php5 5.2.3-1ubuntu6.1 introduced segfault regression

Bug #173043 reported by Malcolm Scott
Affects: php5 (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Kees Cook
Milestone:

Bug Description

Binary package hint: php5

Since installing the latest security update for PHP (5.2.3-1ubuntu6.1) I am seeing segfaults when accessing some PHP CGI scripts:

Nov 30 13:20:41 pip kernel: [2049612.462000] php5-cgi[3740]: segfault at ffffffffa0239a60 rip 00002aee99db8b50 rsp 00007fff13250558 error 4
Nov 30 13:20:44 pip kernel: [2049615.858235] php5-cgi[3828]: segfault at 000000007cee2a48 rip 00002b0a7f3feb50 rsp 00007fff2dc0a478 error 4
Nov 30 13:20:46 pip kernel: [2049617.016314] php5-cgi[3838]: segfault at 00000000267a65c8 rip 00002b0928cd3b50 rsp 00007fff8433d1b8 error 4

I am not yet sure exactly what is causing the segfault. I can confirm however that the same issue definitely does not occur on 5.2.3-1ubuntu6.

The set of PHP packages I have installed is:

13:20:56 1006 mas90-adm@pip:~$ dpkg --get-selections | grep ^php5
php5 install
php5-cgi install
php5-cli install
php5-common install
php5-curl install
php5-dev install
php5-gd install
php5-imap install
php5-ldap install
php5-mcrypt install
php5-mysql install
php5-pgsql install
php5-xmlrpc install
php5-xsl install

I will attempt to find out what is causing the problem and will update this bug report if I have any more information. Meanwhile if there's anything you would like me to try, please let me know.

Revision history for this message
Mathias Gug (mathiaz) wrote: Re: [Bug 173043] php5 5.2.3-1ubuntu6.1 introduced segfault regression

On Fri, Nov 30, 2007 at 01:31:54PM -0000, Malcolm Scott wrote:
> The set of PHP packages I have installed is:
>
> 13:20:56 1006 mas90-adm@pip:~$ dpkg --get-selections | grep ^php5
> php5 install
> php5-cgi install
> php5-cli install
> php5-common install
> php5-curl install
> php5-dev install
> php5-gd install
> php5-imap install
> php5-ldap install
> php5-mcrypt install
> php5-mysql install
> php5-pgsql install
> php5-xmlrpc install
> php5-xsl install
>

Are these the standard debs from the repository ? Did you recompile any
of these from the source deb ?

Are you able to figure which script crashes ?

  status incomplete

--
Mathias

Changed in php5:
status: New → Incomplete
Kees Cook (kees) wrote:

Are there crash reports in /var/crash for php5? If so, please attach them, it may help narrow down the problem.

Kees Cook (kees) wrote:

It seems the crash location (eip) is different each time, and in a high location. That would imply it is crashing in a loaded library. Can you try this and see if it fixes your issue:

  cd /tmp
  apt-get source php-mcrypt php-imap
  sudo apt-get install build-essential fakeroot devscripts
  sudo apt-get build-dep php-mcrypt
  sudo apt-get build-dep php-imap
  (cd php-mcrypt-*; dch -n 'Rebuild bump'; debuild -uc -us)
  (cd php-imap-*; dch -n 'Rebuild bump'; debuild -uc -us)
  sudo dpkg -i php5-mcrypt_*.deb php5-imap_*.deb

This will rebuild and reinstall the two out-of-source php5 modules you're using. If the crashes are a result of an internal ABI change that wasn't seen in testing, this rebuild should make the crashes go away. Can you report back what happens (or isolate the script that is crashing)? Thanks!

Malcolm Scott (malcscott) wrote:

These are standard debs from the gutsy-security repository.

A variety of different scripts are crashing, including phpMyAdmin, Gallery, MediaWiki, etc.

There are several pertinent crash reports in /var/crash but unfortunately they're likely to contain user data (MySQL passwords etc.) -- I'll see if I can reproduce the problem on something that won't contain such data, bear with me...

I'll try rebuilding those two modules and let you know what happens.

Malcolm Scott (malcscott) wrote:

Rebuilding the imap and mcrypt did not stop the segfaults.

Malcolm Scott (malcscott) wrote:

Crash report attached for a crash in phpMyAdmin (just loading the login form), with the rebuilt imap and mcrypt modules installed.

uwe (uwe-walter) wrote:

Hi @all,

on my machine, the same behavior exists, after upgrading php5-cgi and php5-cli to 5.2.3-1ubuntu6.1 today.

phpMyAdmin crashes on the start page. Other sites crash when I try to log in at the backend. My investigations have shown that php5-cgi crashes during the initSession process via the function session_start().

I attached my _usr_bin_php5-cgi.UID.crash

Greetz from Germany

Malcolm Scott (malcscott) wrote:

I've reproduced the crash using a self-compiled package with debug symbols (DEB_BUILD_OPTIONS=nostrip,debug). Here's the backtrace:

#0 0x00002b886ee62b50 in strlen () from /lib/libc.so.6
#1 0x000000000051f4e4 in php_session_reset_id () at /home/malcolm/srcfphpbuild/php5-5.2.3/ext/session/session.c:1098
#2 0x0000000000521c55 in php_session_start () at /home/malcolm/srcfphpbuild/php5-5.2.3/ext/session/session.c:1327
#3 0x0000000000522529 in zif_session_start (ht=1821884800, return_value=0x2b886c977a78, return_value_ptr=0x2b886c951c80, this_ptr=0x0,
    return_value_used=-16843009) at /home/malcolm/srcfphpbuild/php5-5.2.3/ext/session/session.c:1802
#4 0x00000000006770f2 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff3e1a7b60)
    at /home/malcolm/srcfphpbuild/php5-5.2.3/Zend/zend_vm_execute.h:200
#5 0x0000000000667bdc in execute (op_array=0xd92d90) at /home/malcolm/srcfphpbuild/php5-5.2.3/Zend/zend_vm_execute.h:92
#6 0x000000000066c9f3 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fff3e1af4d0)
    at /home/malcolm/srcfphpbuild/php5-5.2.3/Zend/zend_vm_execute.h:2030
#7 0x0000000000667bdc in execute (op_array=0xd865c0) at /home/malcolm/srcfphpbuild/php5-5.2.3/Zend/zend_vm_execute.h:92
#8 0x000000000066c9f3 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fff3e1b10c0)
    at /home/malcolm/srcfphpbuild/php5-5.2.3/Zend/zend_vm_execute.h:2030
#9 0x0000000000667bdc in execute (op_array=0xd82d38) at /home/malcolm/srcfphpbuild/php5-5.2.3/Zend/zend_vm_execute.h:92
#10 0x00000000006488b3 in zend_execute_scripts (type=32767, retval=0x0, file_count=3)
    at /home/malcolm/srcfphpbuild/php5-5.2.3/Zend/zend.c:1134
#11 0x00000000006067f8 in php_execute_script (primary_file=Cannot access memory at address 0x80003e1b0138
) at /home/malcolm/srcfphpbuild/php5-5.2.3/main/main.c:1794
#12 0x00000000006ca99f in main (argc=1041979768, argv=0x0) at /home/malcolm/srcfphpbuild/php5-5.2.3/sapi/cgi/cgi_main.c:1735

This corroborates uwe's comment that something is going wrong in the session handling code.

The problem occurs due to 204-start-session-cookies.patch: the change at line 1098 of ext/session/session.c from
       smart_str_appends(&ncookie, PS(session_name));
to
       e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)), NULL);
       smart_str_appends(&ncookie, e_session_name);
is what's causing the crash.

Currently working on a fix.

Changed in php5:
status: Incomplete → Confirmed
Malcolm Scott (malcscott) wrote:

Got it! The necessary header for php_url_encode wasn't included, and the implicit declaration wasn't quite right. The following patch appears to stop the segfaults:

--- ext/session/session.c.orig 2007-12-01 05:41:38.502160889 +0000
+++ ext/session/session.c 2007-12-01 05:27:50.052388781 +0000
@@ -46,6 +46,7 @@
 #include "ext/standard/php_rand.h" /* for RAND_MAX */
 #include "ext/standard/info.h"
 #include "ext/standard/php_smart_str.h"
+#include "ext/standard/url.h"

 #include "mod_files.h"
 #include "mod_user.h"
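Review bot: the missing include is the right fix, but the changelog for the upload should record why a header fixes a segfault: with ext/standard/url.h absent, php_url_encode was implicitly declared as returning int, so on amd64 its 64-bit char * return was cut to 32 bits and sign-extended before smart_str_appends passed it to strlen, which matches the ffffffffa0239a60 fault address in the description and the amd64-only reports in this thread. To stop the next backported patch landing the same way, build with -Werror=implicit-function-declaration or at least grep the build log for "implicit declaration of function". Also confirm that e_session_name is efree()'d after it is appended: the snippet quoted above shows the allocation from php_url_encode but not its release.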

Kees Cook (kees) wrote:

Excellent work tracking this down! I will get the new version compiled and published.

Changed in php5:
assignee: nobody → keescook
importance: Undecided → High
Kees Cook (kees) wrote:

I have not been able to reproduce this problem still. My configuration is:

 - php5-cgi in use via mod_actions
 - phpmyadmin installed with default apache.conf Included in default site config

I have been logging in and out of phpmyadmin without any crashes yet. How is your system configured?

Malcolm Scott (malcscott) wrote:

My configuration is essentially the same as yours (I removed the Alias line from /etc/phpmyadmin/apache.conf and used a symlink instead, but I doubt that affects the bug). What arch are you using -- perhaps the bug only manifests itself on amd64?

I did also find that certain things would cause the bug to disappear temporarily, e.g. I could not reproduce the bug running php5-cgi under gdb.
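The amd64-only behaviour Malcolm suspects above has a well-known mechanism, modelled here as an added example (not code from the bug report, from PHP or from Ubuntu). A function called with no prototype in scope is implicitly declared as returning int, so on LP64 the 64-bit char * that php_url_encode returns is kept as its low 32 bits and sign-extended back to a pointer; a high low-half produces exactly the 0xffffffff... fault address in the first kernel log line of the description, while i386 (where int and pointers are both 32 bits) loses nothing. The program models that truncation and runs a small classifier over the three dmesg lines quoted in the description (copied from the report as sample input). All function names are mine; reconstruct_pointer is a heuristic and assumes the lost allocation shared a 4 GiB window with the libc mapping the rip points into.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel log lines copied from the bug description, used as sample input. */
static const char *const sample_lines[] = {
    "Nov 30 13:20:41 pip kernel: [2049612.462000] php5-cgi[3740]: segfault at ffffffffa0239a60 rip 00002aee99db8b50 rsp 00007fff13250558 error 4",
    "Nov 30 13:20:44 pip kernel: [2049615.858235] php5-cgi[3828]: segfault at 000000007cee2a48 rip 00002b0a7f3feb50 rsp 00007fff2dc0a478 error 4",
    "Nov 30 13:20:46 pip kernel: [2049617.016314] php5-cgi[3838]: segfault at 00000000267a65c8 rip 00002b0928cd3b50 rsp 00007fff8433d1b8 error 4",
};
#define NSAMPLES (sizeof sample_lines / sizeof sample_lines[0])

/* What a caller compiled without a prototype receives on LP64 (amd64).
 * C89 assumes an undeclared function returns int, so the 64-bit pointer the
 * callee leaves in %rax is kept only as its low 32 bits (%eax) and then
 * sign-extended when the caller converts that int back into a pointer.
 * On ILP32 (i386) int and pointers are both 32 bits, so the same source bug
 * is silent there. */
uint64_t implicit_int_return(uint64_t real_pointer)
{
    uint32_t low = (uint32_t)real_pointer;   /* %rax truncated to %eax */
    int32_t as_int;
    memcpy(&as_int, &low, sizeof as_int);    /* reinterpret the bits as a signed int */
    return (uint64_t)(int64_t)as_int;        /* int -> pointer conversion sign-extends */
}

/* Strong signature of a sign-extended truncated pointer: upper 32 bits all
 * ones.  User-space addresses on amd64 never look like that, so a fault at
 * 0xffffffffXXXXXXXX in a user process is a negative int widened to 64 bits. */
int is_sign_extended_int(uint64_t fault_addr)
{
    return (fault_addr >> 32) == 0xffffffffu;
}

/* Heuristic reconstruction of the original pointer: keep the fault's low
 * 32 bits and borrow the upper 32 bits from a nearby known mapping (here the
 * faulting rip inside libc).  Assumption: the lost allocation and that
 * mapping sit in the same 4 GiB window. */
uint64_t reconstruct_pointer(uint64_t fault_addr, uint64_t nearby_mapping)
{
    return (nearby_mapping & ~(uint64_t)0xffffffffu) | (fault_addr & 0xffffffffu);
}

/* Extract the "segfault at" and "rip" addresses from one kernel log line.
 * Returns 0 on success, -1 if the line is not a segfault report. */
int parse_segfault_line(const char *line, uint64_t *fault_addr, uint64_t *rip)
{
    const char *at = strstr(line, "segfault at ");
    const char *ip = strstr(line, " rip ");
    if (!at || !ip)
        return -1;
    *fault_addr = strtoull(at + strlen("segfault at "), NULL, 16);
    *rip = strtoull(ip + strlen(" rip "), NULL, 16);
    return 0;
}

/* Accessors over the sample table so the parser can be checked by index;
 * an out-of-range index or unparsable line yields 0. */
uint64_t sample_fault_addr(size_t idx)
{
    uint64_t f = 0, r = 0;
    if (idx >= NSAMPLES || parse_segfault_line(sample_lines[idx], &f, &r) != 0)
        return 0;
    return f;
}

uint64_t sample_rip(size_t idx)
{
    uint64_t f = 0, r = 0;
    if (idx >= NSAMPLES || parse_segfault_line(sample_lines[idx], &f, &r) != 0)
        return 0;
    return r;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++) {
        uint64_t fault = sample_fault_addr(i), rip = sample_rip(i);
        printf("fault %016" PRIx64 "  rip %016" PRIx64 "  ", fault, rip);
        if (is_sign_extended_int(fault))
            printf("sign-extended int; original pointer likely %016" PRIx64 "\n",
                   reconstruct_pointer(fault, rip));
        else if ((fault >> 32) == 0)
            printf("zero-extended positive int (possibly a truncated pointer)\n");
        else
            printf("not consistent with int truncation\n");
    }
    return 0;
}
```

Only the first line carries the unambiguous signature; the other two faults have a clear upper half and could equally be genuine low addresses, so the classifier reports them as "possibly" truncated rather than asserting it. Running php5-cgi under gdb changing the outcome, as Malcolm notes, is consistent with this picture: whether the truncated value happens to land on a mapped page depends on where the allocator placed the string, which differs from run to run.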

lamyseba (lamyseba) wrote:

Hi, I've got almost the same bug on amd64.
Like it does for uwe, phpmyadmin crashes on the start page (which is quite annoying).

Here is the kind of message in /var/log/apache2/error.log when trying to access phpmyadmin
[Sun Dec 02 13:25:46 2007] [notice] child pid 5622 exit signal Segmentation fault (11)
[Sun Dec 02 13:25:46 2007] [notice] child pid 5623 exit signal Segmentation fault (11)
[Sun Dec 02 13:25:46 2007] [notice] child pid 5624 exit signal Segmentation fault (11)

Downgrading to php5 5.2.3-1ubuntu6 solved the problem, but was quite difficult as I'm just a newbie.

I did reinstall full apache, but do not believe this is necessary. I think the following lines are enough to downgrade:

sudo apt-get autoremove php5-common
sudo apt-get install php5-common=5.2.3-1ubuntu6
sudo apt-get install libapache2-mod-php5=5.2.3-1ubuntu6
sudo apt-get install php5-mysql=5.2.3-1ubuntu6

sudo /etc/init.d/apache2 restart

As you can see, I did not install php5-cgi, so I think the bug is not due to this package. But I think you should reinstall any package linked to php5-common with the =5.2.3-1ubuntu6 option to downgrade and get rid of any bug that appeared with this recent upgrade.
I think this bug only occurs with the 64-bit version, since it was not reported by a lot of people, though it is very annoying for all of those using phpmyadmin.

I do not understand how to solve this without downgrading (self-compiling a package is beyond my scope), so I hope the patch will be available very soon in Adept Updater.

Kees Cook (kees) wrote:

I've finally been able to reproduce this issue. I will be testing the fixes shortly.

Kees Cook (kees) wrote:

Confirmed that the proposed change fixes the segfaults. Additionally, this only affects Gutsy, not Dapper, Edgy, Feisty. Thanks again for hunting down the problem! This has been uploaded to the security queue and should be published shortly.

Changed in php5:
status: Confirmed → Fix Committed
uwe (uwe-walter) wrote:

@Malcolm and @Kees.

Great job!!! Thank you very much, now I can go on working.

Greetz from Germany.

Kees Cook (kees) wrote:
Changed in php5:
status: Fix Committed → Fix Released
Sampo Niskanen (sampo-niskanen) wrote:

I'm sorry to inform you that the current patch (5.2.3-1ubuntu6.2) does not fix segfaults for me.

I have several wikis running on a single phpwiki installation, for several years now. Immediately after upgrading to Gutsy they stopped working, and every access to any of their pages causes a line in /var/log/apache/error.log:

[Tue Dec 04 09:47:13 2007] [notice] child pid 16077 exit signal Segmentation fault (11)

I was excited to see the update this morning, but it didn't fix anything. (I've also tried manually restarting apache without avail.) There is no relevant data in /var/crash. On the other hand, I do have an installation of Mediawiki which has worked fine also after the upgrade to Gutsy.

(I don't think it's related, but after the upgrade apache would not at first start at all, because /etc/apache2/mods-available/php4.load was trying to load php4 modules that didn't exist. Removing the files /etc/apache2/*/php4* fixed this problem.)

Hugues Fournier (hugues-fournier) wrote:

This problem probably affects every other version from Dapper to Feisty too (even though I have no evidence of that on one of my Feisty servers), as the header is absent from the session.c of each other Ubuntu release.

Hugues Fournier (hugues-fournier) wrote:

Sorry, I had not seen Kees' comment (comment #15). Sorry for the noise too.

Kees Cook (kees) wrote:

Sampo, please open a new bug... something else must be going on since the originally reported problem seems to be fixed at least for some people. I'm worried about your report since you mentioned you had php4 installed which isn't possible in gutsy -- it was removed in Feisty. Are other parts of your php configuration significantly changed compared to a base install? (Please discuss that in the new bug report...) Thanks! We'll try to get to the bottom of this. :)

tompasto (tompasto) wrote:

Hi, I have the same problem since I updated libapache2-mod-php5_5.2.1-0ubuntu1.5_amd64 (and also updated php5 and php5-cli).

I'm using the 7.04 x86 distribution in LAMP server mode.

I get segmentation faults in a few applications (occurring from time to time...).

I didn't find any release to fix this bug in this version. Do i have to force install the 5.2.3-1ubuntu6.1 version ??

How can i rollback the upgrade ?

Please HELP !

Sampo Niskanen (sampo-niskanen) wrote:

Actually, after searching the php bugs, I believe my segfault is that of bug #165247 since my phpwiki installation uses db4 for storage.

The php4-mixup is probably caused by some faulty installation script not removing the config files and not related to the current issue.

Kees Cook (kees) wrote:

For anyone still experiencing problems, please see bug 173817 and bug 165247. Further information (such as backtraces, steps to reproduce, etc) is needed in 173817.. Note that 165247's testcase crashes both with 5.2.3-1ubuntu6 and 5.2.3-1ubuntu6.2.

tompasto (tompasto) wrote:

OK, the problem was fixed with an upgrade from 7.04 to the 7.10 x64 server version.
In 7.10 the patch was available.

For now everything works fine.

This report contains Public Security information. Everyone can see this security related information.