From:             witekfl at gazeta dot pl
Operating system: Debian Linux
PHP version:      5.2.10
PHP Bug Type:     Reproducible crash
Bug description:  max_execution_timeout interrupts the error_handler causing a segfault

Description:
------------
php-5.2.10 with the fpm patch applied, running as FastCGI with Apache and mod_fcgid.
Here is a fragment of the backtrace:
#0  0x00007f86f9acced5 in raise () from /lib/libc.so.6
#1  0x00007f86f9ace3f3 in abort () from /lib/libc.so.6
#2  0x00007f86f9b093a8 in ?? () from /lib/libc.so.6
#3  0x00007f86f9b0e948 in ?? () from /lib/libc.so.6
#4  0x00007f86f9b10a56 in free () from /lib/libc.so.6
#5  0x00000000006a5509 in php_error_cb (type=1,
    error_filename=0xe37778 "/var/www/virtual/erc.blabla.pl/side_left.php(25) : eval()'d code(1) : eval()'d code",
    error_lineno=9, format=<value optimized out>, args=<value optimized out>)
    at /home/witekfl/PHP/php-5.2.10/main/main.c:831
#6  0x00000000006e5f04 in zend_error (type=1, format=0x9c2418 "Maximum execution time of %d second%s exceeded")
    at /home/witekfl/PHP/php-5.2.10/Zend/zend.c:976
#7  <signal handler called>
#8  0x00007f86f9b15d95 in strdup () from /lib/libc.so.6
#9  0x00000000006a551a in php_error_cb (type=2,
    error_filename=0xe37778 "/var/www/virtual/erc.blabla.pl/side_left.php(25) : eval()'d code(1) : eval()'d code",
    error_lineno=9, format=<value optimized out>, args=<value optimized out>)
    at /home/witekfl/PHP/php-5.2.10/main/main.c:834
#10 0x00000000006e5f04 in zend_error (type=2, format=0x9c4778 "%s%s%s(): supplied argument is not a valid %s resource")
    at /home/witekfl/PHP/php-5.2.10/Zend/zend.c:976
#11 0x00000000006f35ce in zend_fetch_resource (passed_id=<value optimized out>, default_id=<value optimized out>,
    resource_type_name=0x9abbd0 "stream", found_resource_type=0x0, num_resource_types=<value optimized out>)
    at /home/witekfl/PHP/php-5.2.10/Zend/zend_list.c:130


And here is the fragment of main.c:
        /* store the error if it has changed */
        if (display) {
                if (PG(last_error_message)) {
                        free(PG(last_error_message));
                }
                if (PG(last_error_file)) {
                        free(PG(last_error_file));
                }
                PG(last_error_type) = type;
                PG(last_error_message) = strdup(buffer);
                PG(last_error_file) = strdup(error_filename);
                PG(last_error_lineno) = error_lineno;
        }

After the free(), php_error_cb is interrupted by the signal (zend_timeout) and the given fragment is run again with the new error message, but PG(last_error_message) or PG(last_error_file) has already been freed while still holding the old value, so the second free causes the crash.

max_execution_time = 2
allow_url_fopen = Off


Reproduce code:
---------------
<?php
ini_set("max_execution_time", 2);
for (;;) {
  file_get_contents("http://google.com/");
}
/* I'm not sure if exactly this code crashes, but the code with undefined
variables and functions, trying to connect to the outside, will do very
often. Connections to the outside are rejected by iptables. */


Expected result:
----------------
No segfaults.

Actual result:
--------------
Often segfaults.

-- 
Edit bug report at http://bugs.php.net/?id=49484&edit=1