[php-maint] Bug#543177: php5 segfault in php_realpath

Raoul Bhatia [IPAX] r.bhatia at ipax.at
Fri Sep 18 08:51:25 UTC 2009


hi,

i can confirm this bug and also see segfaults using php5-cli:

a sample backtrace. 3 of 4 segfaults that occurred in the last 16 hours
have been within php_realpath. the remaining one was in T1_CloseLib ()
from /usr/lib/libt1.so.5 while calling the zm_shutdown_gd at
/tmp/buildd/php5-5.2.6.dfsg.1/ext/gd/gd.c:1225

(i do not know if the "gd segfault" is related, so i post this info in
here anyways).

> (gdb) thread apply all bt full
> 
> Thread 1 (process 5301):
> #0  php_realpath (path=0x7fff0777f8e0 "/data/www/k000535/web/animationsplanet.com/typo3conf", resolved=Cannot access memory at address 0x7fff07774688
> ) at /tmp/buildd/php5-5.2.6.dfsg.1/TSRM/tsrm_virtual_cwd.c:278
>         sb = {st_dev = 0, st_ino = 0, st_nlink = 0, st_mode = 0, st_uid = 0, st_gid = 0, pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 0}, st_mtim = {
>     tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec = 0, tv_nsec = 0}, __unused = {0, 0, 0}}
>         s = 0x0
>         left_len = 125303008
>         resolved_len = 125282368
>         symlinks = Cannot access memory at address 0x7fff0777469c
> (gdb) bt
> #0  php_realpath (path=0x7fff0777f8e0 "/data/www/k000535/web/animationsplanet.com/typo3conf", resolved=Cannot access memory at address 0x7fff07774688
> ) at /tmp/buildd/php5-5.2.6.dfsg.1/TSRM/tsrm_virtual_cwd.c:278
> #1  0x0000000000621158 in virtual_file_ex (state=0x7fff0777a840, path=0x7fff0777f8e0 "/data/www/k000535/web/animationsplanet.com/typo3conf", verify_path=0x100000000, use_realpath=0)
>     at /tmp/buildd/php5-5.2.6.dfsg.1/TSRM/tsrm_virtual_cwd.c:732
> #2  0x00000000006293f3 in expand_filepath (filepath=0x7fff0777f8e0 "/data/www/k000535/web/animationsplanet.com/typo3conf", real_path=0x7fff0777e890 "")
>     at /tmp/buildd/php5-5.2.6.dfsg.1/main/fopen_wrappers.c:667
> #3  0x0000000000629a58 in php_check_specific_open_basedir (basedir=0x1b4ba80 "/usr/share/php/", path=0x7fff0777f8e0 "/data/www/k000535/web/animationsplanet.com/typo3conf")
>     at /tmp/buildd/php5-5.2.6.dfsg.1/main/fopen_wrappers.c:112
> #4  0x0000000000629dc9 in php_check_open_basedir_ex (path=0x7fff0777f8e0 "/data/www/k000535/web/animationsplanet.com/typo3conf", warn=32767) at /tmp/buildd/php5-5.2.6.dfsg.1/main/fopen_wrappers.c:261
> #5  0x00000000005b7b7d in php_stat (filename=0x1b4c098 "/data/www/k000535/web/animationsplanet.com/typo3conf/", filename_length=125270000, type=13, return_value=0x1b540a0)
>     at /tmp/buildd/php5-5.2.6.dfsg.1/ext/standard/filestat.c:753
> #6  0x00000000005b8884 in zif_is_dir (ht=125303008, return_value=0x1b540a0, return_value_ptr=0xfefefeff656d6e62, this_ptr=0x0, return_value_used=0)
>     at /tmp/buildd/php5-5.2.6.dfsg.1/ext/standard/filestat.c:1073
> #7  0x00000000006a0f4d in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff07788f60) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:200
> #8  0x000000000068c484 in execute (op_array=0x1b4cc98) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
> #9  0x0000000000691a2b in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0x7fff07789b40) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:4612
> #10 0x000000000068c484 in execute (op_array=0x1b4bb90) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
> #11 0x00000000006682c8 in zend_execute_scripts (type=32767, retval=0x0, file_count=125344872) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend.c:1215
> #12 0x0000000000622b88 in php_execute_script (primary_file=Cannot access memory at address 0x800007788bd0
> ) at /tmp/buildd/php5-5.2.6.dfsg.1/main/main.c:2028
> #13 0x00000000006e04bd in main (argc=125363208, argv=0x7fff0778c000) at /tmp/buildd/php5-5.2.6.dfsg.1/sapi/cgi/cgi_main.c:1954
> (gdb) quit

i run apache2 + suphp + safemode off:
> ii  apache2                    2.2.9-10+lenny4        Apache HTTP Server metapackage
> ii  apache2-mpm-worker         2.2.9-10+lenny4        Apache HTTP Server - high speed threaded mod
> ii  apache2-utils              2.2.9-10+lenny4        utility programs for webservers
> ii  apache2.2-common           2.2.9-10+lenny4        Apache HTTP Server common files
> ii  libapache2-mod-auth-mysql  4.3.9-11               Apache 2 module for MySQL authentication
> ii  libapache2-mod-rpaf        0.5-3                  module for Apache2 which takes the last IP f
> ii  libapache2-mod-suphp       0.6.2-3                Apache2 module to run php scripts with the o
> ii  php-pear                   5.2.6.dfsg.1-1+lenny3  PEAR - PHP Extension and Application Reposit
> ii  php5-adodb                 5.04-3                        Extension optimising ADOdb database abstract
> ii  php5-cgi                   5.2.6.dfsg.1-1+lenny3  server-side, HTML-embedded scripting languag
> ii  php5-cli                   5.2.6.dfsg.1-1+lenny3  command-line interpreter for the php5 script
> ii  php5-common                5.2.6.dfsg.1-1+lenny3  Common files for packages built from the php
> ii  php5-curl                  5.2.6.dfsg.1-1+lenny3  CURL module for php5
> ii  php5-dbg                   5.2.6.dfsg.1-1+lenny3  Debug symbols for PHP5
> ii  php5-gd                    5.2.6.dfsg.1-1+lenny3  GD module for php5
> ii  php5-imagick               2.1.1RC1-1                    ImageMagick module for php5
> ii  php5-imap                  5.2.6.dfsg.1-1+lenny3  IMAP module for php5
> ii  php5-mcrypt                5.2.6.dfsg.1-1+lenny3  MCrypt module for php5
> ii  php5-mysql                 5.2.6.dfsg.1-1+lenny3  MySQL module for php5
> ii  php5-sqlite                5.2.6.dfsg.1-1+lenny3  SQLite module for php5
> ii  suphp-common               0.6.2-3                Common files for mod suphp

php.ini changes i made:
> --- php.ini.old     2009-03-05 15:47:06.000000000 +0100
> +++ php.ini 2009-08-18 16:38:04.000000000 +0200
> @@ -1,4 +1,5 @@
>  [PHP]
> +; IPAX
>  
>  ;;;;;;;;;;;
>  ; WARNING ;
> @@ -215,7 +216,7 @@
>  ;
>  
>  ;open_basedir =
> -open_basedir = 
> +open_basedir = /usr/share/php/:/data/www/k000535/tmp/:/data/www/k000535/:/usr/bin/:/bin:/usr/local/bin:/usr/share/fonts/truetype/
>  
>  ; This directive allows you to disable certain functions for security reasons.
>  ; It receives a comma-delimited list of function names. This directive is
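Review bot: /bin and /usr/local/bin are the only entries in the new open_basedir value without a trailing slash, and open_basedir matches by prefix, so both also allow any sibling path that merely begins with those characters. Write them as /bin/ and /usr/local/bin/ like the other entries. The /data/www/k000535/tmp/ entry is redundant because /data/www/k000535/ already covers it, and it can be dropped.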
> @@ -268,7 +269,7 @@
>  max_execution_time = 30     ; Maximum execution time of each script, in seconds
>  max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
>  ;max_input_nesting_level = 64 ; Maximum input variable nesting level
> -memory_limit = 32M      ; Maximum amount of memory a script may consume (32MB)
> +memory_limit = 48M      ; Maximum amount of memory a script may consume (48MB)
>  
>  
>  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> @@ -561,6 +562,7 @@
>  ; Temporary directory for HTTP uploaded files (will use system default if not
>  ; specified).
>  ;upload_tmp_dir =
> +upload_tmp_dir = /data/www/k000535/tmp/
>  
>  ; Maximum allowed size for uploaded files.
>  upload_max_filesize = 64M
> @@ -956,6 +958,7 @@
>  ; where MODE is the octal representation of the mode. Note that this
>  ; does not overwrite the process's umask.
>  ;session.save_path = /var/lib/php5
> +session.save_path = /data/www/k000535/tmp/
>  
>  ; Whether to use cookies.
>  session.use_cookies = 1
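Review bot: session.save_path is set to /data/www/k000535/tmp/, the same directory this patch also assigns to upload_tmp_dir and soap.wsdl_cache_dir, and it lies inside the open_basedir entry /data/www/k000535/. Session files, upload temporaries and cached WSDL then sit side by side where every script of the site can read and write them. Give sessions a dedicated directory with restrictive permissions, and keep the upload and cache directories separate from it.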
> @@ -1244,7 +1247,7 @@
>  ; Enables or disables WSDL caching feature.
>  soap.wsdl_cache_enabled=1
>  ; Sets the directory name where SOAP extension will put cache files.
> -soap.wsdl_cache_dir="/tmp"
> +soap.wsdl_cache_dir="/data/www/k000535/tmp/"
>  ; (time to live) Sets the number of second while cached file will be used 
>  ; instead of original one.
>  soap.wsdl_cache_ttl=86400

cheers,
raoul
-- 
____________________________________________________________________
DI (FH) Raoul Bhatia M.Sc.          email.          r.bhatia at ipax.at
Technischer Leiter

IPAX - Aloy Bhatia Hava OEG         web.          http://www.ipax.at
Barawitzkagasse 10/2/2/11           email.            office at ipax.at
1190 Wien                           tel.               +43 1 3670030
FN 277995t HG Wien                  fax.            +43 1 3670030 15
____________________________________________________________________




