| Summary: | dev-lang/php-5.2.3-r3 causes apache child processes to segfault on session_start() | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Tony Vroon (RETIRED) <chainsaw> |
| Component: | Current packages | Assignee: | PHP Bugs <php-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | apache-bugs, benkoren, david, dertobi123, gentoo, hanno, heavymetal, hermelin, jc, jnerin, phajdan.jr, scotty, tommy, vapier, wschlich |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 180556 | | |
Description
Tony Vroon (RETIRED)
2007-07-30 12:17:49 UTC
*** Bug 187130 has been marked as a duplicate of this bug. ***

As requested by Jakub Moc, emerge -pv php output on the affected server:

[ebuild U ] dev-lang/php-5.2.3-r3 [5.2.2-r1] USE="apache2 berkdb bzip2 calendar cli crypt gd iconv imap ipv6 mysql ncurses nls pcre pic posix postgres readline session ssl tokenizer truetype unicode xml xmlrpc zlib (-adabas) -bcmath (-birdstep) -cdb -cgi -cjk -concurrentmodphp -ctype -curl -curlwrappers -db2 -dbase (-dbmaker) -debug -discard-path -doc (-empress) (-empress-bcs) (-esoob) -exif -fastbuild (-fdftk) -filter (-firebird) -flatfile -force-cgi-redirect (-frontbase) -ftp -gd-external -gdbm -gmp -hash -inifile -interbase -iodbc -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysqli -oci8 (-oci8-instant-client) -odbc -pcntl -pdo -pdo-external -qdbm -recode -reflection -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets (-solid) -spell -spl -sqlite -suhosin (-sybase) (-sybase-ct) -sysvipc -threads -tidy -wddx -xmlreader -xmlwriter -xpm -xsl -yaz -zip -zip-external" 0 kB

These are my use flags for php. I'm running an x86 hardened box and everything is fine:

[ebuild R ] dev-lang/php-5.2.3-r3 USE="apache2 berkdb bzip2 cli crypt gd gmp mysql ncurses nls pcre pic readline session ssl threads unicode xml zlib -adabas -bcmath -birdstep -calendar -cdb -cgi -cjk -concurrentmodphp -ctype -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filter -firebird -flatfile -force-cgi-redirect -frontbase -ftp -gd-external -gdbm -hash -iconv -imap -inifile -interbase -iodbc -ipv6 -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysqli -oci8 (-oci8-instant-client) -odbc -pcntl -pdo -pdo-external -posix -postgres -qdbm -recode -reflection -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets -solid -spell -spl -sqlite -suhosin -sybase -sybase-ct -sysvipc -tidy -tokenizer -truetype -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip -zip-external"

I can confirm this bug, same thing, amd64 non-multilib hardened, also happens on apache-2.2.4-r10. This problem doesn't occur with php-5.2.2-r1 btw, just for the record. Adding mhash to the useflags (as someone suggested in #gentoo-php) doesn't help either. I can paste my useflags if interested, I just don't have them handy since I masked this version of php :)

I can also confirm this with www-servers/lighttpd-1.4.15. Is it recommended that we rollback to a previous version of php for now?

(In reply to comment #5)
> I can also confirm this with www-servers/lighttpd-1.4.15. Is it recommended
> that we rollback to a previous version of php for now?

Benjamin, I can confirm that armin76 masked the problematic PHP version for users of hardened Gentoo. So this is being handled. After a sync you should see PHP being downgraded again. Hopefully a real fix is on the way.

Could anyone of you provide me with a simple way to make php go berserk (like tell me if a simple phpinfo(); makes php segfault)?

I do not have a simple way to replicate this problem. But I do know that Drupal (drupal.org) works fine, yet Serendipity weblog version 1.1.2 (http://www.s9y.org/) does not work, as it causes the segfault. Hope this helps.

(In reply to comment #7)
> Could anyone of you provide me with a simple way to make php go berserk (like
> tell me if a simple phpinfo(); makes php segfault) ?
>
(In reply to comment #8)
> I do not have simple way to replicate this problem. But I do know that Drupal
> (drupal.org) works fine, yet Serendipity weblog version 1.1.2
> (http://www.s9y.org/) does not work as causes the segfault. Hope this helps.
>
>

Well, then I can comment too, to say that the test I made was with a drupal installation.

I had the problem with horde-imp and phpmyadmin, this should be sufficient for testing... however, phpBB for example worked fine so far ;)

Same problems here with phpmyadmin. The box is an x86_64 running default-linux/amd64/2007.0 profile and apache-2.2.4-r10.

[ebuild R ] dev-lang/php-5.2.3-r3 USE="apache2 bzip2 cli crypt ctype gd gdbm iconv ipv6 mysql ncurses nls pcre readline reflection session spl ssl unicode xml zlib (-adabas) -bcmath -berkdb (-birdstep) -calendar -cdb -cgi -cjk -concurrentmodphp -curl -curlwrappers -db2 -dbase (-dbmaker) -debug -discard-path -doc (-empress) (-empress-bcs) (-esoob) -exif -fastbuild (-fdftk) -filter (-firebird) -flatfile -force-cgi-redirect (-frontbase) -ftp -gd-external -gmp -hash -imap -inifile -interbase -iodbc -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysqli -oci8 (-oci8-instant-client) -odbc -pcntl -pdo -pdo-external -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets (-solid) -spell -sqlite -suhosin (-sybase) (-sybase-ct) -sysvipc -threads -tidy -tokenizer -truetype -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip -zip-external" 0 kB [0]

If it helps any, I do not run a hardened toolchain - I only run a hardened kernel, with the following config. I am going to remove the config from the webserver after a few days or so, so if it is of use to you, you should download it. Thanks for all the hard work. Hope this helps: http://koren.us/bugs.gentoo.org-show_bug.cgi-id=187120.txt

Again, I am running lighttpd 1.4.15. Here are my lighttpd USE flags:

[ebuild R ] www-servers/lighttpd-1.4.15 USE="bzip2 fastcgi gdbm mysql pcre php ssl -doc -fam -ipv6 -ldap -lua -memcache -minimal -rrdtool -test -webdav -xattr"

I have the same problem with lighttpd-1.4.15-r1, php-5.2.3-r3 and phpmyadmin on my hardened system (hardened/athlon-xp). phpBB-3.0 RC4 and my own php code work without any problem.

[ebuild R ] www-servers/lighttpd-1.4.15-r1 USE="bzip2 fastcgi lua mysql pcre php ssl -doc -fam -gdbm -ipv6 -ldap -memcache -minimal -rrdtool -test -webdav -xattr"
[ebuild R ] dev-lang/php-5.2.3-r3 USE="bzip2 cgi crypt ctype force-cgi-redirect gd imap mysql mysqli ncurses nls pcre pic readline session simplexml sockets ssl suhosin unicode zip zlib -adabas -apache2 -bcmath -berkdb -birdstep -calendar -cdb -cjk -cli -concurrentmodphp -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filter -firebird -flatfile -frontbase -ftp -gd-external -gdbm -gmp -hash -iconv -inifile -interbase -iodbc -ipv6 -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -oci8 (-oci8-instant-client) -odbc -pcntl -pdo -pdo-external -posix -postgres -qdbm -recode -reflection -sapdb -sharedext -sharedmem -snmp -soap -solid -spell -spl -sqlite -sybase -sybase-ct -sysvipc -threads -tidy -tokenizer -truetype -wddx -xml -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip-external" 0 kB

I also can confirm this bug on a non-hardened, multilib, stable amd64 system.

A few interesting details:
* first, I was affected by bug 187131
* then, after switching to mod_php for it, it worked fine for a moment
* today it's broken, exactly the same situation as in this bug

emerge '=php-5*' output with unused flags stripped out:

[ebuild R ] dev-lang/php-5.2.3-r3 USE="apache2 berkdb bzip2 cgi cli crypt ctype curl exif force-cgi-redirect ftp gd gdbm gmp iconv ipv6 mysql ncurses nls pcre pdo readline reflection session simplexml soap spell spl sqlite ssl suhosin tokenizer truetype unicode xml zip zlib"

I can't give much info, but I suspect that the problem could be within the php session management stuff, because here php serves some scripts with no problems, but the ones with session_start and such did segfault immediately.

I have enabled only these flags: apache2 berkdb bzip2 calendar cli crypt ctype curl curlwrappers ftp gd ipv6 mhash mysql mysqli ncurses nls pcntl pcre pdo pic posix postgres readline reflection session sharedext sharedmem simplexml sockets spell spl sqlite ssl sysvipc tidy truetype unicode xml xmlreader xmlrpc xpm xsl zlib

System is running profile hardened/amd64.

(In reply to comment #15)
> I can't give much info, but I suspect that the problem could be within the php
> session management stuff, because here php serve some scripts with no problems,
> but ones with session_start and such did segfault immediately.
>

This actually sounds interesting... I did a strace on apache when the segfaults first happened (but was too lazy to start gdb, so the info is not really of importance), and the last operations before the segfault had something to do with session stuff:

lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=28672, ...}) = 0
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=28672, ...}) = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
umask(077) = 022
umask(077) = 077
lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=28672, ...}) = 0
lstat("/tmp/sess_b95796e1a81ad027555da8e72439afbb", 0x4d00c1e0) = -1 ENOENT (No such file or directory)
open("/tmp/sess_b95796e1a81ad027555da8e72439afbb", O_RDWR|O_CREAT, 0600) = 35
flock(35, LOCK_EX) = 0
fcntl(35, F_SETFD, FD_CLOEXEC) = 0
fstat(35, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---

Can someone who can afford to run a buggy setup for a few minutes try if something like <? session_start() ?> triggers the segmentation fault? :)

Might be related to bug 187374

Yup, something as simple as this:

<?php session_start(); echo "Lets see if that thing is segfaulting!"; session_stop(); ?>

makes it segfault here.

(In reply to comment #17)
> Can someone who can afford to run a buggy setup for a few minutes try if
> something like <? session_start() ?> triggers the segmentation fault? :)
>
> Might be related to bug 187374
>

I remember the error about safe_mode=on and access to /tmp, but I solved it by creating a directory in /tmp only for apache with the apache UID and configuring the php.ini to point to it. I forgot to comment on it. I detected the error in a custom page which uses session_start, but when I thought that this was probably a bug I masked the 5.2.3 and rolled back to the previous one.

I didn't mean "related" as in "could be the same error", but obviously the code for session handling was changed, so this might have introduced this very bug that causes the segfaults (which is even more probable given the example by Christian Heim).

Seems to be affecting only the x86_64 platform. I have PHP 5.2.3 compiled with the same USE flags on both x86 and x86_64, and the issue with session_start() only occurs on x86_64. It does not matter whether the target is cgi, fastcgi or mod_php.

*** Bug 187131 has been marked as a duplicate of this bug. ***

Can we rule this out as not being limited to hardened users only?

It appears that way... It seems hardened users are seeing this bug first and hit a tad harder than standard Gentoo users.

(In reply to comment #23)
> Can we rule this out as not being limited to hardened users only?

I think we can do that quite easily. I have nothing hardened. gentoo-sources, USE="-hardened". Yet this bug happens to me. Oh, wait - I have suhosin enabled... it could matter.

As my bug report (#187130) has been marked a duplicate of this bug, I just want to note that I'm NOT running an AMD64 system. My apache crashed on a hardened x86 install. Sadly I didn't look for segfaults in the logs, but I can confirm that the hosted website uses session_start() on each and every page.

*** Bug 187513 has been marked as a duplicate of this bug. ***

I'm the author of Bug 187513, sorry for the duplicate, I didn't find this one... Can't it be linked with http://www.php-security.org/MOPB/PMOPB-46-2007.html ? (even if it segfaults even without tuning the session_id)

I am running x86 and also have this problem. I disabled and emerge -C php as well, with no results. I'm also running an svn web client.

[ebuild R ] www-servers/apache-2.0.58-r2 USE="apache2 ssl -debug -doc -ldap -mpm-itk -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker (-selinux) -static-modules -threads" 0 kB
[ebuild N ] dev-lang/php-5.2.3-r3 USE="apache2 berkdb cli crypt curl gdbm iconv ipv6 mysql ncurses nls pcre readline reflection session spell spl ssl unicode xml xsl zlib -adabas -bcmath -birdstep -bzip2 -calendar -cdb -cgi -cjk -concurrentmodphp -ctype -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filter -firebird -flatfile -force-cgi-redirect -frontbase -ftp -gd -gd-external -gmp -hash -imap -inifile -interbase -iodbc -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysqli -oci8 -oci8-instant-client -odbc -pcntl -pdo -pdo-external -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets -solid -sqlite -suhosin -sybase -sybase-ct -sysvipc -threads -tidy -tokenizer -truetype -wddx -xmlreader -xmlrpc -xmlwriter -xpm -yaz -zip -zip-external"
[ebuild R ] dev-util/subversion-1.3.2-r4 USE="apache2 berkdb nls perl python zlib -bash-completion -emacs -java -nowebdav -ruby" 0 kB

Portage 2.1.2.11 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r4, 2.6.20-ck1 i686)
=================================================================
System uname: 2.6.20-ck1 i686 AMD Duron(tm) processor
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 04 Aug 2007 08:00:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
dev-lang/python: 2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon -pipe -fomit-frame-pointer -fweb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=athlon -pipe -fomit-frame-pointer -fweb"
DISTDIR="/usr/portage/distfiles"
FEATURES="distcc distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://mirrors.tds.net/gentoo http://pandemonium.tiscali.de/pub/gentoo/ http://212.219.56.152/sites/www.ibiblio.org/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow apache2 avi berkdb bitmap-fonts cdr cli cracklib crypt cups dri dvd dvdr fortran gdbm gif gpm iconv ipv6 isdnlog jpeg libg++ midi mmx mpeg mudflap ncurses nls nptl nptlonly oggvorbis openmp pam pcre pdflib perl php png ppds pppd python readline reflection samba session spell spl sse ssl tcpd theora truetype-fonts type1-fonts unicode x86 xml xorg xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

This bug is apparently caused by our patch (from php-cvs) to fix the open_basedir/safe_mode bypass with session.save_path in .htaccess files. I'm not completely sure what systems are affected though -- all amd64 systems and x86/hardened seem to be affected at least, irrespective of the SAPI used (cgi/cli/apache2).

I added php-5.2.4_pre200708051230-r1 to the php-testing overlay (available via layman) where the previous fix for the above mentioned security issue was reverted and replaced by different code. This version should fix the segfault issue. It would be nice if as many people as possible could test this version as it is probably the next candidate for being merged to the official tree. Please report back whether it fixed the segfault for you (in this bug); any other problems deserve their own bug report. :)

BTW, I'm sorry for not being able to respond earlier, I was on vacation.

(In reply to comment #15)
> I can't give much info, but I suspect that the problem could be within the php
> session management stuff, because here php serve some scripts with no problems,
> but ones with session_start and such did segfault immediately.

This information really helped a lot while tracking this down. Thank you!

5.2.4_pre working fine on my two amd64 servers (which had the segfault before). So I vote for merging into portage asap. Thanks hanno.

Dear arch teams (and any users wanting to help), could you please test php-5.2.4_pre200708051230-r1 from the php-testing overlay so we can get it merged into the tree as soon as possible without causing such a breakage again? When testing, please make sure to emerge with USE="session cli". The most basic test for the crash bug is:

echo '<?php session_start(); echo "Ok\n"; ?>' | php

This should print "Ok" and should not segfault... It would be even nicer if you could test some popular web apps like phpMyAdmin, MediaWiki, DokuWiki or anything else you currently have available and set up. Thanks in advance!

I just tested 5.2.4_pre200708051230-r2 which is in the main tree (currently unstable), and it fixed the issue for me. Guess soon we can close this bug ;)

Thanks everyone for testing, 5.2.4_pre200708051230-r2 stabilization handled on Bug 180556. Closing this one.
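An added example, not code from this bug thread or from the Gentoo php ebuilds: the one-line reproduction the maintainer asked arch testers to run, wrapped in a small POSIX sh harness that classifies the outcome by exit status (a process killed by SIGSEGV is reported by the shell as 128+11 = 139) instead of relying on someone eyeballing "Ok" on the terminal, and that runs it against every CLI-style SAPI binary you name. The script name, the function names and the `sh -c` stand-in commands used to exercise the classifier are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Gentoo php ebuild): drive the
# minimal session_start() reproduction through one or more PHP SAPI binaries
# and classify the result by exit status. Function and script names are
# assumptions of this example.

# Constructed test script, the same idea as the one-liner posted in the thread.
# session_write_close() flushes the session file so the write path runs too.
SESSION_TEST='<?php session_start(); echo "Ok\n"; session_write_close(); ?>'

# run_session_test <interpreter command...>
# Pipes SESSION_TEST into the given command and prints exactly one token:
#   ok                          exit 0 and the script printed "Ok"
#   segfault                    killed by SIGSEGV (shell reports 128+11 = 139)
#   signal:<n>                  killed by some other signal
#   exit:<n>                    non-zero exit (e.g. a PHP fatal error)
#   exit:0-unexpected-output    exit 0 but the output was not "Ok"
run_session_test() {
    status=0
    # The "|| status=$?" keeps a failing interpreter from tripping "set -e".
    out=$(printf '%s\n' "$SESSION_TEST" | "$@" 2>/dev/null) || status=$?
    case "$status" in
        0)
            if [ "$out" = "Ok" ]; then echo ok; else echo "exit:0-unexpected-output"; fi ;;
        139)
            echo segfault ;;
        *)
            if [ "$status" -gt 128 ]; then
                echo "signal:$((status - 128))"
            else
                echo "exit:$status"
            fi ;;
    esac
}

# check_sapis <binary>...
# Runs the test against each named binary found in PATH (typically "php" and
# "php-cgi"). Returns 0 only if every installed one reported "ok".
check_sapis() {
    rc=0
    for sapi in "$@"; do
        if ! command -v "$sapi" >/dev/null 2>&1; then
            echo "$sapi: not installed"
            continue
        fi
        result=$(run_session_test "$sapi")
        echo "$sapi: $result"
        [ "$result" = ok ] || rc=1
    done
    return "$rc"
}

# Usage: sh check_session_start.sh php php-cgi
if [ "$#" -gt 0 ]; then
    check_sapis "$@"
fi
```

The cli and cgi SAPIs can be driven this way because both read a script from stdin; mod_php cannot, so for the apache2 SAPI the equivalent check is to drop the same snippet into a file under the DocumentRoot, request it once, and look in Apache's error_log for a "child pid ... exit signal Segmentation fault (11)" line, which is how the prefork MPM reports a crashed child.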