php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76415 Stream Open (fopen) on ssh2_sftp connection segfaults
Submitted: 2018-06-05 11:22 UTC Modified: 2021-02-09 17:18 UTC
Votes:7
Avg. Score:3.7 ± 0.9
Reproduced:7 of 7 (100.0%)
Same Version:1 (14.3%)
Same OS:2 (28.6%)
From: oli dot sennhauser at fromdual dot com Assigned: cmb (profile)
Status: Duplicate Package: ssh2 (PECL)
PHP Version: 7.2.6 OS: Linux Ubuntu 16.04
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: oli dot sennhauser at fromdual dot com
New email:
PHP Version: OS:

 

 [2018-06-05 11:22 UTC] oli dot sennhauser at fromdual dot com
Description:
------------
apt-cache show php-ssh2
Version: 1.1.2+0.13-1+ubuntu16.04.1+deb.sury.org+1

php --version
PHP 7.2.5-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: May  5 2018 04:59:13) ( NTS )

uname -a
Linux chef 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release 
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"

variables_order = "EGPCS"

Can be reproduced at will. Please let me know what you need for additional information...

Test script:
---------------
<?php

// touch /tmp/test

$aArchiveDestination = array('host' => '127.0.0.1', 'port' => 22, 'user' => 'mybackup', 'path' => '/home/mybackup', 'scheme' => 'sftp');
$aOptions = array('policy' => 'daily');
$file = '/tmp/test';

/*
php -f coredump.php 
  Archiving /tmp/test to sftp://mybackup@127.0.0.1:/home/mybackup/daily/testbefore fopen
before fwrite
Segmentation fault (core dumped)
*/

			$lSshConnection = ssh2_connect($aArchiveDestination['host'], $aArchiveDestination['port']);

			$aUserInfo = posix_getpwuid(posix_getuid());

			$lPubKeyFile  = $aUserInfo['dir'] . '/.ssh/id_rsa.pub';
			$lPrivKeyFile = $aUserInfo['dir'] . '/.ssh/id_rsa';
			$lPassPhrase  = '';
			if ( ! ssh2_auth_pubkey_file($lSshConnection, $aArchiveDestination['user'], $lPubKeyFile, $lPrivKeyFile, $lPassPhrase) ) {
				$rc = 9999;
				$msg = '  ERROR: Public Key Authentication on host ' . $aArchiveDestination['host'] . ' failed.' . " (rc=$rc)";
				throw new Exception($msg);
			}

			$dst = $aArchiveDestination['path'] . '/' . $aOptions['policy'] . '/' . basename($file);
			printf("  Archiving $file to " . $aArchiveDestination['scheme'] . '://' . $aArchiveDestination['user'] . '@' . $aArchiveDestination['host'] . ':' . $dst);

			$sftp = ssh2_sftp($lSshConnection);
			// @fopen
			echo "before fopen\n";
			// Here we have the segementation!!!!
			// See also comment here: http://www.php.net/manual/en/function.ssh2-scp-send.php
			// https://stackoverflow.com/questions/7414175/php-sftp-seg-fault
			
			$stream = fopen('ssh2.sftp://' . intval($sftp) . $dst, 'w');
			if ( ! $stream ) {
				$rc = 9999;
				$msg = "  ERROR: Could not open file: $dst" . " (rc=$rc)";
				throw new Exception($msg);
			}

			if ( ! array_key_exists('simulate', $aOptions) ) {

				$lDataToSend = @file_get_contents($file);
				if ( $lDataToSend === false ) {
					$rc = 9999;
					$msg = "  ERROR: Could not open local file: $file." . " (rc=$rc)";
					throw new Exception($msg);
				}
				echo "before fwrite\n";
				if ( @fwrite($stream, $lDataToSend) === false ) {
					$rc = 9999;
					$msg = "  ERROR: Could not send data from file: $file." . " (rc=$rc)";
					throw new Exception($msg);
				}
				@fclose($stream);

			}
			ssh2_disconnect($lSshConnection);


?>

Expected result:
----------------
No:

php -f coredump.php 
  Archiving /tmp/test to sftp://mybackup@127.0.0.1:/home/mybackup/daily/testbefore fopen
before fwrite
Segmentation fault (core dumped)


Actual result:
--------------
warning: core file may not match specified executable file.
[New LWP 31163]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php -f coredump.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fdac86e0900 in ?? () from /usr/lib/x86_64-linux-gnu/libssh2.so.1
(gdb) bt
#0  0x00007fdac86e0900 in ?? () from /usr/lib/x86_64-linux-gnu/libssh2.so.1
#1  0x00007fdac86eccd5 in libssh2_sftp_shutdown () from /usr/lib/x86_64-linux-gnu/libssh2.so.1
#2  0x00007fdac890e973 in php_ssh2_sftp_dtor () from /usr/lib/php/20170718/ssh2.so
#3  0x000055e161e283d1 in ?? ()
#4  0x000055e161e28423 in ?? ()
#5  0x000055e161e258d0 in zend_hash_reverse_apply ()
#6  0x000055e161e00e30 in ?? ()
#7  0x000055e161e1285b in zend_deactivate ()
#8  0x000055e161dac8da in php_request_shutdown ()
#9  0x000055e161ec5a7c in ?? ()
#10 0x000055e161c62e2c in ?? ()
#11 0x00007fdacef0b830 in __libc_start_main (main=0x55e161c629b0, argc=3, argv=0x7fffbb6d56c8, init=<optimised out>, fini=<optimised out>, 
    rtld_fini=<optimised out>, stack_end=0x7fffbb6d56b8) at ../csu/libc-start.c:291
#12 0x000055e161c62f49 in _start ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-10-31 10:00 UTC] phpnetbug at netcode dot fi
Description:
------------
ssh2_disconnect() causes segmentation if ssh2_sftp() has been initialized on the connection.
Without ssh2_disconnect() sftp-subsystem works fine.

OS: CentOS Linux release 7.5.1804 (Core) with continuous release (CR) enabled.
Linux isopannu 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

PHP-versions affected from Remi's repository:
PHP 7.2.11 (cli) (built: Oct 10 2018 08:49:35) ( NTS )
PHP 7.3.0RC4 (cli) (built: Oct 23 2018 09:32:19) ( NTS )

Test script:
------------
<?php
$conn = ssh2_connect(<host>,22);
ssh2_auth_password($conn, "<valid-user>", "<valid-password>");
$sftp = ssh2_sftp($conn);
ssh2_disconnect($conn);

Running cli:
------------
php72 ssh.php 
Segmentation fault

gdb backtrace:
--------------
gdb -ex=r -ex=bt --batch --args /usr/bin/php72 /srv/ssh/ssh.php

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5030f6c in EVP_MD_CTX_cleanup () from /lib64/libcrypto.so.10
#0  0x00007ffff5030f6c in EVP_MD_CTX_cleanup () from /lib64/libcrypto.so.10
#1  0x00007ffff4f9c13d in HMAC_CTX_cleanup () from /lib64/libcrypto.so.10
#2  0x00007fffec1e7134 in mac_method_hmac_sha1_hash () from /lib64/libssh2.so.1
#3  0x00007fffec1f5c39 in _libssh2_transport_send () from /lib64/libssh2.so.1
#4  0x00007fffec1df605 in channel_send_eof () from /lib64/libssh2.so.1
#5  0x00007fffec1e2555 in _libssh2_channel_close () from /lib64/libssh2.so.1
#6  0x00007fffec1e28e8 in _libssh2_channel_free () from /lib64/libssh2.so.1
#7  0x00007fffec1eed45 in libssh2_sftp_shutdown () from /lib64/libssh2.so.1
#8  0x00007fffe91cae23 in php_ssh2_sftp_dtor () from /opt/remi/php72/root/usr/lib64/php/modules/ssh2.so
#9  0x0000555555847ef1 in zend_resource_dtor ()
#10 0x0000555555847f43 in zend_close_rsrc ()
#11 0x00005555558453e8 in zend_hash_reverse_apply ()
#12 0x0000555555820862 in shutdown_executor ()
#13 0x000055555583225b in zend_deactivate ()
#14 0x00005555557cbd0d in php_request_shutdown ()
#15 0x00005555558e61a3 in do_cli ()
#16 0x000055555563dcdb in main ()

Packages installed:
-------------------
php72-php-common.x86_64               7.2.11-1.el7.remi              @remi-safe 
php72-php-fpm.x86_64                  7.2.11-1.el7.remi              @remi-safe 
php72-php-json.x86_64                 7.2.11-1.el7.remi              @remi-safe 
php72-php-pecl-ssh2.x86_64            1.1.2-2.el7.remi               @remi-safe 
php72-runtime.x86_64                  1.0-1.el7.remi                 @remi-safe

php73-php-cli.x86_64                  7.3.0~rc4-1.el7.remi           @remi-safe 
php73-php-common.x86_64               7.3.0~rc4-1.el7.remi           @remi-safe 
php73-php-fpm.x86_64                  7.3.0~rc4-1.el7.remi           @remi-safe 
php73-php-json.x86_64                 7.3.0~rc4-1.el7.remi           @remi-safe 
php73-php-pecl-ssh2.x86_64            1.1.2-4.el7.remi               @remi-safe 
php73-runtime.x86_64                  1.0-0.1.el7.remi               @remi-safe 

System packages seen on trace:
------------------------------
libssh2.x86_64                        1.4.3-10.el7_2.1               @anaconda
openssl-libs.x86_64                   1:1.0.2k-12.el7                @cr
 [2019-08-23 18:49 UTC] z-craig at submeter dot com
extension version 	1.1.2
libssh2 version 	1.5.0
banner 	SSH-2.0-libssh2_1.5.0 

cat /etc/os-release 
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

>php --version
PHP 7.3.7-2+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Jul 25 2019 11:44:40) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.7, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.7-2+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

Reproducible still
 [2020-08-21 18:28 UTC] jonathan dot m dot blackburn at gmail dot com
I experienced the same issue with php7.4 (remi), Centos 7.8 with its latest libssh.

The only thing that has rid me of the SEGFAULT is to call ssh2_disconnect on the __SFTP__ handle before calling it on the connection:

ssh2_disconnect($sftp); // $sftp was instanced with ssh2_sftp($connection)
ssh2_disconnect($connection);

I've managed to get rid of the symptom of the problem but still not certain as to the cause (unless the above is de rigeur moving forward).
 [2021-02-09 17:18 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-02-09 17:18 UTC] cmb@php.net
> ssh2_disconnect() causes segmentation if ssh2_sftp() has been
> initialized on the connection.

That is correct, and has already filed as another ticket[1].
However, that is totally unrelated to this ticket which is a
duplicate of bug #73924.

[1] <https://bugs.php.net/79631>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Nov 05 21:01:30 2024 UTC