Bug #76796 Compile-time evaluation of disabled function in opcache (SCCP) causes segfault
Submitted: 2018-08-26 16:49 UTC Modified: 2018-09-08 00:42 UTC
Votes:8
Avg. Score:4.5 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:8 (100.0%)
Same OS:6 (75.0%)
From: aguero dot manuel at yahoo dot com Assigned: nikic (profile)
Status: Closed Package: opcache
PHP Version: 7.2.9 OS: ANY
Private report: No CVE-ID: None
 [2018-08-26 16:49 UTC] aguero dot manuel at yahoo dot com
Description:
------------
SERVER: UBUNTU 16.04
LEMP STACK. WORDPRESS 4.9.8

php -v
PHP 7.2.9-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Aug 19 2018 07:16:12) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.9-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

Disabled functions:
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,php_uname



BUG:
Opcache is causing a segfault when php_uname has a parameter. You'll need to disable php_uname to reproduce this issue. This is only an issue on PHP 7.2 with OPCACHE enabled; if you disable OPCACHE then no segfault occurs. I've seen it since 7.2.2 --> 7.2.9

PHP 5.6 & 7.1 don't have this issue. 


If no parameter is set then it doesn't segfault.
Example: php_uname()

Examples of When it segfaults:
This segfaults even though 's' is a valid value for the mode parameter.
EX: php_uname( 's' )

If you remove the quotes from the parameter it doesn't segfault. 
EX: php_uname(s)


If you need more information please let me know,

Test script:
---------------
Many WP plugins use php_uname with a valid parameter so it's not a plugin issue. Here are some examples to reproduce.

Install/activate The Better Search and Replace Plugin and it will segfault right away.
https://wordpress.org/plugins/better-search-replace/

CODE:
https://github.com/deliciousbrains/better-search-replace/blob/8eaab18a9a9c21b23a4431d9a3eaf567d19fcc6c/includes/class-bsr-compatibility.php#L46


Install/activate: The plugin Redirection 
https://wordpress.org/plugins/redirection/

Once it's activated, go to WP-ADMIN --> tools --> redirection. Then you'll see it segfault. 

Code: 
https://github.com/johngodley/redirection/blob/90a74a50b5d5e238e3883d79ae5e09f9aadcd74c/models/fixer.php#L105





Expected result:
----------------
No segfault should occur. If php_uname is disabled, it should just output a warning to the logs without segfaulting, just like PHP 5.6 & 7.1.

Actual result:
--------------
PHP-FPM log:
[26-Aug-2018 15:18:07] NOTICE: [pool www] child 18694 started
[26-Aug-2018 15:21:32] NOTICE: Terminating ...
[26-Aug-2018 15:21:32] NOTICE: exiting, bye-bye!
[26-Aug-2018 15:21:32] NOTICE: fpm is running, pid 18726
[26-Aug-2018 15:21:32] NOTICE: ready to handle connections
[26-Aug-2018 15:21:32] NOTICE: systemd monitor interval set to 10000ms
[26-Aug-2018 15:21:42] WARNING: [pool www] child 18731 exited on signal 11 (SIGSEGV - core dumped) after 10.753898 seconds from start
[26-Aug-2018 15:21:42] NOTICE: [pool www] child 18734 started
[26-Aug-2018 16:01:11] WARNING: [pool www] child 18730 exited on signal 11 (SIGSEGV - core dumped) after 2379.605258 seconds from start
[26-Aug-2018 16:01:11] NOTICE: [pool www] child 18881 started
[26-Aug-2018 16:40:29] WARNING: [pool www] child 18881 exited on signal 11 (SIGSEGV - core dumped) after 2357.848971 seconds from start
[26-Aug-2018 16:40:29] NOTICE: [pool www] child 19058 started


STRACE:
[pid 18881] 16:40:28.988115 stat("/var/www/html/wp-content/plugins/better-search-replace/includes/class-bsr-compatibility.php", {st_mode=S_IFREG|0664, st_size=3806, ...}) = 0 <0.000036>
[pid 18881] 16:40:28.988205 stat("/var/www/html/wp-content/plugins/better-search-replace/includes/class-bsr-compatibility.php", {st_mode=S_IFREG|0664, st_size=3806, ...}) = 0 <0.000031>
[pid 18881] 16:40:28.988289 fcntl(4, F_SETLKW, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0 <0.000030>
[pid 18881] 16:40:28.988366 fcntl(4, F_SETLK, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=0, l_len=1}) = 0 <0.000030>
[pid 18881] 16:40:28.988449 open("/var/www/html/wp-content/plugins/better-search-replace/includes/class-bsr-compatibility.php", O_RDONLY) = 7 <0.000033>
[pid 18881] 16:40:28.988534 fstat(7, {st_mode=S_IFREG|0664, st_size=3806, ...}) = 0 <0.000029>
[pid 18881] 16:40:28.988613 fstat(7, {st_mode=S_IFREG|0664, st_size=3806, ...}) = 0 <0.000029>
[pid 18881] 16:40:28.988691 fstat(7, {st_mode=S_IFREG|0664, st_size=3806, ...}) = 0 <0.000008>
[pid 18881] 16:40:28.988726 fstat(7, {st_mode=S_IFREG|0664, st_size=3806, ...}) = 0 <0.000008>
[pid 18881] 16:40:28.988759 mmap(NULL, 3806, PROT_READ, MAP_SHARED, 7, 0) = 0x7fa3cce4f000 <0.000010>
[pid 18881] 16:40:28.988793 stat("/var/www/html/wp-content/plugins/better-search-replace/includes/class-bsr-compatibility.php", {st_mode=S_IFREG|0664, st_size=3806, ...}) = 0 <0.000009>
[pid 18881] 16:40:28.989151 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
[pid 18881] 16:40:29.617230 +++ killed by SIGSEGV (core dumped) +++




CORE DUMP.

Core was generated by `php-fpm: pool www                                                            '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055bc6b74dea5 in _zval_get_string_func ()
(gdb) bt
#0  0x000055bc6b74dea5 in _zval_get_string_func ()
#1  0x000055bc6b756a0f in zend_make_printable_zval ()
#2  0x000055bc6b74c43d in concat_function ()
#3  0x00007fa3c74158d7 in ?? () from /usr/lib/php/20170718/opcache.so
#4  0x00007fa3c743f013 in ?? () from /usr/lib/php/20170718/opcache.so
#5  0x00007fa3c744243c in ?? () from /usr/lib/php/20170718/opcache.so
#6  0x00007fa3c74410dd in ?? () from /usr/lib/php/20170718/opcache.so
#7  0x00007fa3c742528b in ?? () from /usr/lib/php/20170718/opcache.so
#8  0x00007fa3c74176d0 in ?? () from /usr/lib/php/20170718/opcache.so
#9  0x00007fa3c74061f6 in ?? () from /usr/lib/php/20170718/opcache.so
#10 0x000055bc6b7bc391 in ?? ()
#11 0x000055bc6b7fca23 in ?? ()
#12 0x000055bc6b801a0c in execute_ex ()
#13 0x000055bc6b80929e in zend_execute ()
#14 0x000055bc6b7579a3 in zend_execute_scripts ()
#15 0x000055bc6b6f2bf0 in php_execute_script ()
#16 0x000055bc6b5a9e69 in ?? ()
#17 0x00007fa3ca9bc830 in __libc_start_main (main=0x55bc6b5a90b0, argc=4, argv=0x7ffdc743b508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7ffdc743b4f8) at ../csu/libc-start.c:291
#18 0x000055bc6b5aac99 in _start ()





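The reporter's minimal case (a disabled php_uname() called with a quoted, constant mode argument under opcache) can be turned into a regression check that an operator runs against their own PHP build. This is an added example, not code from the bug report or from PHP itself; it assumes the CLI binary already loads opcache through its php.ini, and the function name check_bug76796() is this example's own.

```php
<?php
// Added example (not part of bug #76796 or of PHP): run the reporter's
// minimal case in a child PHP process and classify the outcome.
// Assumes opcache is loaded by the CLI's php.ini; check_bug76796() is
// a name chosen for this example.

function check_bug76796(string $php = PHP_BINARY): array
{
    // Without the extension loaded the test says nothing, so probe for it first.
    exec(escapeshellarg($php) . ' -r '
        . escapeshellarg('echo (int) extension_loaded("Zend OPcache");'),
        $probe, $probeStatus);
    if ($probeStatus !== 0 || (int) ($probe[0] ?? 0) !== 1) {
        return ['verdict' => 'opcache-not-loaded', 'exit_code' => $probeStatus,
                'output' => implode("\n", $probe)];
    }

    // The script the reporter describes: php_uname with a quoted (constant) argument,
    // which is what the optimizer tries to evaluate at compile time.
    $script = tempnam(sys_get_temp_dir(), 'bug76796_');
    file_put_contents($script, "<?php echo php_uname('s'), PHP_EOL;\n");

    // Constructed command line: disable php_uname and enable opcache for the CLI,
    // reproducing the reporter's FPM configuration on the command line.
    $cmd = escapeshellarg($php)
        . ' -d opcache.enable_cli=1 -d disable_functions=php_uname '
        . escapeshellarg($script) . ' 2>&1';
    exec($cmd, $output, $status);
    unlink($script);

    // The shell reports death by signal as 128 + signo, so SIGSEGV shows up as 139.
    if ($status >= 128) {
        $verdict = 'affected';       // child was killed by a signal
    } elseif ($status === 0 || $status === 255) {
        $verdict = 'not-affected';   // warning (PHP 7) or fatal error (PHP 8), no crash
    } else {
        $verdict = 'inconclusive';
    }
    return ['verdict' => $verdict, 'exit_code' => $status,
            'output' => implode("\n", $output)];
}

$result = check_bug76796();
printf("%s (exit %d)\n%s\n", $result['verdict'], $result['exit_code'], $result['output']);
```

On a build that still has the bug the child dies with exit status 139 and no output; on a fixed build it prints the disabled-function warning and exits normally.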
History
 [2018-08-26 22:48 UTC] aguero dot manuel at yahoo dot com
-Operating System: Ubuntu 16.04 +Operating System: ANY
 [2018-08-26 22:48 UTC] aguero dot manuel at yahoo dot com
It looks like this bug has been reintroduced in PHP 7.2
https://bugs.php.net/bug.php?id=68104

It sounds very similar to what I'm experiencing in PHP 7.2 with Opcache enabled and a disabled function.
 [2018-09-08 00:42 UTC] nikic@php.net
-Summary: Opcache causes a Segfault when php_uname has a parameter.(DISABLED FUNCTION) +Summary: Compile-time evaluation of disabled function in opcache (SCCP) causes segfault -Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 
Last updated: Thu Oct 18 22:01:26 2018 UTC