Bug #76594 Bus Error due to unaligned access in zend_ini.c OnUpdateLong
Submitted: 2018-07-08 03:18 UTC Modified: 2018-07-08 22:39 UTC
From: rainer dot jung at kippdata dot de Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.3.0alpha3 OS: Solaris Sparc 32 Bit
Private report: No CVE-ID: None
 [2018-07-08 03:18 UTC] rainer dot jung at kippdata dot de
Description:
------------
I get a bus error for most of the PHP tests. An easy example is test004.sh.

The Solaris Sparc platform is sensitive to correct alignment for 32 bit and 64 bit types. They must be aligned on corresponding address boundaries, which is not true in the case of these crashes.

The crash happens for 32 Bit builds in Zend/zend_ini.c:671 (OnUpdateLong):

669     p = (zend_long *) (base+(size_t) mh_arg1);
670
671     *p = zend_atol(ZSTR_VAL(new_value), ZSTR_LEN(new_value));

Here the address p is:

        p = 0xfb1f63d5 <mbstring_globals+97>
        base = 0xfb1f6374 <mbstring_globals> ""

which is an odd address. Since on this platform zend_long has size 4 (bytes), this would need to be divisible by 4. The value for mh_arg1 comes from the next frame Zend/zend_ini.c:269 (zend_register_ini_entries):

268             if (p->on_modify) {
269                 p->on_modify(p, p->value, p->mh_arg1, p->mh_arg2, p->mh_arg3, ZEND_INI_STAGE_STARTUP);
270             }

There p is:

{name = 0x186760, on_modify = 0xfee87aa8 <OnUpdateLong>, mh_arg1 = 0x61, mh_arg2 = 0xfb276374 <mbstring_globals>, mh_arg3 = 0x0, value = 0x3de70, orig_value = 0x0,
  displayer = 0x384b8 <zend_ini_boolean_displayer_cb@plt>, module_number = 30, modifiable = 7 '\a', orig_modifiable = 0 '\000', modified = 0 '\000'}

and mh_arg1 is set in

241         p->mh_arg1 = ini_entry->mh_arg1;

This is ini_entry:

{name = 0xfb246a80 "mbstring.strict_detection", on_modify = 0xfee87aa8 <OnUpdateLong>, mh_arg1 = 0x61, mh_arg2 = 0xfb276374 <mbstring_globals>, mh_arg3 = 0x0,
  value = 0xfb246a38 "0", displayer = 0x384b8 <zend_ini_boolean_displayer_cb@plt>, value_length = 1, name_length = 25, modifiable = 7 '\a'}

The next frame is ext/mbstring/mbstring.c:1579 (zm_startup_mbstring):

1579            REGISTER_INI_ENTRIES();

The crash does not happen on Linux on x86_64 platforms with 64 bit builds. These platforms are less sensitive to misalignment.

Regards,

Rainer


Patches

mbstring.strict_detection (last revision 2018-07-08 13:34 UTC by cmb@php.net)

History

 [2018-07-08 12:30 UTC] cmb@php.net
Is this a regression in PHP 7.3, or does it happen with earlier
versions also?

Which compiler do you use?
 [2018-07-08 12:45 UTC] rainer dot jung at kippdata dot de
It does not happen for 7.2.7. I did not test any 7.3 alpha before.

Compiler is gcc 7.3.0.

Bus errors due to bad alignment are well-known on Solaris. I didn't find the code that sets mh_arg1 to 97 (decimal).
 [2018-07-08 13:08 UTC] cmb@php.net
Thanks!

> I didn't find the code that sets mh_arg1 to 97 (decimal).

That appears to be an issue with the mbstring module globals[1].
Apparently, these are not properly aligned.

[1] <https://github.com/php/php-src/blob/php-7.3.0alpha3/ext/mbstring/mbstring.h#L139-L174>
 [2018-07-08 13:13 UTC] nikic@php.net
The issue is that mbstring.strict_detection uses OnUpdateLong instead of OnUpdateBool in https://github.com/php/php-src/blob/php-7.3.0alpha3/ext/mbstring/mbstring.c#L1503. I don't think the option is new though.
 [2018-07-08 13:34 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: mbstring.strict_detection
Revision:   1531056846
URL:        https://bugs.php.net/patch-display.php?bug=76594&patch=mbstring.strict_detection&revision=1531056846
 [2018-07-08 13:34 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2018-07-08 13:34 UTC] cmb@php.net
Ah!  While mbstring.strict_detection is not new, it has been
declared as `long` in PHP 7.2.7[1].

Rainer, please try with the attached patch.

[1] <https://github.com/php/php-src/blob/php-7.2.7/ext/mbstring/mbstring.h#L190>
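The mechanism behind this report, as an added example (not PHP's own code and not part of the thread): an ini entry hands its handler only a base pointer (mh_arg2) and an offset (mh_arg1), so nothing ties the width of the handler's store to the declared type of the field at that offset. The thread establishes that mbstring.strict_detection is registered with OnUpdateLong while the 7.3 field sits at offset 0x61, an odd offset no zend_long member could have, and that it was still a `long` in 7.2.7. OnUpdateLong therefore stores a full zend_long into a 1-byte, byte-aligned field. On SPARC that is a SIGBUS; on x86 it does not trap and instead silently overwrites whatever follows the field. The C below models both outcomes with constructed types: a 32-bit `zend_long` as in the report, a stand-in globals struct padded so the field lands at offset 97, and a hypothetical `field_size` member added to the entry record so that a registration-time check can compare handler width against the declared field (PHP's real entry definitions record only the offset, so this check is an illustration, not something the engine does). The store is done with memcpy so the demo itself never dereferences a misaligned pointer, which would be undefined behaviour in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Types as on the 32-bit SPARC build from the report: zend_long is 4 bytes,
 * zend_bool is 1 byte. */
typedef int32_t zend_long;
typedef unsigned char zend_bool;

/* Constructed stand-in for mbstring_globals. The padding is sized so that
 * strict_detection lands at offset 97 (0x61), the mh_arg1 value in the report;
 * `neighbour` stands in for whatever field really follows it. */
typedef struct {
    char      before[97];
    zend_bool strict_detection;   /* 1 byte in 7.3; was `long` in 7.2.7 */
    zend_bool neighbour;          /* clobbered by a 4-byte store to strict_detection */
    char      after[2];
} mb_globals_t;

/* Union with a zend_long forces a 4-byte aligned base, so base + 97 is
 * reliably misaligned for a zend_long. */
typedef union { mb_globals_t g; zend_long align; } mb_globals_storage_t;

/* The handler chosen for an entry fixes the width of the store through
 * base + mh_arg1: OnUpdateBool writes 1 byte, OnUpdateLong writes a zend_long. */
typedef enum { HANDLER_BOOL = 1, HANDLER_LONG = 4 } handler_width_t;

/* Hypothetical entry record. PHP's own definition carries the name, the
 * handler and mh_arg1 (the offset); field_size is added here purely so the
 * check below has the declared field width to compare against. */
typedef struct {
    const char     *name;
    handler_width_t on_modify;
    size_t          mh_arg1;
    size_t          field_size;
} ini_entry_t;

enum { INI_OK = 0, INI_ERR_SIZE = 1, INI_ERR_ALIGN = 2 };

/* Registration-time check: the handler's store width must equal the declared
 * field size, and base + mh_arg1 must be aligned for that width. */
int check_ini_entry(const ini_entry_t *e, const void *base)
{
    size_t width = (size_t)e->on_modify;
    uintptr_t addr = (uintptr_t)base + e->mh_arg1;
    if (width != e->field_size)
        return INI_ERR_SIZE;
    if (addr % width != 0)
        return INI_ERR_ALIGN;
    return INI_OK;
}

/* Store the parsed value at base + mh_arg1 with the handler's width, as
 * OnUpdateLong / OnUpdateBool do. memcpy avoids a misaligned dereference. */
void apply_ini_entry(const ini_entry_t *e, void *base, const char *value)
{
    char *p = (char *)base + e->mh_arg1;
    long parsed = strtol(value, NULL, 10);
    if (e->on_modify == HANDLER_LONG) {
        zend_long v = (zend_long)parsed;
        memcpy(p, &v, sizeof v);
    } else {
        zend_bool v = (zend_bool)(parsed != 0);
        memcpy(p, &v, sizeof v);
    }
}

/* The strict_detection entry with a given handler: HANDLER_LONG mirrors the
 * buggy registration, HANDLER_BOOL the fix. */
ini_entry_t strict_detection_entry(handler_width_t handler)
{
    ini_entry_t e = { "mbstring.strict_detection", handler,
                      offsetof(mb_globals_t, strict_detection),
                      sizeof(((mb_globals_t *)0)->strict_detection) };
    return e;
}

/* Run the check for an arbitrary handler/offset/field-size combination
 * against a 4-byte aligned base. */
int check_entry_case(handler_width_t handler, size_t mh_arg1, size_t field_size)
{
    static mb_globals_storage_t s;
    ini_entry_t e = { "case", handler, mh_arg1, field_size };
    return check_ini_entry(&e, &s.g);
}

/* Apply "1" with the given handler and report the neighbour field afterwards.
 * 0x55 surviving means the store stayed inside strict_detection. */
int neighbour_after_update(handler_width_t handler)
{
    mb_globals_storage_t s;
    memset(&s, 0, sizeof s);
    s.g.neighbour = 0x55;
    ini_entry_t e = strict_detection_entry(handler);
    apply_ini_entry(&e, &s.g, "1");
    return s.g.neighbour;
}

int main(void)
{
    ini_entry_t buggy = strict_detection_entry(HANDLER_LONG);
    printf("mh_arg1 = %zu (0x%zx)\n", buggy.mh_arg1, buggy.mh_arg1);
    printf("OnUpdateLong on zend_bool: check=%d neighbour=0x%02x\n",
           check_entry_case(HANDLER_LONG, buggy.mh_arg1, buggy.field_size),
           neighbour_after_update(HANDLER_LONG));
    printf("OnUpdateBool on zend_bool: check=%d neighbour=0x%02x\n",
           check_entry_case(HANDLER_BOOL, buggy.mh_arg1, buggy.field_size),
           neighbour_after_update(HANDLER_BOOL));
    return 0;
}
```

The size-mismatch check is the one that matters for this bug: an entry that passes it also passes the alignment check whenever the compiler laid out the field, since a correctly typed member is always aligned for its own width. The overwrite result is what an x86 build would have shown all along, without any crash to point at it.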
 [2018-07-08 22:30 UTC] rainer dot jung at kippdata dot de
Confirmed, the patch fixes it. Great job, thanks a lot!
 [2018-07-08 22:39 UTC] cmb@php.net
-Status: Feedback +Status: Open
 [2018-07-08 22:39 UTC] cmb@php.net
Thanks for the confirmation, and for filing the bug report in the
first place!
 [2018-07-08 22:54 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c01b1ab48ced6911993d958d06fefbbf39bca19
Log: Fix #76594: Bus Error due to unaligned access in zend_ini.c OnUpdateLong
 [2018-07-08 22:55 UTC] cmb@php.net
-Status: Assigned +Status: Closed
Last updated: Thu Dec 13 23:01:24 2018 UTC