php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75968 php-fpm restarts master process in a loop when using Program execution Function
Submitted: 2018-02-16 15:22 UTC Modified: 2018-02-23 16:54 UTC
Votes:26
Avg. Score:5.0 ± 0.2
Reproduced:21 of 21 (100.0%)
Same Version:14 (66.7%)
Same OS:10 (47.6%)
From: schnederle at futureweb dot at Assigned: bukka (profile)
Status: Duplicate Package: FPM related
PHP Version: 7.2.2 OS: Centos/RHEL 7.4
Private report: No CVE-ID: 2015-9253
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
24 + 30 = ?
Subscribe to this entry?

 
 [2018-02-16 15:22 UTC] schnederle at futureweb dot at 
Description:
------------
Follow-Up to already reported Bug #70185 (https://bugs.php.net/bug.php?id=70185)
Still a Problem with current PHP 7.2.2.

When using Program execution Functions (passthru(), exec(), shell_exec(), system(), ...) the php-fpm: master process reproduceable crashes with signal 15 (SIGTERM) which leads to crash-loop, 100% CPU usage and spamming of Logs (30GB within 1 day on my Dev-Server)

Test script:
---------------
<?php
exec('/usr/bin/postcss css_from.css --use autoprefixer --autoprefixer.remove "false" --output css_to.css');
echo 'Done';
?>

Actual result:
--------------
Millions of:
...
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53778 exited on signal 15 (SIGTERM) after 0.046685 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53782 exited on signal 15 (SIGTERM) after 0.045416 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53785 exited on signal 15 (SIGTERM) after 0.045331 seconds from start
[16-Feb-2018 14:48:30] WARNING: [pool www] child 53787 exited on signal 15 (SIGTERM) after 0.044765 seconds from start
...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-16 15:32 UTC] schnederle at futureweb dot at 
correction - not the master process crashes but php-fpm continues to restart the process over and over again using 100% of the CPU on the php-fpm master process. (crash loop)
 [2018-02-16 15:38 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2018-02-16 15:38 UTC] nikic@php.net 
Is it possible to provide a **self-contained** reproducer for this? That is, using something like "ls" rather than "postcss"?

If not, please provide detailed instructions on how to reproduce this, including any necessary input files and instructions for the installation of necessary programs.
 [2018-02-16 15:51 UTC] schnederle at futureweb dot at 
was able to reproduce behaviour "self contained":

Script 1:
<?php
stream_set_blocking(STDIN, false);
echo "Blah";
?>

Script 2:
<?php
passthru('/usr/bin/php /path/to/1.php');
?>

Reproduceable on 2 Machines with php-fpm 7.2.2 and earlier.

As it can be used to DOS Shared Hosting Servers (i.e. all Plesk Servers use PHP-FPM) I think this got some Security implications too.
 [2018-02-16 15:54 UTC] nikic@php.net
-Status: Feedback +Status: Open
 [2018-02-19 13:15 UTC] schnederle at futureweb dot at 
https://www.futureweb.at/Futureweb-OG-php-fpm-master-process-restarts-child-process-in-a_pid,54177,type,firmeninfo.html
 [2018-02-20 10:38 UTC] schnederle at futureweb dot at 
someone with proper rights please assign CVE-2015-9253 to this Bug Report.

Source:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9253
- https://www.futureweb.at/security/CVE-2015-9253/
 [2018-02-20 23:07 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes -CVE-ID: +CVE-ID: 2015-9253
 [2018-02-20 23:11 UTC] stas@php.net
-Package: Reproducible crash +Package: FPM related
 [2018-02-20 23:11 UTC] stas@php.net 
Could someone explain to me why this is a security issue? Which permission border is being crossed?
 [2018-02-20 23:12 UTC] stas@php.net 
I mean, if you have process exec privileges, couldn't you just "kill -9" your parent  FPM process from shell and achieve the same effect?
 [2018-02-21 13:18 UTC] cmb@php.net 
> Could someone explain to me why this is a security issue?

Sorry, I can't.  I've merely switched to private, since a CVE had
been assigned.
 [2018-02-23 03:27 UTC] stas@php.net
-Assigned To: +Assigned To: bukka
 [2018-02-23 14:03 UTC] bukka@php.net 
This seems just like a duplicate of the https://bugs.php.net/bug.php?id=70185 that is public already so there is no reason to keep this as a security bug IMHO.
 [2018-02-23 16:54 UTC] nikic@php.net
-Status: Assigned +Status: Duplicate -Type: Security +Type: Bug
 [2018-02-23 16:54 UTC] nikic@php.net 
Duplicate of bug #73342. Unassigning privacy status as this has been public for a long time already.

Bug #73342 also has a patch attached, though I haven't checked if it makes sense.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 09:01:27 2024 UTC