canary mismatch on efree()
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php5 (Ubuntu) | Confirmed | Medium | Unassigned | |
Bug Description
Binary package hint: php5
After spending some time researching this, I realize the root cause may not be in php itself (but might), but not knowing the root cause, I am reporting it here.
Environment: Ubuntu 8.04, PHP 5.2.4-2ubuntu5.9 with Suhosin-Patch 0.9.6.2, suhosin, xcache, xdebug, mysql, gd, curl, ffmpeg, cli. The server runs several vhosted sites. The problem occurs consistently on one line of one site only. The site in question runs Drupal, and the error is triggered by the Drupal webforms module (at the same line every time) upon a form submission.
Symptoms: After several days (3 to 14 days), the following error is reported:
```text
Jan 4 22:07:14 Garth suhosin[25113]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '67.141.28.120', file '/raid/
Jan 4 22:07:15 Garth suhosin[25116]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '67.141.28.120', file '/raid/
Jan 4 22:11:47 Garth suhosin[25119]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '68.42.206.239', file '/raid/
Jan 4 22:11:47 Garth suhosin[25141]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '68.42.206.239', file '/raid/
Jan 4 22:21:57 Garth suhosin[25154]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '67.141.28.49', file '/raid/
Jan 4 22:21:58 Garth suhosin[25139]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '67.141.28.49', file '/raid/
```
etc, etc.
Always at the exact same line number. At this point, anybody submitting any form on the site in question will trigger the error. Forms are an important aspect of the site, and this is breaking that functionality, as none of the forms work as expected. Restarting Apache temporarily solves/works around the problem.
Line 2201, which triggers the error: `return $strict ? filter_xss($string) : $string;`
The `filter_xss()` Drupal function that is referenced:
```php
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
  // site scripting issues on Internet Explorer 6.
  if (!drupal_
    return '';
  }
  // Store the input format
  _filter_
  // Remove NUL characters (ignored by some browsers)
  $string = str_replace(chr(0), '', $string);
  // Remove Netscape 4 JS entities
  $string = preg_replace(
  // Defuse all HTML entities (the replacement is the entity '&amp;', which the
  // report's rendering had decoded back to a bare '&')
  $string = str_replace('&', '&amp;', $string);
  // Change back only well-formed entities in our whitelist
  // Named entities
  $string = preg_replace(
  // Decimal numeric entities
  $string = preg_replace(
  // Hexadecimal numeric entities
  $string = preg_replace(
  return preg_replace_
    (
    <(?
    |                 # or
    <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
    |                 # or
    >                 # just a >
    )%x', '_filter_
}
```
This same site was moved from another Ubuntu 8.04 server with a very similar environment, and in almost 1 year, this error never occurred there.
```text
# apt-cache policy php5
php5:
  Installed: 5.2.4-2ubuntu5.9
  Candidate: 5.2.4-2ubuntu5.9
  Version table:
 *** 5.2.4-2ubuntu5.9 0
        500 http://
        500 http://
        100 /var/lib/
     5.2.4-2ubuntu5 0
        500 http://
```
```text
# php -v
PHP 5.2.4-2ubuntu5.9 with Suhosin-Patch 0.9.6.2 (cli) (built: Nov 26 2009 14:00:44)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
    with Xdebug v2.0.2, Copyright (c) 2002-2007, by Derick Rethans
    with Suhosin v0.9.22, Copyright (c) 2007, by SektionEins GmbH
```
```text
# lsb_release -rd
Description: Ubuntu 8.04.3 LTS
Release: 8.04
```
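The alert quoted in the report is raised by Suhosin's heap canaries. The following added C example (constructed for this page, not Suhosin's or PHP's code) sketches that mechanism: every block is bracketed by a known value that is verified when the block is freed, so a write past the end of the block is caught at free time instead of silently corrupting neighbouring heap data. The canary constant, the function names and the demo inputs are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration of canary-guarded allocation, not Suhosin's or PHP's code.
 * Real implementations randomize the canary per process; a fixed value keeps the demo simple. */
static const uint32_t CANARY = 0xC0FFEE42u;

typedef struct {
    size_t   size;  /* user-visible length of the block */
    uint32_t head;  /* canary in front of the user data */
} guard_header;

/* Allocate size bytes bracketed by a head canary (in the header) and a tail canary. */
void *guarded_alloc(size_t size) {
    unsigned char *raw = malloc(sizeof(guard_header) + size + sizeof(CANARY));
    if (raw == NULL) return NULL;
    guard_header *h = (guard_header *)raw;
    h->size = size;
    h->head = CANARY;
    unsigned char *user = raw + sizeof(guard_header);
    memcpy(user + size, &CANARY, sizeof(CANARY)); /* tail canary, may be unaligned */
    return user;
}

/* Free a guarded block. Returns 0 when both canaries are intact and the block was released,
 * 1 on a canary mismatch: the block is left unfreed because its neighbourhood is corrupt.
 * This is the point at which Suhosin logs "canary mismatch on efree()" and aborts the request. */
int guarded_free(void *p) {
    if (p == NULL) return 0;
    unsigned char *user = p;
    guard_header *h = (guard_header *)(user - sizeof(guard_header));
    uint32_t tail;
    memcpy(&tail, user + h->size, sizeof(tail));
    if (h->head != CANARY || tail != CANARY) return 1;
    free(h);
    return 0;
}

/* Copy input (with its NUL) into a guarded block of buf_size bytes and free it.
 * If buf_size is too small by up to sizeof(CANARY) bytes the copy lands in the tail canary
 * and is caught at free; larger overruns would hit real heap metadata, so they are refused. */
int demo_overflow(const char *input, size_t buf_size) {
    size_t needed = strlen(input) + 1;
    if (needed > buf_size + sizeof(CANARY)) return -2;
    char *buf = guarded_alloc(buf_size);
    if (buf == NULL) return -1;
    memcpy(buf, input, needed); /* unchecked length: the overflow this demo detects */
    return guarded_free(buf);
}
```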
Is there a difference in the architecture? There are some bugs in PHP triggered by 64-bit (amd64) arch.