Bug #9801 mcrypt_encrypt dumps core
Submitted: 2001-03-16 20:58 UTC Modified: 2001-05-17 17:31 UTC
From: michael at carceri dot dk Assigned: derick (profile)
Status: Closed Package: mcrypt related
PHP Version: 4.0 Latest CVS (16/03/2001) OS: Linux 2.4.1
Private report: No CVE-ID: None
 [2001-03-16 20:58 UTC] michael at carceri dot dk
When I run .php files under Apache (1.3.19), PHP sometimes crashes. I can run the same file several times, and only sometimes does it crash.

This is what is recorded in the apache log (a lot of them):

[Fri Mar  9 19:24:51 2001] [notice] child pid 22845 exit signal Segmentation fault (11)

The following code can reproduce the crash:

<?php
// Reproducer: Rijndael-256 in CBC mode with a 32-byte key and a 32-byte IV
$input = "Teststring";
$key = "gQ8V(|!kQ?lmJ8*~/HajI~lNM.-HzJqy";
$iv = "w81kaMfJq(1lcJaQ+m BsjedLq!?230?";
$output = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $input, MCRYPT_MODE_CBC, $iv);
?>

The configure line is: --enable-track-vars --with-mysql=/usr/local/mysql --with-mhash --with-mcrypt --with-apxs=/usr/local/apache/bin/apxs

 [2001-04-10 12:59 UTC] cmv@php.net
This happens for me too with today's CVS and the latest CVS of mcrypt.

Backtrace says:

#0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
3152    malloc.c: No such file or directory.
(gdb) bt
#0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
#1  0x402c8828 in __libc_free (mem=0x81f7f08) at malloc.c:3054
#2  0x400a650d in mcrypt_module_close (td=0x81f7f08) at mcrypt_modules.c:48
#3  0x807c1e7 in php_mcrypt_do_crypt (cipher=0x81f7e94 "rijndael-256", key=0x81f2118, data=0x81f211c, 
    mode=0x818174c "cbc", iv=0x81f2124, argc=5, dencrypt=0, return_value=0x81f7ef4) at mcrypt.c:1317
#4  0x807c576 in php_if_mcrypt_encrypt (ht=5, return_value=0x81f7ef4, this_ptr=0x0, return_value_used=1)
    at mcrypt.c:1334
#5  0x81228e6 in execute (op_array=0x81f37dc) at ./zend_execute.c:1494
#6  0x80f3fcd in zend_execute_scripts (type=8, file_count=3) at zend.c:743
#7  0x8069c8f in php_execute_script (primary_file=0xbffffa60) at main.c:1196
#8  0x8067fa4 in main (argc=2, argv=0xbffffb04) at cgi_main.c:731
#9  0x4026ab5c in __libc_start_main (main=0x8067830 <main>, argc=2, ubp_av=0xbffffb04, init=0x8064b8c <_init>, 
    fini=0x81362ec <_fini>, rtld_fini=0x4000d634 <_dl_fini>, stack_end=0xbffffafc)
    at ../sysdeps/generic/libc-start.c:129

Assigning it to the expert ... :)
 [2001-04-10 13:01 UTC] cmv@php.net
Actually, the script only seems to dump core if I do:

    echo bin2hex($output);

after the encryption.  Just a simple:

    echo $output;

seems to work just fine (i.e. it outputs stuff).

- Colin
 [2001-04-10 13:58 UTC] derick@php.net
Crashes for me too, possibly a bug in mcrypt itself. Trying more things...
 [2001-05-17 16:16 UTC] michael at carceri dot dk
I think I've found the problem (and the solution).

Let's look at some functions found in mcrypt first...

File: mcrypt_modules.c

int mcrypt_module_close(MCRYPT td)
{

	lt_dlclose(td->algorithm_handle);
	lt_dlclose(td->mode_handle);
	lt_dlexit();

	td->algorithm_handle = NULL;
	td->mode_handle = NULL;

	td->m_encrypt = NULL;
	td->a_encrypt = NULL;
	td->a_decrypt = NULL;
	td->m_decrypt = NULL;

	free(td);
	
	return 0;
}

File: mcrypt.c

int mcrypt_generic_end(const MCRYPT td)
{
	internal_end_mcrypt(td);
	mcrypt_module_close(td);
	return 0;
}

The crash occurs when the call free(td) is made in mcrypt_module_close(MCRYPT td)

Notice that mcrypt_generic_end(const MCRYPT td) calls mcrypt_module_close(MCRYPT td) in the end.

Let's look at the mcrypt.c file from PHP (NOT the same one as above). It has a function called

php_mcrypt_do_crypt(char* cipher, zval **key, zval **data, char *mode, zval **iv, int argc, int dencrypt, zval* return_value)

At the end of the function, we find the following:

/* freeing vars */
	mcrypt_generic_end (td);
	if (key_s != NULL)
		efree (key_s);
	if (iv_s != NULL)
		efree (iv_s);
	efree (data_s);
	mcrypt_module_close (td);
}

The crash occurs when the final mcrypt_module_close is called.

The reason is that the call to mcrypt_generic_end (td) also calls mcrypt_module_close(td) that again calls free (td). When we later call mcrypt_module_close (td) we try to free td again, and that sometimes gives us a segmentation fault.

The solution is simply to delete the last line in the php_mcrypt_do_crypt function (mcrypt_module_close (td);) found in mcrypt.c. This is ok, since we have already freed td in the call to mcrypt_generic_end (td) a few lines above.

That solved the problems for me. Finally no more crashes :)
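The ownership mistake described in this report (mcrypt_generic_end() already closes and frees the handle, so the trailing mcrypt_module_close() releases it a second time) can be shown without touching the real heap. The C program below is an added illustration, not code from mcrypt or from PHP's ext/mcrypt; every sim_* name, the static handle pool and the two do_crypt_cleanup_* functions are assumptions made for the example. Handles live in a static pool instead of being malloc'd, so the second close is counted and reported rather than corrupting allocator metadata, which in the real library shows up only later as an intermittent segmentation fault in chunk_free.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for mcrypt's MCRYPT handle (names are assumptions,
 * not the real library's API). Handles come from a static pool and are never
 * free()d, so closing one twice is detected instead of being undefined
 * behaviour. */
#define SIM_POOL_SIZE 4

struct sim_td {
    int in_use;          /* 1 while the handle is open */
    char cipher[32];     /* cipher name, e.g. "rijndael-256" */
};
typedef struct sim_td *MCRYPT_SIM;

static struct sim_td sim_pool[SIM_POOL_SIZE];
static int sim_double_closes = 0;   /* times an already-closed handle was closed again */

/* Mirrors mcrypt_module_open(): hand out an unused handle. */
MCRYPT_SIM sim_module_open(const char *cipher)
{
    for (int i = 0; i < SIM_POOL_SIZE; i++) {
        if (!sim_pool[i].in_use) {
            sim_pool[i].in_use = 1;
            strncpy(sim_pool[i].cipher, cipher, sizeof sim_pool[i].cipher - 1);
            sim_pool[i].cipher[sizeof sim_pool[i].cipher - 1] = '\0';
            return &sim_pool[i];
        }
    }
    return NULL;
}

/* Mirrors mcrypt_module_close(): release the handle. In the real library this
 * is where free(td) happens, so a second call on the same td is a double free. */
int sim_module_close(MCRYPT_SIM td)
{
    if (td == NULL || !td->in_use) {
        sim_double_closes++;        /* real code: heap corruption, later SIGSEGV */
        return -1;
    }
    td->in_use = 0;
    return 0;
}

/* Mirrors mcrypt_generic_end(): finishes the cipher AND closes the module.
 * After this call the caller no longer owns td. */
int sim_generic_end(MCRYPT_SIM td)
{
    return sim_module_close(td);
}

/* Cleanup order of php_mcrypt_do_crypt() as reported: generic_end followed by
 * an extra module_close on the same handle. */
int do_crypt_cleanup_buggy(const char *cipher)
{
    MCRYPT_SIM td = sim_module_open(cipher);
    if (td == NULL)
        return -1;
    sim_generic_end(td);
    return sim_module_close(td);    /* second release of td: -1 here, crash in the real code */
}

/* Cleanup order after the fix: the trailing module_close is gone. */
int do_crypt_cleanup_fixed(const char *cipher)
{
    MCRYPT_SIM td = sim_module_open(cipher);
    if (td == NULL)
        return -1;
    return sim_generic_end(td);
}

/* Number of handles still open; should be 0 after every cleanup path. */
int sim_live_handles(void)
{
    int n = 0;
    for (int i = 0; i < SIM_POOL_SIZE; i++)
        n += sim_pool[i].in_use;
    return n;
}

int sim_double_close_count(void)
{
    return sim_double_closes;
}

int main(void)
{
    int rc_fixed = do_crypt_cleanup_fixed("rijndael-256");
    printf("fixed: rc=%d live=%d double_closes=%d\n",
           rc_fixed, sim_live_handles(), sim_double_close_count());
    int rc_buggy = do_crypt_cleanup_buggy("rijndael-256");
    printf("buggy: rc=%d live=%d double_closes=%d\n",
           rc_buggy, sim_live_handles(), sim_double_close_count());
    return 0;
}
```

The point the pool makes visible is the ownership contract: whichever function frees the handle (here mcrypt_generic_end) is the last one allowed to touch it, and the caller must not release it again. In production C the same check is what tools like glibc's malloc debugging or AddressSanitizer perform for you when a free list is corrupted.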
 [2001-05-17 16:37 UTC] derick@php.net
Hello,

looks all ok. I'll check it out, and apply the patch (if ok) so that it will be fixed in PHP 4.0.6

Derick
 [2001-05-17 17:31 UTC] derick@php.net
Ok, this was indeed the problem. Thanks for this excellent help!

Derick
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 06:01:29 2024 UTC