Hello,

A strange segmentation fault for dev-php/php

emerge info

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.7-hardened-r10 i686)
=================================================================
System uname: 2.6.7-hardened-r10 i686 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.4.16
Python: dev-lang/python-2.3.5-r2 [2.3.5 (#1, Sep 30 2005, 09:55:51)]
dev-lang/python: 2.3.5-r2
sys-apps/sandbox: [Not Present]
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.5, 1.6.3, 1.8.5-r3, 1.7.9-r1, 1.4_p6, 1.9.4
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.2-r7
virtual/os-headers: 2.4.21-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -ggdb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig buildpkg ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ ftp://ftp.easynet.nl/mirror/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm arts avi bash-completion berkdb bitmap-fonts crypt eds emboss encode fbcon foomaticdb fortran gd gdbm gif gpm gstreamer gtk2 imagemagick innodb jpeg libg++ libwww mad memlimit mikmod motif mp3 mysql ncurses nls ogg oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang snmp spell ssl svga tcpd threads tiff truetype truetype-fonts type1-fonts vorbis xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

emerge -pv dev-php/php

[ebuild R ] dev-php/php-4.4.0-r1 -X +berkdb +crypt -curl +debug -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp -hardenedphp -imap -informix -ipv6 -java +jpeg -kerberos -ldap -mcal +memlimit -mssql +mysql +ncurses +nls -oci8 -odbc +pam +png -postgres +readline +snmp +spell +ssl +tiff +truetype +xml2 -yaz

The import.php just parses an XML document to import it into the database.

zeus wwwroot # php import.php
free(): invalid pointer 0x8570eb8!
Segmentation fault
zeus wwwroot #
Message from syslogd@zeus at Wed Oct 5 13:40:46 2005 ...
zeus kernel: grsec: From IP: signal 11 sent to /usr/bin/php[php:17521] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:25740] uid/euid:0/0 gid/egid:0/0

Message from syslogd@zeus at Wed Oct 5 13:40:46 2005 ...
zeus kernel: grsec: From IP: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /usr/bin/php[php:17521] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:25740] uid/euid:0/0 gid/egid:0/0

Ok, some gdb:

zeus wwwroot # gdb --args php import.php
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run
Starting program: /usr/bin/php import.php
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 15904)]
free(): invalid pointer 0x8570e08!

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 15904)]
0x40a0efae in free () from /lib/libc.so.6
(gdb)
(gdb) bt
#0 0x40a0efae in free () from /lib/libc.so.6
#1 0x081c95f4 in php_hashTableDestroy (table=0x40ab89e8) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5348
#2 0x081c8daf in dtdDestroy (p=0x8526bb8, isDocEntity=1 '\001', ms=0x85264d4) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5023
#3 0x081c26c1 in php_XML_ParserFree (parser=0x85264c8) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:1065
#4 0x081be136 in xml_parser_dtor (rsrc=0xfffffffc) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:297
#5 0x0821ea7c in list_entry_destructor (ptr=0x8515574) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#6 0x0821cfff in zend_hash_del_key_or_index (ht=0x842fa28, arKey=0x0, nKeyLength=0, h=9, flag=1) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:527
#7 0x0821e874 in _zend_list_delete (id=9) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:56
#8 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x85215d0, __zend_filename=0x83bef40 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c", __zend_lineno=171) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#9 0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xfffffffc) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#10 0x0821d1b8 in zend_hash_destroy (ht=0x85216f4) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#11 0x08216a73 in _zval_dtor (zvalue=0x85157fc, __zend_filename=0x83be698 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c", __zend_lineno=289) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:60
#12 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x85276d8, __zend_filename=0x83bef40 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c", __zend_lineno=171) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#13 0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xfffffffc) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#14 0x0821d1b8 in zend_hash_destroy (ht=0x852766c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#15 0x08216ad2 in _zval_dtor (zvalue=0x85100cc, __zend_filename=0x83be698 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c", __zend_lineno=289) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:51
#16 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x8526464, __zend_filename=0x83a0bf8 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c", __zend_lineno=312) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#17 0x081be0ae in xml_parser_dtor (rsrc=0xfffffffc) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:312
#18 0x0821ea7c in list_entry_destructor (ptr=0x8515574) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#19 0x0821d40a in zend_hash_apply_deleter (ht=0x842fa28, p=0x85270ac) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:611
#20 0x0821d4ca in zend_hash_graceful_reverse_destroy (ht=0x842fa28) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:677
#21 0x0820f8ce in shutdown_executor () at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:211
#22 0x08217b02 in zend_deactivate () at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend.c:693
#23 0x081e77b8 in php_request_shutdown (dummy=0x0) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/main/main.c:997
#24 0x08238d7e in main (argc=2, argv=0xbfffe7f4) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/sapi/cli/php_cli.c:879

rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
fcntl64(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0
read(7, 0x85711a8, 8192) = -1 EAGAIN (Resource temporarily unavailable)
fcntl64(7, F_SETFL, O_RDWR) = 0
write(7, "\1\0\0\0\1", 5) = 5
shutdown(7, 2 /* send and receive */) = 0
close(7) = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
munmap(0x40b16000, 266240) = 0
write(2, "free(): invalid pointer 0x8570eb"..., 35free(): invalid pointer 0x8570eb8!
) = 35
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
Created attachment 69912 [details] XML Parser class
Created attachment 69913 [details] The XML file to parse
Created attachment 69914 [details] The PHP to import the XML file
Hello,

I have added some scripts to reproduce the bug:

XML Parser class
The XML file to parse
The PHP to import the XML file

It seems that some paths are broken.

(gdb) run
Starting program: /usr/bin/php import2.php
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 2751)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 2751)]
poolDestroy (pool=0x85246e8) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5424
5424 /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c: No such file or directory.
in /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c
(gdb)
Message from syslogd@zeus at Wed Oct 5 15:29:55 2005 ...
zeus kernel: grsec: From 80.92.64.98: signal 11 sent to /usr/bin/php[php:2751] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/gdb[gdb:22233] uid/euid:0/0 gid/egid:0/0

(gdb) bt
#0 poolDestroy (pool=0x85246e8) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5424
#1 0x081c2619 in php_XML_ParserFree (parser=0x8524558) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:1055
#2 0x081be136 in xml_parser_dtor (rsrc=0xffffffff) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:297
#3 0x0821ea7c in list_entry_destructor (ptr=0x850fe5c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#4 0x0821cfff in zend_hash_del_key_or_index (ht=0x842fa28, arKey=0x0, nKeyLength=0, h=9, flag=1) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:527
#5 0x0821e874 in _zend_list_delete (id=9) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:56
#6 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x8518aa0, __zend_filename=0x83bef40 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c", __zend_lineno=171) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#7 0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xffffffff) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#8 0x0821d1b8 in zend_hash_destroy (ht=0x8518d8c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#9 0x08216a73 in _zval_dtor (zvalue=0x85100e4, __zend_filename=0x83be698 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c", __zend_lineno=289) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:60
#10 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x8525768, __zend_filename=0x83bef40 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c", __zend_lineno=171) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#11 0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xffffffff) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#12 0x0821d1b8 in zend_hash_destroy (ht=0x85256fc) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#13 0x08216ad2 in _zval_dtor (zvalue=0x850efd4, __zend_filename=0x83be698 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c", __zend_lineno=289) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:51
#14 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x85244f4, __zend_filename=0x83a0bf8 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c", __zend_lineno=312) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#15 0x081be0ae in xml_parser_dtor (rsrc=0xffffffff) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:312
#16 0x0821ea7c in list_entry_destructor (ptr=0x850fe5c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#17 0x0821d40a in zend_hash_apply_deleter (ht=0x842fa28, p=0x852513c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:611
#18 0x0821d4ca in zend_hash_graceful_reverse_destroy (ht=0x842fa28) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:677
#19 0x0820f8ce in shutdown_executor () at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:211
#20 0x08217b02 in zend_deactivate () at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend.c:693
#21 0x081e77b8 in php_request_shutdown (dummy=0x0) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/main/main.c:997
#22 0x08238d7e in main (argc=2, argv=0xbfffd874) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/sapi/cli/php_cli.c:879
(gdb) quit
Hi, could you please test if you can reproduce this using the new dev-lang/php package? Just emerge =dev-lang/php-4*, and remember to enable the "cli" USE flag and the "xml" and "xml2" USE flags at least for this to work. dev-lang/php is the new generation of PHP support in Gentoo and will substitute dev-php/php, dev-php/php-cgi and dev-php/mod_php (all these are now only in dev-lang/php, controlled by USE flags). For more information on the new PHP support, take a look at: http://svn.gnqs.org/projects/gentoo-php-overlay/file/docs/php-upgrading.html?format=raw Thanks for feedback, best regards, CHTEKK.
Bleh, dev-lang/php-4.4.0-r1 segfaults as well.

$ cd /usr/lib/php4 && grep -Rni '/var/tmp/portage/' *
Binary file bin/php matches
Binary file bin/php-cgi matches
Binary file lib/php/extensions/no-debug-non-zts-20020429/apc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20020429/sqlite.so matches

---

And for the record, with dev-lang/php-5.1.0_rc1 (the overlay one) it does not segfault, but contains screwed paths as well.

$ cd /usr/lib/php5 && grep -Rni '/var/tmp/portage/' *
Binary file bin/php matches
Binary file bin/php-cgi matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_mysql.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/apc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_odbc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_sqlite.so matches
Hello, OK, Apache also segfaults with mod_php 4 if you use these files. DoS possible. Koon, could you please close the bug to the public? Regards.
Hello, I have resolved my bug by adding this method to the XML Parser class:

function freexml() { xml_parser_free($this->parser); }

And in the PHP to import the XML file:

$xml->freexml();

There is still a bug in PHP, but a workaround exists. Regards.
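The workaround above works because it removes the expat parser from the request-shutdown path: in the first backtrace the same resource entry (list_entry_destructor ptr=0x8515574, frames #5 and #18) is torn down twice, once via xml_parser_dtor at xml.c:312 releasing the object registered with xml_set_object, and again when that object's own reference to the parser resource is dropped, ending in the invalid free(). The example below is added here to show the pattern as a reusable wrapper; it is not the reporter's attached "XML Parser class" and the class, method and sample document are assumed. It frees the handle explicitly and makes the free idempotent, so a caller that frees early and a destructor that runs later cannot release the same parser twice.

```php
<?php
// Added example (not from the bug attachments): an XML parser wrapper
// that frees the expat handle explicitly instead of leaving it to
// request shutdown, where the object <-> parser reference cycle made the
// destruction order fragile in the crash above. Class and method names
// are assumptions; written for PHP 5 and later.

class SafeXmlParser
{
    private $parser;               // expat parser resource, or null once freed
    private $elements = array();   // element names seen, in document order

    public function __construct()
    {
        $this->parser = xml_parser_create('UTF-8');
        // Route callbacks to this object. This is exactly what creates the
        // object <-> parser cycle, so the handle must be released explicitly.
        xml_set_object($this->parser, $this);
        xml_set_element_handler($this->parser, 'startElement', 'endElement');
        xml_parser_set_option($this->parser, XML_OPTION_CASE_FOLDING, 0);
    }

    public function startElement($parser, $name, $attrs)
    {
        $this->elements[] = $name;
    }

    public function endElement($parser, $name)
    {
    }

    // Parse a whole document held in memory. Returns the element names on
    // success, false on a parse error or when the parser was already freed.
    public function parseString($xml)
    {
        if ($this->parser === null) {
            return false;   // refuse to touch a handle that was already released
        }
        if (!xml_parse($this->parser, $xml, true)) {
            $msg = sprintf('XML error: %s at line %d',
                xml_error_string(xml_get_error_code($this->parser)),
                xml_get_current_line_number($this->parser));
            $this->free();  // release on the error path too, not just on success
            trigger_error($msg, E_USER_WARNING);
            return false;
        }
        return $this->elements;
    }

    // Idempotent: frees the parser exactly once and breaks the cycle by
    // dropping the object's own reference to the resource.
    public function free()
    {
        if ($this->parser !== null) {
            xml_parser_free($this->parser);
            $this->parser = null;
        }
        return true;
    }

    public function __destruct()
    {
        $this->free();      // safe even if the caller already called free()
    }
}

// Constructed sample input, not the reporter's XML file.
$doc = '<?xml version="1.0"?>'
     . '<catalog><item id="1"><name>a</name></item></catalog>';

$p = new SafeXmlParser();
$names = $p->parseString($doc);
$p->free();             // the workaround from the comment above: free before shutdown
$p->free();             // second call is a no-op, not a double free
var_dump($names);
```

Calling free() on every path (success, parse error, and again from __destruct) is what makes the wrapper robust against the shutdown-order problem: by the time the engine walks the resource list, the parser entry is already gone and the object holds no handle to destroy.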
Auditors, maybe confirm this?
Was confirmed by maintainer. Luca: would be nice to have a fix for this at the same time as bug 107602
CHTEKK will open a bug upstream about this, as it's not fixed in 4.4.1.
CHTEKK: did you file the bug upstream?
Finally got to this... The bug is confirmed by me and reproducible with the test scripts, and the workaround indeed solves the problem. I've tried using both the bundled expat library and an external install; it segfaults with both. Searching the PHP bugs database a bit more, I've found two bugs that reference the same problem already:

http://bugs.php.net/bug.php?id=32494
http://bugs.php.net/bug.php?id=34150

From what I gather from them, upstream knows about it and has the problem verified, but won't do anything about it (see second bug); it seems they consider the xml_parser_free() workaround as a viable solution (but it isn't really, the segfault remains still...). Best regards, CHTEKK.
I propose that we open this bug (since it's already public on PHP's bugzie) and resolve it as UPSTREAM. Eric: you should try to convince them to fix it by demonstrating that this is a security issue...
I agree with comment #14, let's do it! ;) Best regards, CHTEKK.
Done as mentioned in comment #14.