ID: 9801
User Update by: [EMAIL PROTECTED]
Status: Analyzed
Bug Type: mcrypt related
Operating system: Linux 2.4.1
PHP Version: 4.0 Latest CVS (16/03/2001)
Description: mcrypt_encrypt dumps core

I think I've found the problem (and the solution).
Let's look at some functions found in mcrypt first...

File: mcrypt_modules.c

    int mcrypt_module_close(MCRYPT td)
    {
        lt_dlclose(td->algorithm_handle);
        lt_dlclose(td->mode_handle);
        lt_dlexit();

        td->algorithm_handle = NULL;
        td->mode_handle = NULL;
        td->m_encrypt = NULL;
        td->a_encrypt = NULL;
        td->a_decrypt = NULL;
        td->m_decrypt = NULL;

        free(td);
        return 0;
    }

File: mcrypt.c

    int mcrypt_generic_end(const MCRYPT td)
    {
        internal_end_mcrypt(td);
        mcrypt_module_close(td);
        return 0;
    }

The crash occurs when the call free(td) is made in mcrypt_module_close(MCRYPT td).

Notice that mcrypt_generic_end(const MCRYPT td) calls mcrypt_module_close(MCRYPT td) in the end.

Let's look at the mcrypt.c file from PHP (NOT the same one as above). It has a function called

    php_mcrypt_do_crypt(char* cipher, zval **key, zval **data, char *mode,
                        zval **iv, int argc, int dencrypt, zval* return_value)

At the end of the function, we find the following:

        /* freeing vars */
        mcrypt_generic_end (td);
        if (key_s != NULL)
            efree (key_s);
        if (iv_s != NULL)
            efree (iv_s);
        efree (data_s);
        mcrypt_module_close (td);
    }

The crash occurs when the final mcrypt_module_close is called. The reason is that the call to mcrypt_generic_end (td) also calls mcrypt_module_close(td) that again calls free (td). When we later call mcrypt_module_close (td) we try to free td again, and that sometimes gives us a segmentation fault.

The solution is simply to delete the last line in the php_mcrypt_do_crypt function (mcrypt_module_close (td);) found in mcrypt.c. This is ok, since we have already freed td in the call to mcrypt_generic_end (td) a few lines above.

That solved the problems for me.
Finally no more crashes :)

Previous Comments:
---------------------------------------------------------------------------

[2001-04-10 13:58:16] [EMAIL PROTECTED]
Crashes for me too, possibly a bug in mcrypt itself. Trying more things...

---------------------------------------------------------------------------

[2001-04-10 13:01:24] [EMAIL PROTECTED]
Actually, the script only seems to dump core if I do:

    echo bin2hex($output);

after the encryption. Just a simple:

    echo $output;

seems to work just fine (i.e. it outputs stuff).

- Colin

---------------------------------------------------------------------------

[2001-04-10 12:59:24] [EMAIL PROTECTED]
This happens for me too with today's CVS and the latest CVS of mcrypt. Backtrace says:

    #0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
    3152    malloc.c: No such file or directory.
    (gdb) bt
    #0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
    #1  0x402c8828 in __libc_free (mem=0x81f7f08) at malloc.c:3054
    #2  0x400a650d in mcrypt_module_close (td=0x81f7f08) at mcrypt_modules.c:48
    #3  0x807c1e7 in php_mcrypt_do_crypt (cipher=0x81f7e94 "rijndael-256", key=0x81f2118, data=0x81f211c, mode=0x818174c "cbc", iv=0x81f2124, argc=5, dencrypt=0, return_value=0x81f7ef4) at mcrypt.c:1317
    #4  0x807c576 in php_if_mcrypt_encrypt (ht=5, return_value=0x81f7ef4, this_ptr=0x0, return_value_used=1) at mcrypt.c:1334
    #5  0x81228e6 in execute (op_array=0x81f37dc) at ./zend_execute.c:1494
    #6  0x80f3fcd in zend_execute_scripts (type=8, file_count=3) at zend.c:743
    #7  0x8069c8f in php_execute_script (primary_file=0xbffffa60) at main.c:1196
    #8  0x8067fa4 in main (argc=2, argv=0xbffffb04) at cgi_main.c:731
    #9  0x4026ab5c in __libc_start_main (main=0x8067830 <main>, argc=2, ubp_av=0xbffffb04, init=0x8064b8c <_init>, fini=0x81362ec <_fini>, rtld_fini=0x4000d634 <_dl_fini>, stack_end=0xbffffafc) at ../sysdeps/generic/libc-start.c:129

Assigning it to the expert ...
:)

---------------------------------------------------------------------------

[2001-03-16 20:58:56] [EMAIL PROTECTED]
When I run .php files under Apache (1.3.19) PHP sometimes crashes. I can run the same file several times, and only sometimes it crashes.

This is what is recorded in the apache log (a lot of them):

    [Fri Mar 9 19:24:51 2001] [notice] child pid 22845 exit signal Segmentation fault (11)

The following code can reproduce the crash:

    $input = "Teststring";
    $key = "gQ8V(|!kQ§lmJ8*~/HajI~lNM.-HzJqy";
    $iv = "w81kaMfJq(1lcJaQ+m BsjedLq!§230?";
    $output = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $input, MCRYPT_MODE_CBC, $iv);

The configure line is:

    --enable-track-vars --with-mysql=/usr/local/mysql --with-mhash --with-mcrypt --with-apxs=/usr/local/apache/bin/apxs

---------------------------------------------------------------------------

Full Bug description available at: http://bugs.php.net/?id=9801
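
Added example, not part of the original report and not PHP's or libmcrypt's code: a small C model of the cleanup order analysed in the user update at the top of this report, where the "end" call already closes the module and the caller closes it again. All names (toy_td, toy_module_close, toy_generic_end, tracked_free, drain, run_cleanup) are hypothetical; the release helper defers the real free() so the second release of the handle is counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for the library handle; all toy_* names are hypothetical. */
typedef struct { void *algorithm_handle, *mode_handle; } toy_td;
#define QMAX 8
static void *quarantine[QMAX];   /* released blocks, held until drained */
static int n_held, repeat_releases;
/* Debug release: defers the real free() so a repeat release of the same
 * address is counted instead of corrupting the heap. */
static void tracked_free(void *p) {
    for (int i = 0; i < n_held; i++)
        if (quarantine[i] == p) { repeat_releases++; return; }
    if (n_held < QMAX) quarantine[n_held++] = p;
}

/* Really free what is held; return and reset the repeat-release count. */
static int drain(void) {
    int seen = repeat_releases;
    while (n_held > 0) free(quarantine[--n_held]);
    repeat_releases = 0;
    return seen;
}

/* Same shape as mcrypt_module_close(): clear fields, release the handle. */
static int toy_module_close(toy_td *td) {
    td->algorithm_handle = td->mode_handle = NULL;
    tracked_free(td);
    return 0;
}

/* Same shape as mcrypt_generic_end(): it already closes the module. */
static int toy_generic_end(toy_td *td) { return toy_module_close(td); }

/* Cleanup tail of the caller. trailing_close=1 is the reported order
 * (end, then close again); 0 is the order with the last close removed. */
int run_cleanup(int trailing_close) {
    toy_td *td = calloc(1, sizeof *td);
    if (!td) return -1;
    toy_generic_end(td);
    if (trailing_close) toy_module_close(td);
    return drain();
}

int main(void) {
    printf("reported order: %d repeat release(s)\n", run_cleanup(1));
    printf("fixed order:    %d repeat release(s)\n", run_cleanup(0));
    return 0;
}
```

Because the handle stays allocated until drain() runs, the second close in the reported order touches live memory and is only counted; with a plain free() the same sequence is the intermittent crash shown in the backtrace.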