segfault and apparent memory corruption in tsrm_virtual_cwd.c
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php5 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
I have an utterly reproducible segfault with php5-fpm 5.5.9+dfsg-
Here are the top 4 backtrace frames. It looks to these relatively naive eyes like there's memory corruption in cwd, resolved_path, trypath, and actual_path.
This trace was generated with realpath cache disabled, opcache disabled, etc. I've attached a full gdb bt, and will attach a core file next.
#0 virtual_file_ex (state=
path_length = <optimized out>
start = <optimized out>
ll = <error reading variable ll (Cannot access memory at address 0x7fffe66605d4)>
t = <error reading variable t (Cannot access memory at address 0x7fffe66605d8)>
ret = <optimized out>
add_slash = <optimized out>
tmp = <optimized out>
#1 0x000000000068b3a4 in tsrm_realpath (path=path@
new_state = {cwd = 0x356fed0 "", cwd_length = 0}
cwd = '\000' <repeats 40 times>, "p\334IT\
#2 0x0000000000692e50 in php_resolve_path (filename=0x774d240 "/home/
trypath = "\260\375V\
ptr = <optimized out>
end = <optimized out>
p = <optimized out>
actual_path = 0x68b3e9 <tsrm_realpath+281> "H\211\
wrapper = <optimized out>
#3 0x000000000054c6e5 in phar_find_
try_len = 13289150
path = 0xcac6be <php_execute.
fname = <optimized out>
arch = 0x7f77c6f5dc48 " \334y"
entry = 0xcac6ba <php_function.
ret = 0x0
test = <optimized out>
arch_len = 0
entry_len = 0
fname_len = <optimized out>
ret_len = <optimized out>
phar = 0xcac6bc <php_execute.
#4 0x000000000079bb96 in ZEND_INCLUDE_
file_handle = {type = 25021472, filename = 0xcc91a0 <executor_globals> "", opened_path = 0x779e1f8 "", handle = {fd = 7984485, fp = 0x79d565 <zend_do_
opline = 0x7f77c6f5dfa8
information type: Public → Public Security
This is the core dump.