Hi Clint,
I just put another 3 hours into it.
The crash happens in this line of source code:
if(passwd_len>255) {
passwd[255] = '\0';
}
of php_mssql_do_connect. I found this out by disassembling the function in
the core dump: the instruction marked `=>` (+229) stores a zero byte at offset
0xff from the pointer loaded at +224, the last of three identical
compare-and-truncate sequences (+161, +186, +211), which corresponds to the
`passwd[255] = '\0'` line above:
Dump of assembler code for function php_mssql_do_connect:
0x00007f1d4804c330 <+0>: push %r14
0x00007f1d4804c332 <+2>: push %r13
0x00007f1d4804c334 <+4>: push %r12
0x00007f1d4804c336 <+6>: mov %r9d,%r12d
0x00007f1d4804c339 <+9>: push %rbp
0x00007f1d4804c33a <+10>: mov %edi,%ebp
0x00007f1d4804c33c <+12>: push %rbx
0x00007f1d4804c33d <+13>: mov %rsi,%rbx
0x00007f1d4804c340 <+16>: lea 0x2ef8(%rip),%rsi # 0x7f1d4804f23f
0x00007f1d4804c347 <+23>: sub $0xc0,%rsp
0x00007f1d4804c34e <+30>: mov %fs:0x28,%rax
0x00007f1d4804c357 <+39>: mov %rax,0xb8(%rsp)
0x00007f1d4804c35f <+47>: xor %eax,%eax
0x00007f1d4804c361 <+49>: lea 0x8f(%rsp),%rax
0x00007f1d4804c369 <+57>: lea 0x88(%rsp),%rcx
0x00007f1d4804c371 <+65>: lea 0x78(%rsp),%rdx
0x00007f1d4804c376 <+70>: lea 0x84(%rsp),%r9
0x00007f1d4804c37e <+78>: lea 0x70(%rsp),%r8
0x00007f1d4804c383 <+83>: movq $0x0,0x78(%rsp)
0x00007f1d4804c38c <+92>: mov %rax,0x10(%rsp)
0x00007f1d4804c391 <+97>: lea 0x80(%rsp),%rax
0x00007f1d4804c399 <+105>: movq $0x0,0x70(%rsp)
0x00007f1d4804c3a2 <+114>: movq $0x0,0x68(%rsp)
0x00007f1d4804c3ab <+123>: movb $0x0,0x8f(%rsp)
0x00007f1d4804c3b3 <+131>: mov %rax,0x8(%rsp)
0x00007f1d4804c3b8 <+136>: lea 0x68(%rsp),%rax
0x00007f1d4804c3bd <+141>: mov %rax,(%rsp)
0x00007f1d4804c3c1 <+145>: xor %eax,%eax
0x00007f1d4804c3c3 <+147>: callq 0x7f1d4804a768
<zend_parse_paramet...@plt>
0x00007f1d4804c3c8 <+152>: cmp $0xffffffffffffffff,%eax
0x00007f1d4804c3cb <+155>: je 0x7f1d4804c7b3
<php_mssql_do_connect+1155>
0x00007f1d4804c3d1 <+161>: cmpl $0xff,0x88(%rsp)
0x00007f1d4804c3dc <+172>: jle 0x7f1d4804c3ea <php_mssql_do_connect+186>
0x00007f1d4804c3de <+174>: mov 0x78(%rsp),%rax
0x00007f1d4804c3e3 <+179>: movb $0x0,0xff(%rax)
0x00007f1d4804c3ea <+186>: cmpl $0xff,0x84(%rsp)
0x00007f1d4804c3f5 <+197>: jle 0x7f1d4804c403 <php_mssql_do_connect+211>
0x00007f1d4804c3f7 <+199>: mov 0x70(%rsp),%rax
0x00007f1d4804c3fc <+204>: movb $0x0,0xff(%rax)
0x00007f1d4804c403 <+211>: cmpl $0xff,0x80(%rsp)
0x00007f1d4804c40e <+222>: jle 0x7f1d4804c41c <php_mssql_do_connect+236>
0x00007f1d4804c410 <+224>: mov 0x68(%rsp),%rax
=> 0x00007f1d4804c415 <+229>: movb $0x0,0xff(%rax)
0x00007f1d4804c41c <+236>: cmp $0x4,%ebp
0x00007f1d4804c41f <+239>: jbe 0x7f1d4804c7e0
<php_mssql_do_connect+1200>
0x00007f1d4804c425 <+245>: cmpq $0x0,0x60(%rsp)
0x00007f1d4804c42b <+251>: lea 0x2e3a(%rip),%rdx # 0x7f1d4804f26c
0x00007f1d4804c432 <+258>: je 0x7f1d4804c92f
<php_mssql_do_connect+1535>
0x00007f1d4804c438 <+264>: mov 0x206d2a(%rip),%edi #
0x7f1d48253168 <mssql_globals+104>
0x00007f1d4804c43e <+270>: callq 0x7f1d4804a508 <dbsetlogint...@plt>
0x00007f1d4804c443 <+275>: mov 0x206d27(%rip),%edi #
0x7f1d48253170 <mssql_globals+112>
0x00007f1d4804c449 <+281>: callq 0x7f1d4804a468 <dbsett...@plt>
0x00007f1d4804c44e <+286>: callq 0x7f1d4804a788 <dblo...@plt>
With this hint, I checked the code of the PHP script, which was:
// Connection parameters as posted (the values look like placeholders);
// the hostname actually used here was wrong, which is what triggered the crash.
define ("MSSQL_SERVER", "www");
define ("MSSQL_USER", "xxx");
define ("MSSQL_PASSWORD", "yyy");
define ("MSSQL_DATABASE", "zzz");
// Neither return value is checked, so a failed mssql_connect() is not
// detected before mssql_select_db() runs.
mssql_connect(MSSQL_SERVER, MSSQL_USER, MSSQL_PASSWORD);
mssql_select_db(MSSQL_DATABASE);
So there was no error checking. In fact the hostname of the server was
wrong, which is why the connection did not succeed. After I fixed the
hostname, the code ran without the segmentation fault. It made no
difference whether I used "define" or passed the connection values
directly as strings.
So the bug is triggered if the hostname passed to mssql_connect does not
exist.
--
Segmentation fault in php5-sybase
https://bugs.launchpad.net/bugs/611316