[php-maint] Bug#481737: Bug#481737: Bug#481737: PHP 5.2.6 with suhosin 0.9.6.2 causes bus errors
sean finney
seanius at debian.org
Tue Jul 1 06:34:47 UTC 2008
hi everyone,
i just ran a build last night with the modified patch, which unfortunately
failed. *however*, it failed later than before, and looking at the crash it
looks like there's at least a third place where unaligned access is
occurring:
(gdb) run
Starting program: /home/seanius/php5-5.2.6/cgi-build/sapi/cli/php
[Thread debugging using libthread_db enabled]
[New Thread 0xf7f92f60 (LWP 31508)]
Program received signal SIGBUS, Bus error.
[Switching to Thread 0xf7f92f60 (LWP 31508)]
_zend_mm_free_int (heap=0x5085c0, p=0xf75c4030)
at /home/seanius/php5-5.2.6/Zend/zend_alloc.c:2018
2018 SUHOSIN_MM_CHECK_CANARIES(mm_block, "efree()");
and the relevant code:
+# define SUHOSIN_MM_CHECK_CANARIES(block, MFUNCTION) do { \
+ size_t *p = SUHOSIN_MM_END_CANARY_PTR(block), check; \
+ if (((block)->info.canary_1 != heap->canary_1) ||
((block)->info
.canary_2 != heap->canary_2)) { \
+ canary_mismatch: \
+ zend_suhosin_log(S_MEMORY, "canary mismatch on " MFUNCTION " -
heap
overflow detected"); \
+ exit(1); \
+ } \
+ memcpy(&check, p, CANARY_SIZE); \
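Review bot: the declaration `size_t *p = SUHOSIN_MM_END_CANARY_PTR(block), check;` types the end-canary pointer as size_t*, which tells the compiler that address is word-aligned even though the previously modified macro now hands back a char* to a possibly unaligned location; on an alignment-strict target the `memcpy(&check, p, CANARY_SIZE);` at the end of the hunk can then be compiled to a plain aligned word load and fault, which is consistent with the SIGBUS reported at the SUHOSIN_MM_CHECK_CANARIES line. Declare the pointer as `unsigned char *p` (or `char *p`) and keep `size_t check;` separate so the byte-wise memcpy is the only access to the canary. A minor point on the same hunk: the `canary_mismatch:` label lives inside the macro body, so expanding the macro twice in one function would produce a duplicate label.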
so in other words a char* from the previously modified macro is being assigned
to the size_t *p, which is then possibly not aligned and passed to memcpy.
i'll try changing these to a char * too and see if it makes any difference.
br,
sean
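As an added illustration of the alignment point raised above (this is constructed example code, not code from the bug report, from PHP or from suhosin): a block layout where the canary is stored directly after a payload of arbitrary length, so it lands at an unaligned address for most sizes, and is therefore written and read only through an unsigned char* with memcpy. The header layout, the canary constant and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: a small header, the payload, then the end canary.
 * Constants below are made up for the example, not suhosin's values. */
#define CANARY_SIZE  sizeof(size_t)
#define HEAP_CANARY  ((size_t)0xC0FFEE1234567890ULL)

typedef struct {
    size_t size;   /* payload length requested by the caller */
} block_hdr;

/* End canary sits right after the payload; it is only word-aligned when
 * `size` happens to be a multiple of sizeof(size_t). Returning an
 * unsigned char* makes no alignment promise to the compiler. */
static unsigned char *end_canary_ptr(block_hdr *b)
{
    return (unsigned char *)(b + 1) + b->size;
}

/* Allocate a block with a `size`-byte payload and store the canary
 * byte-wise; memcpy through unsigned char* is safe at any address. */
static block_hdr *block_alloc(size_t size)
{
    block_hdr *b = malloc(sizeof *b + size + CANARY_SIZE);
    if (!b) return NULL;
    b->size = size;
    size_t canary = HEAP_CANARY;
    memcpy(end_canary_ptr(b), &canary, CANARY_SIZE);
    return b;
}

/* 1 if the end canary is intact, 0 if the payload was overrun. */
static int canary_ok(block_hdr *b)
{
    size_t check;   /* aligned local; the copy does the unaligned work */
    memcpy(&check, end_canary_ptr(b), CANARY_SIZE);
    return check == HEAP_CANARY;
}

/* 1 if a block with a `size`-byte payload puts its canary at an address
 * that is not a multiple of sizeof(size_t), i.e. one a size_t* would
 * dereference with an aligned load and fault on a strict target. */
static int canary_unaligned(size_t size)
{
    block_hdr *b = block_alloc(size);
    if (!b) return -1;
    int r = ((uintptr_t)end_canary_ptr(b) % sizeof(size_t)) != 0;
    free(b);
    return r;
}
```

The alignment check reports which payload sizes reproduce the situation from the backtrace, while the memcpy-based read keeps working for all of them.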