
Bug 264856

Summary: dev-php5/ZendOptimizer have executable stack, php needs PAX flag MPROTECT disabled
Product: Gentoo Linux
Reporter: Andreas Prieß <ap>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED OBSOLETE
Severity: normal
CC: alar, fordfrog, php-bugs, scroop, skunk
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
URL: http://forums.zend.com/viewtopic.php?f=57&t=7116
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: emerge --info
emerge --info dev-lang/php www-servers/apache

Description Andreas Prieß 2009-04-04 11:04:05 UTC
dev-lang/php segfaults and therefore blocks the following php-related packages on hardened systems with pax and grsec enabled.

php gets emerged with
- PaX flags: -------x-e-- [/usr/lib/php5/bin/php]
but needs
- PaX flags: -----m-x-e-- [/usr/lib/php5/bin/php]
to run without segfault.

Happens on all recent hardened kernels, using the grsec gentoo server profile.

Using php per cli and cgi, pax flags need at least to be set on /usr/lib/php5/bin/php and /usr/lib/php5/bin/php-cgi.

I think this should be handled in the ebuild as it is for other packages, otherwise emerge world updates break, as does everything php related.


Reproducible: Always

Steps to Reproduce:
Comment 1 Andreas Prieß 2009-04-04 11:22:06 UTC
The PHP modules suhosin and ZendOptimizer are also installed on this system.
I do not know at the moment, if this also happens without ZendOptimizer.
Comment 2 Gordon Malm (RETIRED) gentoo-dev 2009-04-04 13:38:53 UTC
I've never needed to disable MPROTECT on php to merge anything, nor run what few php apps I do.  No emerge --info either.  You're going to need to present a lot more detailed information (logs, output, etc.) to convince me.
Comment 3 Alar Kvell 2009-05-14 18:10:37 UTC
Hi,

1) Normally (without ZendOptimizer extension), PHP works on a hardened system, no paxctl tweaking is necessary.

2) Add ZendOptimizer extension to php.ini

zend_extension=/usr/lib64/php5/lib/php/extensions/no-debug-non-zts-20060613/ZendOptimizer.so

Then PHP crashes:

user@server ~ $ php-cgi
Segmentation fault

System logs contain:

May 14 20:57:08 server php-cgi[32674]: segfault at 769bb287eda0 ip 0000769bb266a47b sp 000077afb41d9fa0 error 7 in ld-2.8.so[769bb2663000+1c000]
May 14 20:57:08 server grsec: From 127.0.0.1: signal 11 sent to /usr/lib64/php5/bin/php-cgi[php-cgi:32674] uid/euid:1006/1006 gid/egid:100/100, parent /bin/bash[bash:32643] uid/euid:1006/1006 gid/egid:100/100
May 14 20:57:08 server grsec: From 127.0.0.1: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/php5/bin/php-cgi[php-cgi:32674] uid/euid:1006/1006 gid/egid:100/100, parent /bin/bash[bash:32643] uid/euid:1006/1006 gid/egid:100/100

3) Execute

paxctl -m /usr/lib/php5/bin/php-cgi

Then ZendOptimizer extension works, PHP doesn't segfault anymore.

(* Having Suhosin extension doesn't affect these results.)

emerge --info follows:

server ~ # emerge --info
Portage 2.1.6.11 (hardened/linux/amd64/2008.0/server, gcc-3.4.6, glibc-2.8_p20080602-r1, 2.6.28-hardened-r7 x86_64)
=================================================================
System uname: Linux-2.6.28-hardened-r7-x86_64-Intel-R-_Core-TM-2_CPU_6420_@_2.13GHz-with-glibc2.3.2
Timestamp of tree: Thu, 14 May 2009 03:15:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.7
dev-lang/python:     2.5.4-r2
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -mtune=nocona -O2 -pipe -fforce-addr"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -mtune=nocona -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.linux.ee/pub/gentoo/distfiles/ http://trumpetti.atm.tut.fi/gentoo/"
INSTALL_MASK="*.la"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en et"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/home/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip a52 aac acl amd64 apache2 bash-completion berkdb bzip2 cli cracklib crypt curl d dedicated dri encode enscript expat fam fastcgi flac fontconfig ftp gd gdbm geoip glibc-omitfp gmp gnutls gpm hardened hddtemp iconv imagemagick iproute2 ipv6 isdnlog ithreads java jpeg justify ldap lm_sensors lzma lzo midi mmx mmxext mp2 mp3 mudflap multilib mysql ncurses network-cron nls nptl nptlonly ogg openmp pam pcre perl pic png pppd python quicktime quotas readline reflection sasl serial session slang spell spl sqlite sqlite3 sse sse2 ssl ssse3 subversion symlink sysfs syslog tcl theora truetype unicode unzip urandom vhosts vorbis vpopmail x264 xml xorg xvid zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_default authn_file authz_default authz_host authz_user autoindex dav deflate dir env expires ext_filter filter headers log_config logio mime negotiation proxy proxy_ajp proxy_http rewrite setenvif unique_id userdir" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en et" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, FFLAGS, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 4 Andreas Prieß 2009-05-21 08:22:26 UTC
I see the same situation here as Alar described it: it is not PHP itself that would need PAX flags changed, but ZendOptimizer, as I had suspected.

Unfortunately portage seems not to have a general solution for this transitive problem. There was a discussion of this general problem with some possible solutions / workarounds on the gentoo-hardened list a while ago:

Thread "persistent paxctl -m?" started on 2009-04-09:

http://archives.gentoo.org/gentoo-hardened/msg_0c8f726fcd53f55685fd7f9885e2e99d.xml
Comment 5 Nikolay Engyozov 2009-06-21 05:56:59 UTC
Created attachment 195322 [details]
emerge --info

I have a similar situation here - with both MPROTECT flags enabled on /usr/sbin/apache2 & /usr/lib/apache2/modules/libphp5.so Apache doesn't fork when starting (starts just a single process) and can't handle requests.
dmesg says:
[45658.577065] apache2[25039]: segfault at 5133bed0 ip 51327334 sp 5a47fbac error 7 in ld-2.8.so[5131f000+1c000]
[45658.577144] grsec: From XX.XX.XX.XX: signal 11 sent to /usr/sbin/apache2[apache2:25039] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[45658.577184] grsec: From XX.XX.XX.XX: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/apache2[apache2:25039] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 

If I disable PHP support in Apache config file it works fine - forks 5 processes and there is no problem. 

The only solution I've found for now is to disable MPROTECT flag on Apache2 binary - /usr/sbin/apache2, but I'm not sure that's the right way.

emerge --info is attached
Comment 6 Jim 2010-02-24 13:49:11 UTC
Created attachment 220977 [details]
emerge --info dev-lang/php www-servers/apache

I can verify that this problem also happens when trying to install the Zend Debugger extension as well.  In this case, after doing "/etc/init.d/apache2 start", apache quietly segfaulted and crashed with no error messages at all except in grsec.log.

I added the following to '/etc/php/apache2-php5/php.ini':

[Zend]
zend_extension="/usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613/ZendDebugger.so"
; Allow localhost, and local network access to the debugger
zend_debugger.allow_hosts="127.0.0.1, 192.168.1.0/16"
zend_debugger.expose_remotely=always



In my /var/log/grsec.log was the following:

Feb 24 06:15:25 polaris kernel: grsec: signal 11 sent to /usr/sbin/apache2[apache2:4369] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 24 06:15:25 polaris kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/apache2[apache2:4369] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Similarly, php crashes if the Zend Debugger is added to the command line php.ini file located at '/etc/php/cli-php5/php.ini'. I can see the same behavior that Alar Kvell reported.

# php --version
Segmentation fault

Along with the following in grsec.log:

Feb 24 06:26:41 polaris kernel: grsec: From 192.168.1.103: signal 11 sent to /usr/lib/php5/bin/php[php:6444] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5181] uid/euid:0/0 gid/egid:0/0
Feb 24 06:26:41 polaris kernel: grsec: From 192.168.1.103: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib/php5/bin/php[php:6444] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5181] uid/euid:0/0 gid/egid:0/0


I was able to fix both by running the following:
paxctl -m /usr/lib/php5/bin/php
paxctl -m /usr/sbin/apache2

emerge --info is attached.
Comment 7 Magnus Granberg gentoo-dev 2010-07-18 02:03:30 UTC
*** Bug 328759 has been marked as a duplicate of this bug. ***
Comment 8 Magnus Granberg gentoo-dev 2010-07-18 02:06:30 UTC
*** Bug 280456 has been marked as a duplicate of this bug. ***
Comment 9 Magnus Granberg gentoo-dev 2010-07-18 02:18:06 UTC
Zend Optimizer has an executable stack
zorry@laptop1 ~ $ scanelf -e ZendOptimizer.so
 TYPE   STK/REL/PTL FILE 
ET_DYN RWX --- RW- ZendOptimizer.so
And that will most of the time get killed by PaX-enabled kernels.
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
So you need to use paxctl -m on the php and apache bin to disable
MPROTECT.
@php is there any bug upstream about the executable stack?
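The scanelf output in the comment above is a readout of the PT_GNU_STACK program header: an RWX value there means the object asks the loader for an executable stack, which a PaX kernel with MPROTECT enabled refuses, so the process dies with the signal 11 seen in the grsec logs earlier in this bug. The following is an added example, not code from this bug report, from scanelf or from the PaX project: a small Python checker that reads that header directly (ELF32 and ELF64, either byte order) and reports the same STK-style summary, so an admin can audit a php extension directory before deciding whether a paxctl -m exception on the php or apache binary is really needed. The build_test_elf helper and its constructed ELF images exist only to give the checker something to run on offline; they are not loadable objects, and the file name check_gnu_stack.py in the usage comment is an assumption.

```python
"""Report whether an ELF object asks the loader for an executable stack.

Added example (not code from the bug report, scanelf or the PaX project).
It reads the PT_GNU_STACK program header, the marker that `scanelf -e`
summarises in its STK column: RWX there means the object demands an
executable stack, which PaX MPROTECT refuses, so the process is killed
with SIGSEGV at load time.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # p_type value of the GNU stack marker
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags permission bits


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if it is absent.

    Handles ELF32 and ELF64 in either byte order. Raises ValueError on
    input that is not an ELF image.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"       # EI_DATA: 1 = LSB, 2 = MSB
    if ei_class == 2:                        # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, flags_index = end + "IIQQQQQQ", 1   # p_type, p_flags, ...
    elif ei_class == 1:                      # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, flags_index = end + "IIIIIIII", 6   # p_flags is the 7th field
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_index]
    return None


def stack_summary(data):
    """scanelf-style STK column: 'RWX', 'RW-', ... or 'missing'."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "missing"
    return "".join(c if flags & bit else "-"
                   for c, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))


def requests_exec_stack(data):
    """True when the object will need an executable stack at load time.

    A missing PT_GNU_STACK header is treated as executable, which is the
    historical loader default on x86 and exactly what the hardened GNU
    stack QA check warns about.
    """
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_test_elf(stack_flags=None, elf_class=2):
    """Constructed minimal ELF image (ET_DYN) with at most one program
    header, a PT_GNU_STACK carrying the given flags. Test input only; it
    is not a loadable shared object."""
    phnum = 0 if stack_flags is None else 1
    e_ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0]) + bytes(8)
    if elf_class == 2:   # ELF64, EM_X86_64
        ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0,
                                     64 if phnum else 0, 0, 0, 64, 56, phnum, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags or 0, 0, 0, 0, 0, 0, 16)
    else:                # ELF32, EM_386
        ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0,
                                     52 if phnum else 0, 0, 0, 52, 32, phnum, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    return ehdr + (phdr if phnum else b"")


if __name__ == "__main__":
    # Usage: python check_gnu_stack.py /path/to/extensions/*.so  (file name assumed)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        verdict = "needs exec stack (MPROTECT will kill it)" if requests_exec_stack(blob) else "ok"
        print("%-8s %s  %s" % (stack_summary(blob), verdict, path))
```

Run against every .so in the php extension directory: any object reported as RWX or missing is the one that forces the paxctl -m exception, and it is the extension, not php or apache, that should be fixed or dropped, which is the conclusion this bug reaches for ZendOptimizer.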
Comment 10 Matti Bickel (RETIRED) gentoo-dev 2010-07-18 12:26:23 UTC
I've asked upstream for comment. Let's see what they say.
Comment 11 Ole Markus With (RETIRED) gentoo-dev 2011-09-07 11:56:21 UTC
ZendOptimizer has been removed from portage