php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76415 Stream Open (fopen) on ssh2_sftp connection segfaults
Submitted: 2018-06-05 11:22 UTC Modified: 2021-02-09 17:18 UTC
Votes:7
Avg. Score:3.7 ± 0.9
Reproduced:7 of 7 (100.0%)
Same Version:1 (14.3%)
Same OS:2 (28.6%)
From: oli dot sennhauser at fromdual dot com Assigned: cmb (profile)
Status: Duplicate Package: ssh2 (PECL)
PHP Version: 7.2.6 OS: Linux Ubuntu 16.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
46 + 40 = ?
Subscribe to this entry?

 
 [2018-06-05 11:22 UTC] oli dot sennhauser at fromdual dot com
Description:
------------
apt-cache show php-ssh2
Version: 1.1.2+0.13-1+ubuntu16.04.1+deb.sury.org+1

php --version
PHP 7.2.5-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: May  5 2018 04:59:13) ( NTS )

uname -a
Linux chef 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release 
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"

variables_order = "EGPCS"

Can be reproduced at will. Please let me know what you need for additional information...

Test script:
---------------
<?php

// touch /tmp/test

$aArchiveDestination = array('host' => '127.0.0.1', 'port' => 22, 'user' => 'mybackup', 'path' => '/home/mybackup', 'scheme' => 'sftp');
$aOptions = array('policy' => 'daily');
$file = '/tmp/test';

/*
php -f coredump.php 
  Archiving /tmp/test to sftp://mybackup@127.0.0.1:/home/mybackup/daily/testbefore fopen
before fwrite
Segmentation fault (core dumped)
*/

			$lSshConnection = ssh2_connect($aArchiveDestination['host'], $aArchiveDestination['port']);

			$aUserInfo = posix_getpwuid(posix_getuid());

			$lPubKeyFile  = $aUserInfo['dir'] . '/.ssh/id_rsa.pub';
			$lPrivKeyFile = $aUserInfo['dir'] . '/.ssh/id_rsa';
			$lPassPhrase  = '';
			if ( ! ssh2_auth_pubkey_file($lSshConnection, $aArchiveDestination['user'], $lPubKeyFile, $lPrivKeyFile, $lPassPhrase) ) {
				$rc = 9999;
				$msg = '  ERROR: Public Key Authentication on host ' . $aArchiveDestination['host'] . ' failed.' . " (rc=$rc)";
				throw new Exception($msg);
			}

			$dst = $aArchiveDestination['path'] . '/' . $aOptions['policy'] . '/' . basename($file);
			printf("  Archiving $file to " . $aArchiveDestination['scheme'] . '://' . $aArchiveDestination['user'] . '@' . $aArchiveDestination['host'] . ':' . $dst);

			$sftp = ssh2_sftp($lSshConnection);
			// @fopen
			echo "before fopen\n";
			// Here we have the segementation!!!!
			// See also comment here: http://www.php.net/manual/en/function.ssh2-scp-send.php
			// https://stackoverflow.com/questions/7414175/php-sftp-seg-fault
			
			$stream = fopen('ssh2.sftp://' . intval($sftp) . $dst, 'w');
			if ( ! $stream ) {
				$rc = 9999;
				$msg = "  ERROR: Could not open file: $dst" . " (rc=$rc)";
				throw new Exception($msg);
			}

			if ( ! array_key_exists('simulate', $aOptions) ) {

				$lDataToSend = @file_get_contents($file);
				if ( $lDataToSend === false ) {
					$rc = 9999;
					$msg = "  ERROR: Could not open local file: $file." . " (rc=$rc)";
					throw new Exception($msg);
				}
				echo "before fwrite\n";
				if ( @fwrite($stream, $lDataToSend) === false ) {
					$rc = 9999;
					$msg = "  ERROR: Could not send data from file: $file." . " (rc=$rc)";
					throw new Exception($msg);
				}
				@fclose($stream);

			}
			ssh2_disconnect($lSshConnection);


?>

Expected result:
----------------
No:

php -f coredump.php 
  Archiving /tmp/test to sftp://mybackup@127.0.0.1:/home/mybackup/daily/testbefore fopen
before fwrite
Segmentation fault (core dumped)


Actual result:
--------------
warning: core file may not match specified executable file.
[New LWP 31163]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php -f coredump.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fdac86e0900 in ?? () from /usr/lib/x86_64-linux-gnu/libssh2.so.1
(gdb) bt
#0  0x00007fdac86e0900 in ?? () from /usr/lib/x86_64-linux-gnu/libssh2.so.1
#1  0x00007fdac86eccd5 in libssh2_sftp_shutdown () from /usr/lib/x86_64-linux-gnu/libssh2.so.1
#2  0x00007fdac890e973 in php_ssh2_sftp_dtor () from /usr/lib/php/20170718/ssh2.so
#3  0x000055e161e283d1 in ?? ()
#4  0x000055e161e28423 in ?? ()
#5  0x000055e161e258d0 in zend_hash_reverse_apply ()
#6  0x000055e161e00e30 in ?? ()
#7  0x000055e161e1285b in zend_deactivate ()
#8  0x000055e161dac8da in php_request_shutdown ()
#9  0x000055e161ec5a7c in ?? ()
#10 0x000055e161c62e2c in ?? ()
#11 0x00007fdacef0b830 in __libc_start_main (main=0x55e161c629b0, argc=3, argv=0x7fffbb6d56c8, init=<optimised out>, fini=<optimised out>, 
    rtld_fini=<optimised out>, stack_end=0x7fffbb6d56b8) at ../csu/libc-start.c:291
#12 0x000055e161c62f49 in _start ()

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-10-31 10:00 UTC] phpnetbug at netcode dot fi
Description:
------------
ssh2_disconnect() causes segmentation if ssh2_sftp() has been initialized on the connection.
Without ssh2_disconnect() sftp-subsystem works fine.

OS: CentOS Linux release 7.5.1804 (Core) with continuous release (CR) enabled.
Linux isopannu 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

PHP-versions affected from Remi's repository:
PHP 7.2.11 (cli) (built: Oct 10 2018 08:49:35) ( NTS )
PHP 7.3.0RC4 (cli) (built: Oct 23 2018 09:32:19) ( NTS )

Test script:
------------
<?php
$conn = ssh2_connect(<host>,22);
ssh2_auth_password($conn, "<valid-user>", "<valid-password>");
$sftp = ssh2_sftp($conn);
ssh2_disconnect($conn);

Running cli:
------------
php72 ssh.php 
Segmentation fault

gdb backtrace:
--------------
gdb -ex=r -ex=bt --batch --args /usr/bin/php72 /srv/ssh/ssh.php

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5030f6c in EVP_MD_CTX_cleanup () from /lib64/libcrypto.so.10
#0  0x00007ffff5030f6c in EVP_MD_CTX_cleanup () from /lib64/libcrypto.so.10
#1  0x00007ffff4f9c13d in HMAC_CTX_cleanup () from /lib64/libcrypto.so.10
#2  0x00007fffec1e7134 in mac_method_hmac_sha1_hash () from /lib64/libssh2.so.1
#3  0x00007fffec1f5c39 in _libssh2_transport_send () from /lib64/libssh2.so.1
#4  0x00007fffec1df605 in channel_send_eof () from /lib64/libssh2.so.1
#5  0x00007fffec1e2555 in _libssh2_channel_close () from /lib64/libssh2.so.1
#6  0x00007fffec1e28e8 in _libssh2_channel_free () from /lib64/libssh2.so.1
#7  0x00007fffec1eed45 in libssh2_sftp_shutdown () from /lib64/libssh2.so.1
#8  0x00007fffe91cae23 in php_ssh2_sftp_dtor () from /opt/remi/php72/root/usr/lib64/php/modules/ssh2.so
#9  0x0000555555847ef1 in zend_resource_dtor ()
#10 0x0000555555847f43 in zend_close_rsrc ()
#11 0x00005555558453e8 in zend_hash_reverse_apply ()
#12 0x0000555555820862 in shutdown_executor ()
#13 0x000055555583225b in zend_deactivate ()
#14 0x00005555557cbd0d in php_request_shutdown ()
#15 0x00005555558e61a3 in do_cli ()
#16 0x000055555563dcdb in main ()

Packages installed:
-------------------
php72-php-common.x86_64               7.2.11-1.el7.remi              @remi-safe 
php72-php-fpm.x86_64                  7.2.11-1.el7.remi              @remi-safe 
php72-php-json.x86_64                 7.2.11-1.el7.remi              @remi-safe 
php72-php-pecl-ssh2.x86_64            1.1.2-2.el7.remi               @remi-safe 
php72-runtime.x86_64                  1.0-1.el7.remi                 @remi-safe

php73-php-cli.x86_64                  7.3.0~rc4-1.el7.remi           @remi-safe 
php73-php-common.x86_64               7.3.0~rc4-1.el7.remi           @remi-safe 
php73-php-fpm.x86_64                  7.3.0~rc4-1.el7.remi           @remi-safe 
php73-php-json.x86_64                 7.3.0~rc4-1.el7.remi           @remi-safe 
php73-php-pecl-ssh2.x86_64            1.1.2-4.el7.remi               @remi-safe 
php73-runtime.x86_64                  1.0-0.1.el7.remi               @remi-safe 

System packages seen on trace:
------------------------------
libssh2.x86_64                        1.4.3-10.el7_2.1               @anaconda
openssl-libs.x86_64                   1:1.0.2k-12.el7                @cr
 [2019-08-23 18:49 UTC] z-craig at submeter dot com
extension version 	1.1.2
libssh2 version 	1.5.0
banner 	SSH-2.0-libssh2_1.5.0 

cat /etc/os-release 
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

>php --version
PHP 7.3.7-2+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Jul 25 2019 11:44:40) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.7, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.7-2+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

Reproducible still
 [2020-08-21 18:28 UTC] jonathan dot m dot blackburn at gmail dot com
I experienced the same issue with php7.4 (remi), Centos 7.8 with its latest libssh.

The only thing that has rid me of the SEGFAULT is to call ssh2_disconnect on the __SFTP__ handle before calling it on the connection:

ssh2_disconnect($sftp); // $sftp was instanced with ssh2_sftp($connection)
ssh2_disconnect($connection);

I've managed to get rid of the symptom of the problem but still not certain as to the cause (unless the above is de rigeur moving forward).
 [2021-02-09 17:18 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-02-09 17:18 UTC] cmb@php.net
> ssh2_disconnect() causes segmentation if ssh2_sftp() has been
> initialized on the connection.

That is correct, and has already filed as another ticket[1].
However, that is totally unrelated to this ticket which is a
duplicate of bug #73924.

[1] <https://bugs.php.net/79631>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 02:01:28 2024 UTC