[php-maint] Bug#481737: PHP 5.2.6 with suhosin 0.9.6.2 causes bus errors

sean finney seanius at debian.org
Tue Jul 1 06:34:47 UTC 2008


Hi everyone,

I just ran a build last night with the modified patch, which unfortunately 
failed.  *However*, it failed later than before, and looking at the crash it 
looks like there's at least a third place where unaligned access is 
occurring:

(gdb) run
Starting program: /home/seanius/php5-5.2.6/cgi-build/sapi/cli/php 
[Thread debugging using libthread_db enabled]
[New Thread 0xf7f92f60 (LWP 31508)]

Program received signal SIGBUS, Bus error.
[Switching to Thread 0xf7f92f60 (LWP 31508)]
_zend_mm_free_int (heap=0x5085c0, p=0xf75c4030)
    at /home/seanius/php5-5.2.6/Zend/zend_alloc.c:2018
2018        SUHOSIN_MM_CHECK_CANARIES(mm_block, "efree()");

and the relevant code:

+# define SUHOSIN_MM_CHECK_CANARIES(block, MFUNCTION) do { \
+        size_t *p = SUHOSIN_MM_END_CANARY_PTR(block), check; \
+               if (((block)->info.canary_1 != heap->canary_1) || 
((block)->info
.canary_2 != heap->canary_2)) { \
+                       canary_mismatch: \
+            zend_suhosin_log(S_MEMORY, "canary mismatch on " MFUNCTION " - 
heap
 overflow detected"); \
+            exit(1); \
+               } \
+        memcpy(&check, p, CANARY_SIZE); \
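Review bot: `size_t *p = SUHOSIN_MM_END_CANARY_PTR(block), check;` gives p a pointer type whose alignment the end canary is not guaranteed to have; once p is a size_t *, the compiler is entitled to assume word alignment and may emit `memcpy(&check, p, CANARY_SIZE)` as a single word load, which is consistent with the SIGBUS reported in _zend_mm_free_int at this macro on a strict-alignment target. Declare p as `char *p` (or `unsigned char *p`) and keep `check` as a separate `size_t` so the copy stays a byte-wise memcpy into an aligned local. Two smaller points from the same hunk: the `canary_mismatch:` label inside the macro body will produce a duplicate-label compile error wherever the macro is expanded twice in one function, and the macro silently depends on a local named `heap` being in scope at every use site, which is worth stating in a comment above the definition.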

So in other words a char* from the previously modified macro is being assigned 
to the size_t *p, which is then possibly not aligned and passed to memcpy.  
I'll try changing these to a char * too and see if it makes any difference.


br,
	sean
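The pattern under discussion (an end-of-block canary that can land at an address that is not a multiple of sizeof(size_t), and a check that must not fault on strict-alignment hardware) is easy to get wrong in exactly the way the macro above does. The following is an added, self-contained illustration written for this page; it is not Suhosin's or Zend's code, and the struct block layout, the function names, the 64-byte backing storage and the canary value 0x5a5aa5a5 are all assumptions made for the example. It keeps the canary pointer as an unsigned char * and fetches the canary with a byte-wise memcpy into an aligned local, then shows the check passing on an intact block and failing after a one-byte overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY_SIZE sizeof(size_t)

/* Hypothetical block layout (not Suhosin's or Zend's): two word-aligned
 * header fields, then the payload, then CANARY_SIZE canary bytes placed
 * directly after the payload.  Because payload_len need not be a multiple
 * of sizeof(size_t), the end canary can sit at an unaligned address. */
struct block {
    size_t canary_1;      /* front canary, naturally aligned */
    size_t payload_len;   /* bytes of payload before the end canary */
    unsigned char data[]; /* payload followed by the end canary */
};

/* Byte pointer to the end canary.  Returning unsigned char * rather than
 * size_t * promises the compiler nothing about alignment, so a memcpy of
 * CANARY_SIZE bytes through it cannot be rewritten as one aligned word
 * load, which is the SIGBUS trap a size_t * would invite on strict-alignment
 * targets. */
static unsigned char *end_canary_ptr(struct block *b)
{
    return b->data + b->payload_len;
}

/* 1 if p is a multiple of align, else 0. */
int ptr_is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

static void write_end_canary(struct block *b, size_t heap_canary)
{
    memcpy(end_canary_ptr(b), &heap_canary, CANARY_SIZE);
}

/* Returns 1 when both canaries equal heap_canary, 0 on any mismatch.
 * The end canary is fetched with a byte-wise memcpy into a properly
 * aligned local, so the comparison is safe at any address. */
int check_canaries(struct block *b, size_t heap_canary)
{
    size_t end;
    if (b->canary_1 != heap_canary)
        return 0;
    memcpy(&end, end_canary_ptr(b), CANARY_SIZE);
    return end == heap_canary;
}

/* Builds a block whose end canary lies 3 bytes past a word boundary, checks
 * it, then clobbers one canary byte the way a one-byte heap overflow would
 * and checks again.  Returns 1 if the end canary really was unaligned, the
 * intact block passed and the overflowed block failed; 0 otherwise. */
int demo_unaligned_canary(void)
{
    union { size_t align; unsigned char raw[64]; } storage; /* word-aligned */
    struct block *b = (struct block *)storage.raw;
    const size_t heap_canary = (size_t)0x5a5aa5a5u; /* constructed value */
    int was_unaligned, intact, overflowed;

    memset(storage.raw, 0, sizeof storage.raw);
    b->canary_1 = heap_canary;
    b->payload_len = 3; /* odd length pushes the end canary off alignment */
    write_end_canary(b, heap_canary);

    was_unaligned = !ptr_is_aligned(end_canary_ptr(b), sizeof(size_t));
    intact = check_canaries(b, heap_canary);

    /* Overflow by one byte past the payload: hits the first canary byte. */
    b->data[b->payload_len] ^= 0xff;
    overflowed = check_canaries(b, heap_canary);

    return was_unaligned && intact == 1 && overflowed == 0;
}

int main(void)
{
    printf("alignment-safe canary check: %s\n",
           demo_unaligned_canary() ? "ok" : "FAILED");
    return 0;
}
```

On x86 the unsafe variant (dereferencing the canary address through a size_t *) would merely be slow, which is why this kind of bug only shows up on the build machines that fault on misaligned loads; the byte-wise copy above behaves identically on both.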