zend_map_ptr opcache-less php8.1-fpm memory leak
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php8.1 (Ubuntu) | Fix Released | Undecided | Athos Ribeiro |
Jammy | Fix Released | Undecided | Athos Ribeiro |
Kinetic | Fix Released | Undecided | Athos Ribeiro |
Lunar | Fix Released | Undecided | Athos Ribeiro |
Bug Description
[ Impact ]
When opcache is off, php-fpm stores references to interned strings for class names in a map for every request. During the request clean-up phase, these strings and their references are cleaned up, but the map pointer is not reset. The map keeps getting larger as more class names are interned, resulting in high memory consumption (leakage) when too many classes are declared, given the php-fpm service runs for long periods (which should be expected).
[ Test plan ]
Set up php-fpm with opcache turned off:
# apt update && apt install -y php-fpm php apache2 php-ds
# a2enmod proxy_fcgi proxy
set /etc/apache2/
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html>
Options -Indexes +FollowSymLinks +MultiViews
Require all granted
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:
</FilesMatch>
ErrorLog ${APACHE_
CustomLog ${APACHE_
</VirtualHost>
Edit /etc/php/
opcache.enable=0
Restart the services
# systemctl restart apache2
# systemctl restart php8.1-fpm
Then, set a test page with
# echo '<?php phpinfo(); ?>' > /var/www/
and browse to IP_ADDR/test.php to ensure we are running FPM and opcache is off (just search for the info in this page).
Now, create the following test script:
create /var/www/
<?php
$set = new \Ds\Set();
for($i=
$random = substr(
$class_name = "C" . $random;
if($set-
continue;
}
$set->
var_dump(
eval("class $class_name {};");
}
and start performing requests for that script (e.g.,
# while true; do curl -sS http://
)
In affected systems, you should see the memory allocated to the fpm process slowly increasing indefinitely. A simple way to verify memory consumption would be through htop (e.g., "htop -p PID" to track php-fpm).
[ Where problems could occur ]
The proposed fix calls "zend_map_
Moreover, a larger change is being applied to the test suite to account for the changes in the map ptr so the fix can be tested. If any of the patches in our current delta (or from debian) indirectly changes the map ptr during the test run, we may experience test flakiness, although this is unlikely.
Finally, see the "Other info" section below.
[ Other info ]
The upstream bug which resulted in the proposed fix (https:/
This fix may be incomplete and we may need a follow-up leakage fix in the near future (users may continue to experience memory leakage).
[ Original message ]
The PHP-Team fixed a memory leak issue in the newest version: https:/
Changelog: https:/
Is it possible to get the fix also in the current supported php-fpm versions?
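For the verification step of the [ Test plan ] above, an added example (not part of the bug report or of the Ubuntu or PHP packaging) that samples VmRSS for one php-fpm worker PID from /proc and reports whether memory keeps growing after a warm-up, instead of watching htop by eye. The function names, the 2-sample warm-up and the 10% threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: decide whether a php-fpm worker's resident memory keeps
# growing while the test-plan request loop is running. Linux /proc only.

# rss_kb PID: print the VmRSS value (kB) from /proc/PID/status.
rss_kb() {
    awk '/^VmRSS:/ { print $2; found = 1 } END { exit !found }' "/proc/$1/status"
}

# growth_verdict SAMPLE...: print growing, stable or insufficient.
# WARMUP samples are skipped (a fresh worker grows until it settles);
# "growing" needs a rise above THRESHOLD_PCT with at least half the steps upward.
# Both defaults are assumptions for this example, not values from the bug.
growth_verdict() {
    printf '%s\n' "$@" | awk -v w="${WARMUP:-2}" -v pct="${THRESHOLD_PCT:-10}" '
        NR > w && $1 > 0 { s[++n] = $1 }
        END {
            if (n < 3) { print "insufficient"; exit }
            up = 0
            for (i = 2; i <= n; i++) if (s[i] > s[i-1]) up++
            rise = (s[n] - s[1]) * 100 / s[1]
            print ((rise > pct && up * 2 >= n - 1) ? "growing" : "stable")
        }'
}

# monitor PID [COUNT] [INTERVAL_SECONDS]: sample, log to stderr, print verdict.
# Fails if the worker exits mid-run (e.g. recycled by pm.max_requests), since
# samples from two different processes cannot be compared.
monitor() {
    pid=$1 count=${2:-30} interval=${3:-10} samples="" i=0
    while [ "$i" -lt "$count" ]; do
        kb=$(rss_kb "$pid" 2>/dev/null) || { echo "pid $pid gone or has no VmRSS" >&2; return 1; }
        samples="$samples $kb"
        echo "$(date +%T) pid=$pid rss_kb=$kb" >&2
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
    growth_verdict $samples   # unquoted on purpose: one argument per sample
}

# Run only when a PID is given: sh fpm-rss.sh PID [COUNT] [INTERVAL_SECONDS]
if [ "$#" -ge 1 ]; then
    monitor "$@"
fi
```

Run it against a single worker PID while the curl loop from the test plan is active; a fixed package should settle on "stable" once the worker has warmed up.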
Related branches
- Canonical Server Reporter: Pending requested
Diff: 3205 lines (+2921/-0) (has conflicts), 23 files modified
debian/changelog (+146/-0)
debian/patches/0046-Fix-ssl3-unexpected-eof.patch (+76/-0)
debian/patches/0047-Update-gcc-func-attr-macro.patch (+29/-0)
debian/patches/0048-Clear-recorded-errors-before-executing-shutdown-func.patch (+461/-0)
debian/patches/0049-Preserve-file-position-when-php-temp-switches.patch (+64/-0)
debian/patches/CVE-2021-21708.patch (+49/-0)
debian/patches/CVE-2022-31625.patch (+70/-0)
debian/patches/CVE-2022-31626.patch (+21/-0)
debian/patches/CVE-2022-31627.patch (+353/-0)
debian/patches/CVE-2022-31628-1.patch (+92/-0)
debian/patches/CVE-2022-31628-2.patch (+54/-0)
debian/patches/CVE-2022-31629.patch (+74/-0)
debian/patches/CVE-2022-31630.patch (+69/-0)
debian/patches/CVE-2022-37454.patch (+142/-0)
debian/patches/CVE-2023-0662-1.patch (+58/-0)
debian/patches/CVE-2023-3247-1.patch (+79/-0)
debian/patches/CVE-2023-3247-2.patch (+21/-0)
debian/patches/CVE-2023-3823.patch (+552/-0)
debian/patches/CVE-2023-3824.patch (+83/-0)
debian/patches/fix-attribute-instantion-dangling-pointer.patch (+115/-0)
debian/patches/fix-attribute-instantion-memory-overflow-recovery.patch (+88/-0)
debian/patches/fix-map-ptr-mem-leak.patch (+199/-0)
debian/patches/series (+26/-0)
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 229 lines (+207/-0), 3 files modified
debian/changelog (+7/-0)
debian/patches/fix-map-ptr-mem-leak.patch (+199/-0)
debian/patches/series (+1/-0)
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 229 lines (+207/-0), 3 files modified
debian/changelog (+7/-0)
debian/patches/fix-map-ptr-mem-leak.patch (+199/-0)
debian/patches/series (+1/-0)
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 247 lines (+225/-0), 3 files modified
debian/changelog (+7/-0)
debian/patches/fix-map-ptr-mem-leak.patch (+217/-0)
debian/patches/series (+1/-0)
summary: | Memory leak in 8.1.x < 8.1.18 → Memory leak in php-fpm 8.1.x < 8.1.18 |
description: | updated |
Changed in php8.1 (Ubuntu Jammy): | |
assignee: | nobody → Athos Ribeiro (athos-ribeiro) |
Changed in php8.1 (Ubuntu Kinetic): | |
assignee: | nobody → Athos Ribeiro (athos-ribeiro) |
Changed in php8.1 (Ubuntu Lunar): | |
assignee: | nobody → Athos Ribeiro (athos-ribeiro) |
Changed in php8.1 (Ubuntu Jammy): | |
status: | New → Triaged |
Changed in php8.1 (Ubuntu Kinetic): | |
status: | New → Triaged |
Changed in php8.1 (Ubuntu Lunar): | |
status: | New → Triaged |
Changed in php8.1 (Ubuntu): | |
status: | In Progress → Fix Released |
description: | updated |
summary: | Memory leak in php-fpm 8.1.x < 8.1.18 → zend_map_ptr opcache-less php8.1-fpm memory leak |
description: | updated |
description: | updated |
description: | updated |
Hi Patrick,
thanks for reporting this one.
Would you also be able to provide a reproducer? It would be nice to understand how exactly we are affected since Ubuntu's PHP does not use the regular PHP GC (it uses a cron job. LP: #1772915 has more context on it).
Upstream bug: https://github.com/php/php-src/issues/8646
Upstream fix PR: https://github.com/php/php-src/pull/10783
Actual fix: https://github.com/php/php-src/commit/ff62d117a35509699f8bac8b0750a956914da1b7