Ubuntu

Segmentation fault in php5-sybase

Reported by Kurt Huwig on 2010-07-29
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: php5

I get a segmentation fault within php_mssql.c:

Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f825deca3fc in php_mssql_do_connect (ht=0, return_value=0x7f8268cfa668, return_value_ptr=0x7fff004a36f8, this_ptr=0x7fff004a3700, return_value_used=4864176, persistent=0)
    at /build/buildd/php5-5.3.2/ext/mssql/php_mssql.c:590
590 /build/buildd/php5-5.3.2/ext/mssql/php_mssql.c: No such file or directory.
        in /build/buildd/php5-5.3.2/ext/mssql/php_mssql.c
(gdb) bt
#0 0x00007f825deca3fc in php_mssql_do_connect (ht=0, return_value=0x7f8268cfa668, return_value_ptr=0x7fff004a36f8, this_ptr=0x7fff004a3700, return_value_used=4864176, persistent=0)
    at /build/buildd/php5-5.3.2/ext/mssql/php_mssql.c:590
#1 0x00007f825decb8a6 in zif_mssql_select_db (ht=0, return_value=0x7f8268cfa668, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /build/buildd/php5-5.3.2/ext/mssql/php_mssql.c:870
#2 0x00007f826369ec7a in zend_do_fcall_common_helper_SPEC (execute_data=0x7f8268f61f80) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:313
#3 0x00007f8263675f60 in execute (op_array=0x7f82686ffde0) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:104
#4 0x00007f826364dc8d in zend_execute_scripts (type=32642, retval=0x7fff004a3b20, file_count=3) at /build/buildd/php5-5.3.2/Zend/zend.c:1266
#5 0x00007f82635f98f8 in php_execute_script (primary_file=0x7fff004a2c18) at /build/buildd/php5-5.3.2/main/main.c:2288
#6 0x00007f82636daf2d in php_handler (r=0x7f82636daf2d) at /build/buildd/php5-5.3.2/sapi/apache2handler/sapi_apache2.c:674
#7 0x00007f826749e140 in ap_run_handler (r=0x7f826872e1d8) at /build/buildd/apache2-2.2.14/server/config.c:159
#8 0x00007f82674a1aa8 in ap_invoke_handler (r=0x7f826872e1d8) at /build/buildd/apache2-2.2.14/server/config.c:373
#9 0x00007f82674af49c in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>) at /build/buildd/apache2-2.2.14/modules/http/http_request.c:501
#10 0x00007f8260c96c95 in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#11 0x00007f826749e140 in ap_run_handler (r=0x7f826872bfc8) at /build/buildd/apache2-2.2.14/server/config.c:159
#12 0x00007f82674a1aa8 in ap_invoke_handler (r=0x7f826872bfc8) at /build/buildd/apache2-2.2.14/server/config.c:373
#13 0x00007f82674af678 in ap_process_request (r=0x7f826872bfc8) at /build/buildd/apache2-2.2.14/modules/http/http_request.c:282
#14 0x00007f82674ac528 in ap_process_http_connection (c=0x7f8268723f58) at /build/buildd/apache2-2.2.14/modules/http/http_core.c:190
#15 0x00007f82674a5cf8 in ap_run_process_connection (c=0x7f8268723f58) at /build/buildd/apache2-2.2.14/server/connection.c:43
#16 0x00007f82674b4037 in child_main (child_num_arg=<value optimized out>) at /build/buildd/apache2-2.2.14/server/mpm/prefork/prefork.c:662
#17 0x00007f82674b434a in make_child (s=0x7f826832d938, slot=49) at /build/buildd/apache2-2.2.14/server/mpm/prefork/prefork.c:758
#18 0x00007f82674b467b in startup_children (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /build/buildd/apache2-2.2.14/server/mpm/prefork/prefork.c:776
#19 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /build/buildd/apache2-2.2.14/server/mpm/prefork/prefork.c:997
#20 0x00007f826748a350 in main (argc=3, argv=0x7fff004a6598) at /build/buildd/apache2-2.2.14/server/main.c:742

I had to downgrade to 5.3.2-1ubuntu4 to be able to install the debug symbols due to bug #611305. But the segfault happens with 5.3.2-1ubuntu4.2 as well.

Clint Byrum (clint-fewbar) wrote :

Hi Kurt, thanks for another bug report and your continued interest in making Ubuntu great. :)

Is it possible that this is related to bug #602689 ? Is this on the same machine referenced there?

Is there a small snippet of PHP code we can use to test this?

Does it fail without actually connecting to a Sybase/MS SQL server? Its difficult to obtain access to one of these servers, so those two bits of information would be very helpful in determining the nature of this bug.

Marking Incomplete, please return to "New" status after providing more information.

Thanks!

Changed in php5 (Ubuntu):
status: New → Incomplete
Clint Byrum (clint-fewbar) wrote :

Hi Kurt, its been a little over a month. Any chance you've been able to look at this again?

Thanks.

Kurt Huwig (k-huwig) wrote :
Download full text (4.1 KiB)

Hi Clint,

I just put another 3 hours into it:

The bug happens in this source code line:

        if(passwd_len>255) {
                passwd[255] = '\0';
        }

of php_mssql_do_connect. I found this out by disassembling the code in the core dump:

Dump of assembler code for function php_mssql_do_connect:
   0x00007f1d4804c330 <+0>: push %r14
   0x00007f1d4804c332 <+2>: push %r13
   0x00007f1d4804c334 <+4>: push %r12
   0x00007f1d4804c336 <+6>: mov %r9d,%r12d
   0x00007f1d4804c339 <+9>: push %rbp
   0x00007f1d4804c33a <+10>: mov %edi,%ebp
   0x00007f1d4804c33c <+12>: push %rbx
   0x00007f1d4804c33d <+13>: mov %rsi,%rbx
   0x00007f1d4804c340 <+16>: lea 0x2ef8(%rip),%rsi # 0x7f1d4804f23f
   0x00007f1d4804c347 <+23>: sub $0xc0,%rsp
   0x00007f1d4804c34e <+30>: mov %fs:0x28,%rax
   0x00007f1d4804c357 <+39>: mov %rax,0xb8(%rsp)
   0x00007f1d4804c35f <+47>: xor %eax,%eax
   0x00007f1d4804c361 <+49>: lea 0x8f(%rsp),%rax
   0x00007f1d4804c369 <+57>: lea 0x88(%rsp),%rcx
   0x00007f1d4804c371 <+65>: lea 0x78(%rsp),%rdx
   0x00007f1d4804c376 <+70>: lea 0x84(%rsp),%r9
   0x00007f1d4804c37e <+78>: lea 0x70(%rsp),%r8
   0x00007f1d4804c383 <+83>: movq $0x0,0x78(%rsp)
   0x00007f1d4804c38c <+92>: mov %rax,0x10(%rsp)
   0x00007f1d4804c391 <+97>: lea 0x80(%rsp),%rax
   0x00007f1d4804c399 <+105>: movq $0x0,0x70(%rsp)
   0x00007f1d4804c3a2 <+114>: movq $0x0,0x68(%rsp)
   0x00007f1d4804c3ab <+123>: movb $0x0,0x8f(%rsp)
   0x00007f1d4804c3b3 <+131>: mov %rax,0x8(%rsp)
   0x00007f1d4804c3b8 <+136>: lea 0x68(%rsp),%rax
   0x00007f1d4804c3bd <+141>: mov %rax,(%rsp)
   0x00007f1d4804c3c1 <+145>: xor %eax,%eax
   0x00007f1d4804c3c3 <+147>: callq 0x7f1d4804a768 <zend_parse_parameters@plt>
   0x00007f1d4804c3c8 <+152>: cmp $0xffffffffffffffff,%eax
   0x00007f1d4804c3cb <+155>: je 0x7f1d4804c7b3 <php_mssql_do_connect+1155>
   0x00007f1d4804c3d1 <+161>: cmpl $0xff,0x88(%rsp)
   0x00007f1d4804c3dc <+172>: jle 0x7f1d4804c3ea <php_mssql_do_connect+186>
   0x00007f1d4804c3de <+174>: mov 0x78(%rsp),%rax
   0x00007f1d4804c3e3 <+179>: movb $0x0,0xff(%rax)
   0x00007f1d4804c3ea <+186>: cmpl $0xff,0x84(%rsp)
   0x00007f1d4804c3f5 <+197>: jle 0x7f1d4804c403 <php_mssql_do_connect+211>
   0x00007f1d4804c3f7 <+199>: mov 0x70(%rsp),%rax
   0x00007f1d4804c3fc <+204>: movb $0x0,0xff(%rax)
   0x00007f1d4804c403 <+211>: cmpl $0xff,0x80(%rsp)
   0x00007f1d4804c40e <+222>: jle 0x7f1d4804c41c <php_mssql_do_connect+236>
   0x00007f1d4804c410 <+224>: mov 0x68(%rsp),%rax
=> 0x00007f1d4804c415 <+229>: movb $0x0,0xff(%rax)
   0x00007f1d4804c41c <+236>: cmp $0x4,%ebp
   0x00007f1d4804c41f <+239>: jbe 0x7f1d4804c7e0 <php_mssql_do_connect+1200>
   0x00007f1d4804c425 <+245>: cmpq $0x0,0x60(%rsp)
   0x00007f1d4804c42b <+251>: lea 0x2e3a(%rip),%rdx # 0x7f1d4804f26c
   0x00007f1d4804c432 <+258>: je 0x7f1d4804c92f <php_mssql_do_connect+1535>
   0x00007f1d4804c438 <+264>: mov 0x206d2a(%rip),%edi # 0x7f1d48253168 <mssql_globals+104...

Read more...

Kurt Huwig (k-huwig) wrote :

Some side note: the debug symbols do not match the source code. According to the disassembly, the segfault happened in

/build/buildd/php5-5.3.2/ext/mssql/php_mssql.c:561

but gdb shows

/build/buildd/php5-5.3.2/ext/mssql/php_mssql.c:593

I will add this to Bug #611305

Dave Walker (davewalker) wrote :

Based on the comment #1 from Kurt - marking this triaged.

Changed in php5 (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Triaged
Clint Byrum (clint-fewbar) wrote :

Kurt, great work!

I just tested this on maverick, and indeed, this produces the segfault, but it does it no matter what, if you skip any of the string parameters:

clint@ubuntu:~$ php -r 'mssql_connect("");'
Segmentation fault

In fact, this happens with a vanilla compiled PHP 5.3.3 as well:

This logic in php_mssql.c is actually pretty wrong:

        char *host = NULL, *user = NULL, *passwd = NULL;
        int host_len, user_len, passwd_len;
        zend_bool new_link = 0;
        char *hashed_details;
        int hashed_details_length;
        mssql_link mssql, *mssql_ptr;
        char buffer[40];

        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sssb", &host, &host_len, &user, &user_len, &passwd, &passwd_len, &new_link) == FAILURE) {
                return;
        }

        /* Limit strings to 255 chars to prevent overflow issues in underlying libraries */
        if(host_len>255) {
                host[255] = '\0';
        }
        if(user_len>255) {
                user[255] = '\0';
        }
        if(passwd_len>255) {
                passwd[255] = '\0';
        }

zend_parse_args() won't modify the length or content if the variables aren't passed, so its trying to dereference a NULL pointer there, as host_len is still set to whatever random value might have been given to it.

I forwarded this upstream,

http://bugs.php.net/bug.php?id=52843

I included a patch there. Will submit a merge proposal as well.

Changed in php5 (Ubuntu):
assignee: nobody → Clint Byrum (clint-fewbar)
status: Triaged → In Progress
tags: added: patch-accepted-upstream
Kees Cook (kees) on 2010-12-06
Changed in php5 (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.3-1ubuntu11

---------------
php5 (5.3.3-1ubuntu11) natty; urgency=low

  * Add debian/patches/mssql-fix-segfault.patch: Fixes segfault on missing
    parameters for mssql. Upstream php bug #52843 and LP: #611316.
 -- Clint Byrum <email address hidden> Fri, 03 Dec 2010 23:45:19 -0800

Changed in php5 (Ubuntu):
status: Fix Committed → Fix Released
Clint Byrum (clint-fewbar) wrote :

Marking confirmed in Lucid and Maverick, as this affects php 5.3.3 unless it has this patch.

Changed in php5 (Ubuntu):
assignee: Clint Byrum (clint-fewbar) → nobody
Changed in php5 (Ubuntu Maverick):
status: New → Confirmed
Changed in php5 (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in php5 (Ubuntu Maverick):
importance: Undecided → Medium
no longer affects: php5 (Ubuntu Lucid)
no longer affects: php5 (Ubuntu Maverick)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.