segfaults from 5.2.4-2ubuntu5.15

Bug #776642 reported by pwolanin on 2011-05-03
This bug affects 6 people

Affects: php5 (Ubuntu)
Importance: High
Assigned to: Steve Beattie
Nominated for Dapper by Steve Beattie
Nominated for Hardy by Steve Beattie

Bug Description

Binary package hint: php5

After upgrading from 5.2.4-2ubuntu5.14 to 5.2.4-2ubuntu5.15 we are experiencing a segfault in PHP code that has been running fine for many months on Ubuntu 8.04.

Looking at the patches added to this release, my initial guess is that it relates to the backport of this fix: http://bugs.php.net/52879

The segfault occurs in this code:
http://drupalcode.org/project/apachesolr.git/blob/c41231e49f06ab32bb48f34c4a4dc0f21162321d:/apachesolr.index.inc

at line 150's function call.

The two adjacent function signatures are very similar:

function apachesolr_add_tags_to_document(&$document, $text) {
function apachesolr_add_taxonomy_to_document(&$document, $node) {

However, if I remove the & from the 2nd one, the segfault goes away:

function apachesolr_add_taxonomy_to_document($document, $node) {

The class of the $document object is this:

http://code.google.com/p/solr-php-client/source/browse/trunk/Apache/Solr/Document.php?r=15

And you'll note that it implements __get(), __set(), __isset(), and __unset()
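
As an added, constructed illustration (not the attached test.php, whose contents are not on this page), the following PHP script has the shape the description gives: an object implementing __get(), __set(), __isset() and __unset(), passed by reference into a function that writes fields through __set(), with __LINE__ markers printed before, inside and after the call so that a crash on return shows up as a missing marker, which is how the reduced test case later in the thread localised it. Class and function names are assumptions standing in for Apache_Solr_Document and apachesolr_add_taxonomy_to_document(); it was not run against 5.2.4-2ubuntu5.15 here, so treat it as a regression check for a fixed build rather than a confirmed reproducer.

```php
<?php
// Added example for this report, not the attached test.php (whose contents
// are not in the report). Class and function names are assumptions that
// stand in for Apache_Solr_Document and apachesolr_add_taxonomy_to_document().

// Minimal Document-like container implementing all four property
// overloading methods, as the solr-php-client Document class does.
class MagicDocument {
  private $_fields = array();

  public function __get($key) {
    return isset($this->_fields[$key]) ? $this->_fields[$key] : null;
  }

  public function __set($key, $value) {
    $this->_fields[$key] = $value;
  }

  public function __isset($key) {
    return isset($this->_fields[$key]);
  }

  public function __unset($key) {
    unset($this->_fields[$key]);
  }

  public function getFieldNames() {
    return array_keys($this->_fields);
  }
}

// Collects term ids and names from a node, so that the two variants below
// differ only in how $document is passed.
function collect_terms($node) {
  $tids = array();
  $names = array();
  foreach ($node->taxonomy as $term) {
    $tids[] = $term->tid;
    $names[] = $term->name;
  }
  return array($tids, $names);
}

// By-reference signature, as in the crashing Drupal function. In PHP 5 the
// object handle is already shared, so the & buys nothing; removing it is
// the workaround the reporter describes.
function add_taxonomy_to_document(&$document, $node) {
  list($tids, $names) = collect_terms($node);
  if (isset($document->tid)) {      // goes through __isset()
    unset($document->tid);          // goes through __unset()
  }
  $document->tid = $tids;           // goes through __set()
  $document->taxonomy_names = $names;
  echo __LINE__, "\n";
}

// Same body with $document taken by value.
function add_taxonomy_to_document_byval($document, $node) {
  list($tids, $names) = collect_terms($node);
  $document->tid = $tids;
  $document->taxonomy_names = $names;
  echo __LINE__, "\n";
}

// Constructed input: a node carrying two taxonomy terms.
$node = new stdClass();
$node->taxonomy = array(
  (object) array('tid' => 7, 'name' => 'security'),
  (object) array('tid' => 9, 'name' => 'php'),
);

$document = new MagicDocument();
$document->nid = 42;                // also goes through __set()

echo __LINE__, "\n";
add_taxonomy_to_document($document, $node);
echo __LINE__, "\n";   // the marker that goes missing if the return from the call crashes
echo implode(',', $document->getFieldNames()), "\n";

$document2 = new MagicDocument();
add_taxonomy_to_document_byval($document2, $node);
echo implode(',', $document2->getFieldNames()), "\n";
```

On a build with the fix, `php test.php` prints the three line markers around the by-reference call followed by `nid,tid,taxonomy_names`, then the marker and `tid,taxonomy_names` for the by-value call. If the marker after the by-reference call is missing and the process ends with a segmentation fault, the build still carries the reference-counting regression; running the script under valgrind, as done later in this thread, localises the invalid read.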

pwolanin (pwolanin) wrote :

Attached is a reasonably minimal test file. You also need to have the Document.php file in the same directory:

svn export http://solr-php-client.googlecode.com/svn/trunk/Apache/Solr/Document.php@22

Running test.php is sufficient to cause a segfault.

# php --version
PHP 5.2.4-2ubuntu5.15 with Suhosin-Patch 0.9.6.2 (cli) (built: Apr 28 2011 14:41:00)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

# php test.php
Segmentation fault

# tail /var/log/syslog:

2011-05-03T19:43:55+00:00 kern.info web-50 kernel: [49000.621496] php[13034]: segfault at 29c200e1 rip 675326 rsp 7fff0ad7c9a0 error 4

Barry Jaspan (barry-jaspan) wrote :

I reduced this to a much smaller test case. The output of the attached script is:

# php test.php
18
20
32
Segmentation fault

This suggests the segfault is happening during the return from function add_taxonomy_to_document().

# uname -a
Linux web-98.bjaspan.hosting.acquia.com 2.6.24-10-xen #1 SMP Tue Sep 8 19:06:53 UTC 2009 i686 GNU/Linux
# php -v
PHP 5.2.4-2ubuntu5.15 with Suhosin-Patch 0.9.6.2 (cli) (built: Apr 28 2011 14:43:25)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

Barry Jaspan (barry-jaspan) wrote :

We've confirmed this on a 32- and 64-bit Ubuntu 8.04 EC2 instance.

Barry Jaspan (barry-jaspan) wrote :

valgrind confirms the error and provides a stack trace:

# valgrind php test.php
... lots of uninitialized memory references reported here ...
18
20
32
==29381==
==29381== Invalid read of size 1
==29381== at 0x82E5B81: zend_objects_store_del_ref_by_handle (in /usr/bin/php5)
==29381== by 0x82E5D57: zend_objects_store_del_ref (in /usr/bin/php5)
==29381== by 0x82C6120: _zval_dtor_func (in /usr/bin/php5)
==29381== by 0x82B8FC7: _zval_ptr_dtor (in /usr/bin/php5)
==29381== by 0x82D1943: zend_hash_clean (in /usr/bin/php5)
==29381== by 0x82F69FE: (within /usr/bin/php5)
==29381== by 0x82E7957: execute (in /usr/bin/php5)
==29381== by 0x82C6522: zend_execute_scripts (in /usr/bin/php5)
==29381== by 0x827C20F: php_execute_script (in /usr/bin/php5)
==29381== by 0x8358D19: main (in /usr/bin/php5)
==29381== Address 0x739195d9 is not stack'd, malloc'd or (recently) free'd
==29381==
==29381== Process terminating with default action of signal 11 (SIGSEGV)
==29381== Access not within mapped region at address 0x739195D9
==29381== at 0x82E5B81: zend_objects_store_del_ref_by_handle (in /usr/bin/php5)
==29381== by 0x82E5D57: zend_objects_store_del_ref (in /usr/bin/php5)
==29381== by 0x82C6120: _zval_dtor_func (in /usr/bin/php5)
==29381== by 0x82B8FC7: _zval_ptr_dtor (in /usr/bin/php5)
==29381== by 0x82D1943: zend_hash_clean (in /usr/bin/php5)
==29381== by 0x82F69FE: (within /usr/bin/php5)
==29381== by 0x82E7957: execute (in /usr/bin/php5)
==29381== by 0x82C6522: zend_execute_scripts (in /usr/bin/php5)
==29381== by 0x827C20F: php_execute_script (in /usr/bin/php5)
==29381== by 0x8358D19: main (in /usr/bin/php5)
==29381==

Steve Beattie (sbeattie) wrote :

Thanks for reporting this bug and coming up with a nice, small test case to reproduce it. I've confirmed that it's an issue for 8.04 LTS and 6.06 LTS and I've pulled a patch from upstream's subversion (http://svn.php.net/viewvc?view=revision&revision=267423) that fixes the test case locally (attached).

I've uploaded a test package for 8.04 LTS based on this fix (and the one for bug 774452) to the security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/. I'd appreciate it if someone could confirm that the package fixes it for the more complex code that triggered it initially.

Thanks for your patience and my apologies for introducing this regression.

Changed in php5 (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Steve Beattie (sbeattie)

dnmvisser (dnmvisser) wrote :

Hi

I just ran into this bug. In hindsight a serious issue that started 3 days ago with one of our web apps seems to also be caused by this.
Just tested Steve's patched packages (5.2.4-2ubuntu5.17~lp776642) on our dev server and I can confirm they fix the problems for us.
Eagerly awaiting official updates....

Thanks!!

Matteo Panella (mpanella) wrote :

Hi

I just hit this regression with an instance of prestashop (segfault in zend_object_store_get_object).
I'm currently testing the updated packages in security-proposed PPA and they seem to work fine for me as well.

pwolanin (pwolanin) wrote :

We installed the php5 from the PPA above on a test server, and I can confirm the segfault is no longer triggered by either of the test cases above, nor by the original code where we saw the error.

test server info:

# uname -a
Linux web-41 2.6.24-10-xen #1 SMP Tue Sep 8 18:30:05 UTC 2009 x86_64 GNU/Linux

# php -v
PHP 5.2.4-2ubuntu5.17~lp776642 with Suhosin-Patch 0.9.6.2 (cli) (built: May 4 2011 09:21:29)

dnmvisser (dnmvisser) wrote :

I just went back to the previous version.

Since I remove packages from /var/cache/apt after update, I had to dig them up online, from:
https://launchpad.net/~ubuntu-security/+archive/ppa/+buildjob/2165886

I downloaded these and installed them manually with dpkg:

https://launchpad.net/~ubuntu-security/+archive/ppa/+buildjob/2165886/+files/php5-common_5.2.4-2ubuntu5.14_i386.deb
https://launchpad.net/~ubuntu-security/+archive/ppa/+buildjob/2165886/+files/libapache2-mod-php5_5.2.4-2ubuntu5.14_i386.deb

At the moment apt has a dependency problem because I did not download everything (php modules etc).
But I just postpone updating until the definitive fix is out.

I know that this is not the best way, but I did not know what exactly would happen if I install the proposed packages now, and then later want to remove them again...

Is there an ETA of an official release of this fix? Within 24 hours? Within a week?

We are trying to make plans as to whether or not to configure a temporary work around.

Thanks for the help,
Joey

Steve Beattie (sbeattie) wrote :

Joey: yes, I expect to release updated packages within the next 24 hours. Thanks.

tags: added: patch

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.17

---------------
php5 (5.2.4-2ubuntu5.17) hardy-security; urgency=low

  * debian/patches/php5-pear-CVE-2011-1144-regression.patch: fix
    mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452)
  * debian/patches/php5-CVE-2010-4697-regression.patch: fix regression
    in reference counting added by fix for CVE-2010-4697 (LP: #776642)
 -- Steve Beattie <email address hidden> Wed, 04 May 2011 01:45:03 -0700

Changed in php5 (Ubuntu):
status: In Progress → Fix Released