Edit report at https://bugs.php.net/bug.php?id=55704&edit=1
ID: 55704
User updated by: j dot amend at gmail dot com
Reported by: j dot amend at gmail dot com
Summary: php_flag engine off crashes apache
-Status: Feedback
+Status: Open
Type: Bug
Package: Apache2 related
Operating System: Gentoo linux
PHP Version: 5.4SVN-2011-09-19 (snap)
Block user comment: N
Private report: N
New Comment:
I tried what I could, but I don't know C or how to use gdb properly. It looks like the variable name makes it to _zend_hash_add_or_update intact as arKey, but then the address of arKey mysteriously changes inside that function.
Breakpoint 1, _zend_hash_add_or_update (ht=0x10087d120, arKey=0x10088e298 "engine", nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:201
201 TSRMLS_FETCH();
(gdb) info args
ht = (HashTable *) 0x10087d120
arKey = 0x10088e298 "engine"
nKeyLength = 7
pData = (void *) 0x7fff5fbff330
nDataSize = 24
pDest = (void **) 0x0
flag = 1
(gdb) print arKey
$6 = 0x10088e298 "engine"
(gdb) print &arKey
Address requested for identifier "arKey" which is in register $r13
(gdb) info address arKey
Symbol "arKey" is
0x1012e9a70 - 0x1012e9a98: in register rsi
0x1012e9a98 - 0x1012e9ace: in register r13
0x1012e9ace - 0x1012e9b94: in register rcx
0x1012e9b94 - 0x1012e9bc1: in register r13
0x1012e9bc1 - 0x1012e9c7c: in register rcx
0x1012e9c7c - 0x1012e9cd2: in register r13
0x1012e9d7f - 0x1012e9d8a: in register r13
0x1012e9d90 - 0x1012e9d9e: in register r13
0x1012e9da4 - 0x1012e9dff: in register r13
0x1012e9e2b - 0x1012e9f0f: in register r13
0x1012e9f15 - 0x1012e9f45: in register r13
0x1012e9fb5 - 0x1012e9fc6: in register r13
0x1012e9fd9 - 0x1012e9ff1: in register r13
0x1012ea00a - 0x1012ea02b: in register r13
0x1012ea062 - 0x1012ea0b0: in register r13.
(gdb) next
(gdb) print arKey
$6 = 0x10088e298 "engine"
(gdb) p/x $rcx
$17 = 0x10088e298
[...]
(gdb) next
278 case 6: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough... */
(gdb) p/x $rcx
$18 = 0x10088e299
[...]
(gdb) next
283 case 1: hash = ((hash << 5) + hash) + *arKey++; break;
(gdb) p/x $rcx
$21 = 0x10088e29e
(gdb) print (char*)0x10088e29e
$22 = 0x10088e29e ""
(gdb) next
218 p = ht->arBuckets[nIndex];
(gdb) print arKey
$24 = 0x10088e29e ""
(gdb) p/x *arKey
$27 = 0x0
[...]
(gdb) next
Breakpoint 8, _zend_hash_add_or_update (ht=0x10087d120, arKey=0x10088e298 "engine", nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:253
253 p = (Bucket *) pemalloc(sizeof(Bucket) + nKeyLength, ht->persistent);
(gdb) p/x *arKey
$32 = 0x65
(gdb) p/x $rcx
$33 = 0x10088e29e
(gdb) next
258 memcpy((char*)p->arKey, arKey, nKeyLength);
(gdb) p/x arKey
$41 = 0x10088e298
(gdb) print arKey
$42 = 0x10088e298 "engine"
[...]
(gdb) next
262 p->h = h;
(gdb) print arKey
$48 = 0x18 <Address 0x18 out of bounds>
(gdb) p/x arKey
$49 = 0x18
(gdb) print *p
$51 = {
h = 0,
nKeyLength = 7,
pData = 0x100222bf0,
pDataPtr = 0x0,
pListNext = 0x200000000,
pListLast = 0x600000001,
pNext = 0x5000021000000010,
pLast = 0x0,
arKey = 0x100222be8 "engine"
}
[...]
(gdb) next
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000000005448523c
0x00000001012e9e72 in _zend_hash_add_or_update (ht=0x10087d120, arKey=0x18 <Address 0x18 out of bounds>, nKeyLength=7, pData=0x7fff5fbff330, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:268
268 HANDLE_BLOCK_INTERRUPTIONS();
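The pointer movement the transcript shows during the hash computation (rcx stepping from 0x10088e298 to 0x10088e29e across the `case 6` ... `case 1` lines) is the normal behaviour of Zend's inline key hash, which consumes one byte of the key per unrolled step. The program below is an added example, not code from the bug report or from the PHP source tree: it re-implements that DJBX33A hash with the same unrolled-switch shape, exposes where the advancing pointer ends up, and runs it on the key from the report, "engine" with nKeyLength 7 (six characters plus the terminating NUL, the length PHP 5's hash API is handed). The function names, the `end` out-parameter and the use of uint64_t in place of Zend's `ulong` are this example's own choices; the sample keys are constructed from the strings visible in the report.

```c
/*
 * Added example (not from the PHP source tree or from the bug report):
 * a stand-alone copy of the DJBX33A key hash that the gdb session above
 * steps through, with the same eight-way unrolled loop and fall-through
 * switch. uint64_t is used instead of Zend's `ulong` so the result is the
 * same on every platform (on the reporter's x86-64 builds ulong is 64 bits
 * wide as well). The char signedness of `*arKey++` is kept as in Zend, so
 * keys with bytes above 0x7f hash differently on signed- and unsigned-char
 * targets; every key in the report is plain ASCII.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hash nKeyLength bytes starting at arKey. `end`, if non-NULL, receives the
 * final value of the advancing pointer: in the transcript that is the copy
 * the compiler kept in $rcx, which moves one byte per consumed character
 * while the original argument stays put in another register. */
static uint64_t djb_hash_key(const char *arKey, size_t nKeyLength, const char **end)
{
    uint64_t hash = 5381;

    /* variant with the hash unrolled eight times */
    for (; nKeyLength >= 8; nKeyLength -= 8) {
        hash = ((hash << 5) + hash) + *arKey++;
        hash = ((hash << 5) + hash) + *arKey++;
        hash = ((hash << 5) + hash) + *arKey++;
        hash = ((hash << 5) + hash) + *arKey++;
        hash = ((hash << 5) + hash) + *arKey++;
        hash = ((hash << 5) + hash) + *arKey++;
        hash = ((hash << 5) + hash) + *arKey++;
        hash = ((hash << 5) + hash) + *arKey++;
    }
    /* tail of 0..7 bytes: each case consumes one byte and falls through */
    switch (nKeyLength) {
        case 7: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough */
        case 6: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough */
        case 5: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough */
        case 4: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough */
        case 3: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough */
        case 2: hash = ((hash << 5) + hash) + *arKey++; /* fallthrough */
        case 1: hash = ((hash << 5) + hash) + *arKey++; break;
        default: break;
    }
    if (end) {
        *end = arKey;
    }
    return hash;
}

/* Straightforward one-byte-per-iteration form of the same hash, used to
 * show that the unrolling above is purely a speed optimisation. */
static uint64_t djb_hash_simple(const char *arKey, size_t nKeyLength)
{
    uint64_t hash = 5381;
    while (nKeyLength-- > 0) {
        hash = hash * 33 + *arKey++;
    }
    return hash;
}

/* Mirror the call in the transcript and report how far the pointer copy
 * advanced; with nKeyLength == 7 for "engine" the last byte consumed is
 * the NUL that gdb printed as "" at 0x10088e29e. */
static size_t key_advance(const char *key, size_t nKeyLength, uint64_t *hash_out)
{
    const char *end = key;
    uint64_t h = djb_hash_key(key, nKeyLength, &end);
    if (hash_out) {
        *hash_out = h;
    }
    return (size_t)(end - key);
}

int main(void)
{
    static const char key[] = "engine";          /* constructed from the report */
    uint64_t h = 0;
    size_t adv = key_advance(key, sizeof key, &h); /* sizeof includes the NUL: 7 */

    printf("hash(\"%s\", %zu) = %llu\n", key, sizeof key, (unsigned long long)h);
    printf("pointer advanced by %zu bytes; last byte consumed = 0x%02x\n",
           adv, (unsigned)key[adv - 1]);
    return 0;
}
```

Reading this next to the gdb session: `info address arKey` lists, per program-counter range, which register currently holds the variable, so `print arKey` after the hash loop shows whichever register the location list names at that PC, and once the compiler considers the variable dead (here, after memcpy has consumed it) that register is free to be reused for something else. A stale or reused register is one explanation for a value such as 0x18 being displayed for an argument that arrived intact; it is not by itself evidence of memory corruption. Rebuilding PHP with CFLAGS="-O0 -g" keeps every variable in a fixed stack slot and removes that ambiguity before chasing the access that actually faults at line 268.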
Previous Comments:
------------------------------------------------------------------------
[2011-09-20 14:32:07] [email protected]
This is so weird, since in frame #0 the arKey is an invalid pointer, but it should be exactly the same as the name in #1. Since I can not reproduce this in my environment, could you do me a favor and try to find out the reason for how this var could be damaged?
You can try to use gdb httpd, make a breakpoint "b real_value_hnd", then examine it step by step, thanks
------------------------------------------------------------------------
[2011-09-20 13:43:29] j dot amend at gmail dot com
I just tried it with php5.4-201109192030 on my Mac (Apache/2.2.17, Mac OS X
10.6.7) with the same result.
#0 0x00000001012e9e72 in _zend_hash_add_or_update (ht=0x10087d118, arKey=0x18 <Address 0x18 out of bounds>, nKeyLength=7, pData=0x7fff5fbff350, nDataSize=24, pDest=0x0, flag=1) at /Users/Grayling/php5.4-201109192030/Zend/zend_hash.c:268
#1 0x000000010139a944 in real_value_hnd (cmd=0x7fff5fbff820, dummy=0x10087d118, name=0x100890f58 "engine", value=<value temporarily unavailable, due to optimizations>, status=2) at /Users/Grayling/php5.4-201109192030/sapi/apache2handler/apache_config.c:73
#2 0x000000010139a9dd in real_flag_hnd (cmd=0x7fff5fbff820, dummy=0x10087d118, arg1=0x100890f58 "engine", arg2=0x100890f60 "off", status=2) at /Users/Grayling/php5.4-201109192030/sapi/apache2handler/apache_config.c:98
#3 0x0000000100003595 in invoke_cmd ()
#4 0x00000001000047d8 in ap_walk_config_sub ()
#5 0x000000010000488b in ap_walk_config ()
#6 0x0000000100005ddd in ap_process_config_tree ()
#7 0x000000010000a26a in main ()
------------------------------------------------------------------------
[2011-09-16 08:30:13] [email protected]
Please try using this snapshot:
http://snaps.php.net/php5.4-latest.tar.gz
For Windows:
http://windows.php.net/snapshots/
I cannot reproduce this in my environment; please test with the SVN snapshot, thanks
------------------------------------------------------------------------
[2011-09-15 20:48:23] j dot amend at gmail dot com
Description:
------------
Since PHP 5.4 alpha 2 (alpha 1 still worked), apache crashes with a
segmentation fault if "php_flag engine off" is anywhere in my apache
configuration files.
Test script:
---------------
httpd.conf:
...
php_flag engine off
...
Expected result:
----------------
PHP is disabled in whatever context "php_flag engine off" is used.
Actual result:
--------------
Apache crashes with a segmentation fault, even for a configtest (apache2 -t).
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff04ddff9 in _zend_hash_add_or_update () from /usr/lib64/apache2/modules/libphp5.so
------------------------------------------------------------------------