php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80625 Invalid free / memory corruption in zend_string_release
Submitted: 2021-01-14 18:02 UTC Modified: 2021-05-17 16:08 UTC
From: hanno at hboeck dot de Assigned:
Status: Open Package: Unknown/Other Function
PHP Version: 7.4.14 OS: Linux
Private report: No CVE-ID: None
 [2021-01-14 18:02 UTC] hanno at hboeck dot de
Description:
------------
I observed a crash of php with a local apache+mod_php installation while installing Moodle. Unfortunately the moodle installer is quite complex, so I cannot easily trim this down to a simple testcase.

In the apache error log I got this message:

zend_mm_heap corrupted

Given this indicated memory corruption I tried this with an asan build of php+apache, which gave me a stack trace which I'll attach. This indicated an invalid free call (attempting free on address which was not malloc'ed). There may be a connection to opcache, when disabling the opcache module the crash no longer occured.


Stack trace from asan:

==25422==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7fdcec97fdc8 in thread T62
    #0 0x7fdcfd545387 in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/10.2.0/libasan.so.6+0xae387)
    #1 0x7fdcf8a0a7e4 in zend_string_release /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/Zend/zend_string.h:281
    #2 0x7fdcf8a0a7e4 in zend_symtable_clean /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/Zend/zend_hash.c:1727
    #3 0x7fdcf8bba1a4 in zend_clean_and_cache_symbol_table /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/Zend/zend_execute.c:3445
    #4 0x7fdcf8bba1a4 in zend_clean_and_cache_symbol_table /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/Zend/zend_execute.c:3438
    #5 0x7fdcf8bbb01b in zend_leave_helper_SPEC /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/Zend/zend_vm_execute.h:1165
    #6 0x7fdcf8bbe652 in execute_ex /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/Zend/zend_vm_execute.h:53933
    #7 0x7fdcf8be99d6 in zend_execute /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/Zend/zend_vm_execute.h:57957
    #8 0x7fdcf89d2d58 in zend_execute_scripts /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/Zend/zend.c:1679
    #9 0x7fdcf88a5097 in php_execute_script /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/main/main.c:2621
    #10 0x7fdcf8befcd7 in php_handler /var/tmp/portage/dev-lang/php-7.4.14/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:700
    #11 0x557945a99484 in ap_run_handler /var/tmp/portage/www-servers/apache-2.4.46-r4/work/httpd-2.4.46/server/config.c:170
    #12 0x557945a9a104 in ap_invoke_handler /var/tmp/portage/www-servers/apache-2.4.46-r4/work/httpd-2.4.46/server/config.c:444
    #13 0x557945ad6e71 in ap_process_async_request /var/tmp/portage/www-servers/apache-2.4.46-r4/work/httpd-2.4.46/modules/http/http_request.c:452
    #14 0x557945acd3e4 in ap_process_http_async_connection /var/tmp/portage/www-servers/apache-2.4.46-r4/work/httpd-2.4.46/modules/http/http_core.c:158
    #15 0x557945acd3e4 in ap_process_http_connection /var/tmp/portage/www-servers/apache-2.4.46-r4/work/httpd-2.4.46/modules/http/http_core.c:252
    #16 0x557945ab3354 in ap_run_process_connection /var/tmp/portage/www-servers/apache-2.4.46-r4/work/httpd-2.4.46/server/connection.c:42
    #17 0x557945af2c40 in process_socket /var/tmp/portage/www-servers/apache-2.4.46-r4/work/httpd-2.4.46/server/mpm/event/event.c:1050
    #18 0x557945af4949 in worker_thread /var/tmp/portage/www-servers/apache-2.4.46-r4/work/httpd-2.4.46/server/mpm/event/event.c:2083
    #19 0x7fdcfd136e7d in start_thread /var/tmp/portage/sys-libs/glibc-2.32-r7/work/glibc-2.32/nptl/pthread_create.c:463
    #20 0x7fdcfd06592e in __clone (/lib64/libc.so.6+0xf892e)



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-01-19 15:21 UTC] nikic@php.net
Is this with opcache enabled or disabled?

The crash happens while freeing the key of a symbol table. Haven't seen this backtrace before and don't have an immediate idea of what could cause this.
 [2021-01-19 15:36 UTC] hanno at hboeck dot de
With opcache. If I disable opcache it no longer occurs.
 [2021-02-15 14:01 UTC] nikic@php.net
I've fixed an issue related to the cache_and_clean_symbol_table functionality in https://github.com/php/php-src/commit/7b7d99839c2e2886ecf159952552c9964bd80481, which *might* be related to the issue you're seeing (but may also be a separate issue).
 [2021-05-12 06:19 UTC] krakjoe@php.net
-Status: Open +Status: Feedback
 [2021-05-12 06:19 UTC] krakjoe@php.net
Does the issue remain after the commit referenced above ?
 [2021-05-17 16:08 UTC] hanno at hboeck dot de
-Status: Feedback +Status: Open
 [2021-05-17 16:08 UTC] hanno at hboeck dot de
I retried with 7.4.19, which does contain your patch, and the issue still persists.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC