Public bug reported:
Binary package hint: php5
After spending some time researching this, I realize the root cause may
not be in php itself (but might), but not knowing the root cause, I am
reporting it here.
Environment: Ubuntu 8.04, PHP 5.2.4-2ubuntu5.9 with Suhosin-Patch
0.9.6.2 , suhosin, xcache, xdebug, mysql, gd, curl, ffmpeg, cli. The
server runs several vhosted sites. The problem occurs consistently on
one line of one site only. The site in question runs Drupal, and the
error is triggered by the Drupal webforms module (at the same line every
time) upon a form submission.
Symptoms: After several days (3 to 14 days), the following error is
reported:
Jan 4 22:07:14 Garth suhosin[25113]: ALERT - canary mismatch on efree() - heap
overflow detected (attacker '67.141.28.120', file
'/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan 4 22:07:15 Garth suhosin[25116]: ALERT - canary mismatch on efree() - heap
overflow detected (attacker '67.141.28.120', file
'/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan 4 22:11:47 Garth suhosin[25119]: ALERT - canary mismatch on efree() - heap
overflow detected (attacker '68.42.206.239', file
'/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan 4 22:11:47 Garth suhosin[25141]: ALERT - canary mismatch on efree() - heap
overflow detected (attacker '68.42.206.239', file
'/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan 4 22:21:57 Garth suhosin[25154]: ALERT - canary mismatch on efree() - heap
overflow detected (attacker '67.141.28.49', file
'/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan 4 22:21:58 Garth suhosin[25139]: ALERT - canary mismatch on efree() - heap
overflow detected (attacker '67.141.28.49', file
'/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
etc, etc.
At always the exact same line number. At this point, anybody submitting
any form on the site in question will trigger the error. Forms are an
important aspect of the site, and this is breaking that functionality as
none of the forms work as expected. Restarting Apache temporarily
solves/works around the problem.
Line 2201, that triggers the error: return $strict ?
filter_xss($string) : $string;
The filter_xss() Drupal function that is referenced:
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
// Only operate on valid UTF-8 strings. This is necessary to prevent cross
// site scripting issues on Internet Explorer 6.
if (!drupal_validate_utf8($string)) {
return '';
}
// Store the input format
_filter_xss_split($allowed_tags, TRUE);
// Remove NUL characters (ignored by some browsers)
$string = str_replace(chr(0), '', $string);
// Remove Netscape 4 JS entities
$string = preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
// Defuse all HTML entities
$string = str_replace('&', '&', $string);
// Change back only well-formed entities in our whitelist
// Named entities
$string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
// Decimal numeric entities
$string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
// Hexadecimal numeric entities
$string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1',
$string);
return preg_replace_callback('%
(
<(?=[^a-zA-Z!/]) # a lone <
| # or
<[^>]*(>|$) # a string that starts with a <, up until the > or the
end of the string
| # or
> # just a >
)%x', '_filter_xss_split', $string);
}
This same site was moved from another Ubuntu 8.04 server with a very
similar environment, and in almost 1 year, this error never occurred
there.
# apt-cache policy php5
php5:
Installed: 5.2.4-2ubuntu5.9
Candidate: 5.2.4-2ubuntu5.9
Version table:
*** 5.2.4-2ubuntu5.9 0
500 http://us.archive.ubuntu.com hardy-updates/main Packages
500 http://security.ubuntu.com hardy-security/main Packages
100 /var/lib/dpkg/status
5.2.4-2ubuntu5 0
500 http://us.archive.ubuntu.com hardy/main Packages
# php -v
PHP 5.2.4-2ubuntu5.9 with Suhosin-Patch 0.9.6.2 (cli) (built: Nov 26 2009
14:00:44)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Xdebug v2.0.2, Copyright (c) 2002-2007, by Derick Rethans
with Suhosin v0.9.22, Copyright (c) 2007, by SektionEins GmbH
# lsb_release -rd
Description: Ubuntu 8.04.3 LTS
Release: 8.04
** Affects: php5 (Ubuntu)
Importance: Undecided
Status: New
--
canary mismatch on efree()
https://bugs.launchpad.net/bugs/503396
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
