Bug #76643 Segmentation fault when using `output_add_rewrite_var`
Submitted: 2018-07-19 05:52 UTC Modified: 2018-07-24 07:52 UTC
From: nicolas dot dermine at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Output Control
PHP Version: 7.2.7 OS: linux
Private report: No CVE-ID: None
 [2018-07-19 05:52 UTC] nicolas dot dermine at gmail dot com
Description:
------------
When using `output_add_rewrite_var` our PHP page served by Apache is not displayed and we have this error in the logs:

[Tue Jul 10 08:03:08.884730 2018] [core:notice] [pid 1] AH00052: child pid 220 exit signal Segmentation fault (11)

The app is running in a docker container based on the docker 7.2.7-apache image.

I tried storing the HTML output to a file and then running a script that just calls `output_add_rewrite_var` and includes the HTML but could not reproduce the error that way.

I will try to narrow it down to a reproducible script but our app is pretty complex so I am not sure I will succeed.

If I comment the call to `output_add_rewrite_var` the page is displayed correctly.

I'll paste a gdb session in the 'Actual result' section, hoping this can help you see where the problem is.

(to get this gdb session working I rebuilt the docker container to configure PHP with --enable-debug and not strip the symbols.
In that case I do not get a segmentation fault any more, but it complains that something is inconsistent)

Actual result:
--------------
root@414dbe04e97b:/var/www/html/allegro# gdb php
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...done.
(gdb) break zend_output_debug_string
Breakpoint 1 at 0x798253: file /usr/src/php/Zend/zend.c, line 1425.
(gdb) run Public/System/Log/listErreur.php User_Login=ndermine
Starting program: /usr/local/bin/php Public/System/Log/listErreur.php User_Login=ndermine
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, zend_output_debug_string (trigger_break=1 '\001', format=0x555556536c98 "%s(%d) : ht=%p is inconsistent") at /usr/src/php/Zend/zend.c:1425
1425    /usr/src/php/Zend/zend.c: No such file or directory.
(gdb) bt
#0  zend_output_debug_string (trigger_break=1 '\001', format=0x555556536c98 "%s(%d) : ht=%p is inconsistent") at /usr/src/php/Zend/zend.c:1425
#1  0x0000555555cfe8c9 in _zend_is_inconsistent (ht=0x7fffee206508, file=0x555556536cb7 "/usr/src/php/Zend/zend_hash.c", line=1966) at /usr/src/php/Zend/zend_hash.c:61
#2  0x0000555555d04c2a in zend_hash_str_find (ht=0x7fffee206508, str=0x5555565038b7 "HTTP_HOST", len=9) at /usr/src/php/Zend/zend_hash.c:1966
#3  0x0000555555b9deaa in check_http_host (target=0x7fffe9083f90 "192.168.99.100") at /usr/src/php/ext/standard/url_scanner_ex.c:352
#4  0x0000555555b9e0f7 in check_host_whitelist (ctx=0x55555691e740 <basic_globals+3776>) at /usr/src/php/ext/standard/url_scanner_ex.c:401
#5  0x0000555555b9e1d8 in handle_form (ctx=0x55555691e740 <basic_globals+3776>,
    start=0x7fffe8c9522b ">\n", ' ' <repeats 28 times>, "<input type=\"hidden\" name=\"date_from\" id=\"date_from\" value=\"04-07-2018\" />\n", ' ' <repeats 28 times>, "<input type=\"hidden\" name=\"date_to\" id=\"date_to\" value=\"19-07-2018\""...,
    xp=0x7fffe8c9522c "\n", ' ' <repeats 28 times>, "<input type=\"hidden\" name=\"date_from\" id=\"date_from\" value=\"04-07-2018\" />\n", ' ' <repeats 28 times>, "<input type=\"hidden\" name=\"date_to\" id=\"date_to\" value=\"19-07-2018\" "...) at /usr/src/php/ext/standard/url_scanner_ex.c:426
#6  0x0000555555b9e882 in xx_mainloop (ctx=0x55555691e740 <basic_globals+3776>,
    newdata=0x7fffe8b88000 "    <!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\"\n     \"http://www.w3.org/TR/html4/loose.dtd\">\n    <html lang=\"fr\">\n    <head>\n        \n\n        <title>Tracer les erreurs</title>\n\n\t<m"..., newlen=74922) at /usr/src/php/ext/standard/url_scanner_ex.c:708
#7  0x0000555555b9ef84 in url_adapt_ext (
    src=0x7fffe8b88000 "    <!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\"\n     \"http://www.w3.org/TR/html4/loose.dtd\">\n    <html lang=\"fr\">\n    <head>\n        \n\n        <title>Tracer les erreurs</title>\n\n\t<m"..., srclen=74922, newlen=0x7fffffffc690, do_flush=1 '\001', ctx=0x55555691e740 <basic_globals+3776>) at /usr/src/php/ext/standard/url_scanner_ex.c:998
#8  0x0000555555b9f21e in php_url_scanner_session_handler_impl (
    output=0x7fffe8b88000 "    <!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\"\n     \"http://www.w3.org/TR/html4/loose.dtd\">\n    <html lang=\"fr\">\n    <head>\n        \n\n        <title>Tracer les erreurs</title>\n\n\t<m"..., output_len=74922, handled_output=0x7fffffffc710, handled_output_len=0x7fffffffc718, mode=9, type=0) at /usr/src/php/ext/standard/url_scanner_ex.c:1065
#9  0x0000555555b9f434 in php_url_scanner_output_handler (
    output=0x7fffe8b88000 "    <!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\"\n     \"http://www.w3.org/TR/html4/loose.dtd\">\n    <html lang=\"fr\">\n    <head>\n        \n\n        <title>Tracer les erreurs</title>\n\n\t<m"..., output_len=74922, handled_output=0x7fffffffc710, handled_output_len=0x7fffffffc718, mode=9) at /usr/src/php/ext/standard/url_scanner_ex.c:1097
#10 0x0000555555c6b690 in php_output_handler_compat_func (handler_context=0x7fffe9309038, output_context=0x7fffffffc7e0) at /usr/src/php/main/output.c:1256
#11 0x0000555555c6adad in php_output_handler_op (handler=0x7fffe9309000, context=0x7fffffffc7e0) at /usr/src/php/main/output.c:984
#12 0x0000555555c6b57c in php_output_stack_pop (flags=1) at /usr/src/php/main/output.c:1221
#13 0x0000555555c6950e in php_output_end_all () at /usr/src/php/main/output.c:341
#14 0x0000555555c4ece3 in php_request_shutdown (dummy=0x0) at /usr/src/php/main/main.c:1867
#15 0x0000555555ddffb0 in do_cli (argc=3, argv=0x5555569555e0) at /usr/src/php/sapi/cli/php_cli.c:1178
#16 0x0000555555de081e in main (argc=3, argv=0x5555569555e0) at /usr/src/php/sapi/cli/php_cli.c:1404
(gdb) continue
Continuing.
/usr/src/php/Zend/zend_hash.c(1966) : ht=0x7fffee206508 is inconsistent
[Inferior 1 (process 31) exited normally]


 [2018-07-19 16:04 UTC] nicolas dot dermine at gmail dot com
When using `bt full` in gdb it seems that it was looking for the `HTTP_HOST` key in the hash table that was then considered inconsistent.

I did not have `url_rewriter.hosts` in my php.ini.

If I add it the problem goes away.
 [2018-07-21 12:47 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2018-07-21 12:47 UTC] cmb@php.net
Simple reproducer:

    <?php
    $_SERVER = 'foo';
    output_add_rewrite_var('bar', 'baz');
    ?>
    <form action="http://example.com/"></form>

Outputs in debug builds:
    php-src/Zend/zend_hash.c(2107) : ht=0x7f72ab202500 is being destroyed
and segfaults on production builds.

This is caused because we're currently assuming that _SERVER is an
array[1]; adding a type check appears to solve the issue.

Please try this patch:
<https://gist.github.com/cmb69/26076c5bac9a1429a03be3eaca65fe0c>.

[1] <https://github.com/php/php-src/blob/php-7.2.7/ext/standard/url_scanner_ex.re#L358>
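The root cause described above is a type check missing in the C extension: the URL scanner looks up `HTTP_HOST` in `$_SERVER` as if it were always a HashTable, so a script that overwrites the superglobal with a string hands the scanner a string's memory as a hash table. The following is an added example (not the reporter's, cmb's, or php-src's own code) of a userland guard for deployments that cannot yet take the patch: it refuses to enable URL rewriting when `$_SERVER` is not an array, and, following the reporter's observation that setting `url_rewriter.hosts` avoids the `HTTP_HOST` lookup, it populates that setting explicitly. The function name `rewrite_var_safely` and the fallback host `localhost` are assumptions for illustration only.

```php
<?php
// Added example, not part of the bug report or of php-src.
// Guard around output_add_rewrite_var() for PHP builds predating the fix
// for #76643. Function name and fallback host are illustrative assumptions.
function rewrite_var_safely(string $name, string $value): bool
{
    // The URL scanner (ext/standard/url_scanner_ex) reads $_SERVER['HTTP_HOST']
    // when it rewrites a <form> and url_rewriter.hosts is empty. Unpatched 7.2.x
    // dereferences $_SERVER as a HashTable without checking its type, so a
    // clobbered superglobal (e.g. `$_SERVER = 'foo';`) crashes the worker.
    if (!is_array($_SERVER)) {
        trigger_error(
            '$_SERVER is not an array; refusing to enable URL rewriting',
            E_USER_WARNING
        );
        return false;
    }

    // Belt and braces: with an explicit host whitelist the scanner never needs
    // HTTP_HOST at all. url_rewriter.hosts is PHP_INI_ALL, so it can be set here.
    if ((string) ini_get('url_rewriter.hosts') === '') {
        $host = $_SERVER['HTTP_HOST'] ?? 'localhost'; // 'localhost' is an assumed fallback
        ini_set('url_rewriter.hosts', $host);
    }

    return output_add_rewrite_var($name, $value);
}

// Usage mirroring cmb's reproducer: the clobbered superglobal is rejected
// instead of being handed to the scanner, and the form is emitted unrewritten.
$_SERVER = 'foo';
$enabled = rewrite_var_safely('bar', 'baz');
?>
<!-- rewriting enabled: <?= $enabled ? 'yes' : 'no' ?> -->
<form action="http://example.com/"></form>
```

This only papers over the problem at the call site; other code paths that consult `$_SERVER` inside the engine still assume an array, so the real fix is the type check committed in php-src below.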
 [2018-07-24 02:42 UTC] laruence@php.net
seems fine, please commit it
 [2018-07-24 07:52 UTC] nicolas dot dermine at gmail dot com
the patch seems to fix the problem in our app
 [2018-07-24 10:42 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=40bd84d3e3d3fefdc16c10319e35fcfea359054a
Log: Fix #76643: Segmentation fault when using `output_add_rewrite_var`
 [2018-07-24 10:42 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sat Dec 15 05:01:25 2018 UTC