Package: libapache2-mod-php5
Version: 5.4.4-14+deb7u5
Severity: normal

I am unsure as to whether this bug should be filed against PHP or Apache, so I flipped a coin and filed this against PHP.
After upgrading from squeeze to wheezy, a particular script has started causing segfaults, but only when it retrieves a particular database record. I have not yet succeeded at constructing a test case that does not contain private data and a giant chunk of legacy code. The segfaults are happening in functions called from PDO's free_statement. The script uses PDO to connect to a Microsoft SQL Server database.

Findings:

- The crash only happens for me when Apache's mod_deflate is enabled. The crash does not happen with the command-line PHP interpreter and does not seem to occur when I hit the site over SSL.

- Although I haven't conducted an exhaustive search, the crash only seems to happen with a particular database record. I can see nothing unusual about that record.

- Bug #696590 notwithstanding, the core dumps show crashing in simple functions called from free_statement. I expect that the actual cause of the problem lies elsewhere.

- If I delete this line from the script:

  <td><p>Special Notes:</p><textarea cols="80" rows="2" name="specialnotes"><?php echo htmlentities($specialnotes); ?></textarea></td>

  the crash stops happening. If I alter that line, even going so far as to delete all the PHP code on that line, the script still crashes, but if I delete that line, the script does not crash.

- If I look at stmt->columns in free_statement, there seems to be evidence of memory corruption. See the GDB transcripts.

GDB session transcripts:

Partial GDB session with one core dump:

[...]
#0  zend_mm_remove_from_free_list (heap=0xb7b1d648, mm_block=0xb7dead14) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:833
#1  0xb59f4edf in _zend_mm_free_int (heap=0xb7b1d648, p=0xb7dead1c) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:2101
#2  0xb690c816 in free_statement (stmt=0xb696bd68) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
#3  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696bd68) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
#4  0xb5a4707f in zend_objects_store_del_ref_by_handle_ex (handle=<unknown type>, handlers=0x2) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:220
#5  0xb5a470bf in zend_objects_store_del_ref (zobject=0xb5a1ce39) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:172
#6  0xb5a1ce39 in _zval_dtor_func (zvalue=0xb5a0e1cd) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_variables.c:52
#7  0xb5a0e1cd in _zval_ptr_dtor (zval_ptr=0xb5a2aa86) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_variables.h:35
#8  0xb5a2aa86 in zend_hash_apply_deleter () at /build/php5-2buXwb/php5-5.4.4/Zend/zend_hash.c:650
#9  0xb5a2c4b5 in zend_hash_reverse_apply (ht=0xb59f594b, apply_func=0) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_hash.c:804
#10 0xb5a0e504 in shutdown_destructors () at /build/php5-2buXwb/php5-5.4.4/Zend/zend_execute_API.c:217
#11 0xb5a1df9d in zend_call_destructors () at /build/php5-2buXwb/php5-5.4.4/Zend/zend.c:925
#12 0xb59b8235 in php_request_shutdown (dummy=0xb4a70fc8) at /build/php5-2buXwb/php5-5.4.4/main/main.c:1723
#13 0xb5ad0284 in php_handler (r=0x0) at /build/php5-2buXwb/php5-5.4.4/sapi/apache2handler/sapi_apache2.c:520
#14 0xb76e0656 in ap_run_handler (r=r@entry=0xb6135058) at config.c:159
#15 0xb76e0aa9 in ap_invoke_handler (r=r@entry=0xb6135058) at config.c:377
#16 0xb76f2d50 in ap_process_request (r=r@entry=0xb6135058) at http_request.c:282
#17 0xb76ef908 in ap_process_http_connection (c=0xb69241f0) at http_core.c:190
#18 0xb76e7b26 in ap_run_process_connection (c=0xb69241f0) at connection.c:43
#19 0xb76e7fd2 in ap_process_connection (c=c@entry=0xb69241f0, csd=0xb6924058) at connection.c:190
#20 0xb76f83c0 in child_main (child_num_arg=child_num_arg@entry=14) at prefork.c:667
#21 0xb76f8d13 in make_child (slot=14, s=<optimized out>) at prefork.c:768
#22 make_child (s=<optimized out>, slot=14) at prefork.c:696
#23 0xb76f9a4c in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:903
#24 ap_mpm_run (_pconf=_pconf@entry=0xb767d018, plog=0xb73c6018, s=s@entry=0xb73f4880) at prefork.c:1107
#25 0xb76c96a4 in main (argc=3, argv=0xbfe10214) at main.c:755
(gdb) frame 2
#2  0xb690c816 in free_statement (stmt=0xb696bd68) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
2400	/build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c: No such file or directory.
(gdb) print stmt
$1 = (pdo_stmt_t *) 0xb696bd68
[...]
(gdb) print i
$4 = 14
(gdb) print stmt->column_count
$5 = 67
(gdb) print cols[14].name
No symbol "cols" in current context.
(gdb) print stmt->columns[14].name
$6 = 0xb7dead1c "City"
(gdb) ^Z
[...]
(gdb) print stmt->columns[13].name
$9 = 0x0
(gdb) print stmt->columns[16].name
$10 = 0xb7deb60c "Zip"
(gdb) print stmt->columns[15].name
$11 = 0xb7deb194 "Stat\024\247\336\267"
(gdb) print stmt->columns[14].name
$12 = 0xb7dead1c "City"
(gdb) ^Z
[...]
$13 = 0xb7dead1c "City"
(gdb) print stmt->columns[15].name
$14 = 0xb7deb194 "Stat\024\247\336\267"

GDB session with another core dump:

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/apache2...Reading symbols from /usr/lib/debug/usr/sbin/apache2-mpm-prefork...done.
done.
warning: core file may not match specified executable file.
[New LWP 23418]
warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0xb7b1d648, p=0xb7c815dc) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:2100
2100	/build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  _zend_mm_free_int (heap=0xb7b1d648, p=0xb7c815dc) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:2100
#1  0xb690c816 in free_statement (stmt=0xb696c044) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
#2  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696c044) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
#3  0xb5a4707f in zend_objects_store_del_ref_by_handle_ex (handle=<unknown type>, handlers=0x2) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:220
#4  0xb5a470bf in zend_objects_store_del_ref (zobject=0xb5a1ce39) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:172
#5  0xb5a1ce39 in _zval_dtor_func (zvalue=0xb5a0e1cd) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_variables.c:52
#6  0xb5a0e1cd in _zval_ptr_dtor (zval_ptr=0xb5a2aa86) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_variables.h:35
#7  0xb5a2aa86 in zend_hash_apply_deleter () at /build/php5-2buXwb/php5-5.4.4/Zend/zend_hash.c:650
#8  0xb5a2c4b5 in zend_hash_reverse_apply (ht=0xb59f594b, apply_func=0) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_hash.c:804
#9  0xb5a0e504 in shutdown_destructors () at /build/php5-2buXwb/php5-5.4.4/Zend/zend_execute_API.c:217
#10 0xb5a1df9d in zend_call_destructors () at /build/php5-2buXwb/php5-5.4.4/Zend/zend.c:925
#11 0xb59b8235 in php_request_shutdown (dummy=0xb60cffc8) at /build/php5-2buXwb/php5-5.4.4/main/main.c:1723
#12 0xb5ad0284 in php_handler (r=0x0) at /build/php5-2buXwb/php5-5.4.4/sapi/apache2handler/sapi_apache2.c:520
#13 0xb76e0656 in ap_run_handler (r=r@entry=0xb68e8058) at config.c:159
#14 0xb76e0aa9 in ap_invoke_handler (r=r@entry=0xb68e8058) at config.c:377
#15 0xb76f2d50 in ap_process_request (r=r@entry=0xb68e8058) at http_request.c:282
#16 0xb76ef908 in ap_process_http_connection (c=0xb69241f0) at http_core.c:190
#17 0xb76e7b26 in ap_run_process_connection (c=0xb69241f0) at connection.c:43
#18 0xb76e7fd2 in ap_process_connection (c=c@entry=0xb69241f0, csd=0xb6924058) at connection.c:190
#19 0xb76f83c0 in child_main (child_num_arg=child_num_arg@entry=0) at prefork.c:667
#20 0xb76f8d13 in make_child (slot=0, s=<optimized out>) at prefork.c:768
#21 make_child (s=<optimized out>, slot=0) at prefork.c:696
#22 0xb76f8ded in startup_children (number_to_start=number_to_start@entry=5) at prefork.c:786
#23 0xb76f99f5 in ap_mpm_run (_pconf=_pconf@entry=0xb767d018, plog=0xb73c6018, s=s@entry=0xb73f4880) at prefork.c:1007
#24 0xb76c96a4 in main (argc=3, argv=0xbfe10214) at main.c:755
(gdb) frame 2
#2  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696c044) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
2437	/build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c: No such file or directory.
(gdb) print i
$1 = -1075775084
(gdb) up
#3  0xb5a4707f in zend_objects_store_del_ref_by_handle_ex (handle=<unknown type>, handlers=0x2) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:220
220	/build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c: No such file or directory.
(gdb) down
#2  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696c044) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
2437	/build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c: No such file or directory.
(gdb) down
#1  0xb690c816 in free_statement (stmt=0xb696c044) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
2400	in /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c
(gdb) print i
$2 = 5
(gdb) print stmt->columns[5].name
$3 = 0xb7c815dc "\n", ' ' <repeats 12 times>, "<tr>\n", ' ' <repeats 16 times>, "<th align=\"right\">Today is 11/19/2013</th>\n", ' ' <repeats 12 times>, "</tr><tr>\n", ' ' <repeats 16 times>, "<td>Reference Number: 6305</td>\n", ' ' <repeats 12 times>, "</tr><tr>\n", ' ' <repeats 16 times>, "<td> </td"...
(gdb) print stmt->columns[4].name
$4 = 0x0
(gdb) print stmt->columns[5].name
$5 = 0xb7c815dc "\n", ' ' <repeats 12 times>, "<tr>\n", ' ' <repeats 16 times>, "<th align=\"right\">Today is 11/19/2013</th>\n", ' ' <repeats 12 times>, "</tr><tr>\n", ' ' <repeats 16 times>, "<td>Reference Number: 6305</td>\n", ' ' <repeats 12 times>, "</tr><tr>\n", ' ' <repeats 16 times>, "<td> </td"...
(gdb) print stmt->columns[6].name
$6 = 0xb7c81a54 "Request</option><option value=\"6FDEDBF5-07BD-4CCE-93F5-7DEB825CE15F\">Suspended</option><option value=\"C25B79CC-BFAA-4931-BF39-A04144FDD00F\">Waiting List</option></select><br/>", ' ' <repeats 16 times>, "</td>\n "...
(gdb)

End of GDB transcripts.

-- System Information:
Debian Release: 7.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-prefork  2.2.22-13
ii  apache2.2-common     2.2.22-13
ii  libbz2-1.0           1.0.6-4
ii  libc6                2.13-38
ii  libcomerr2           1.42.5-1.1
ii  libdb5.1             5.1.29-5
ii  libgssapi-krb5-2     1.10.1+dfsg-5+deb7u1
ii  libk5crypto3         1.10.1+dfsg-5+deb7u1
ii  libkrb5-3            1.10.1+dfsg-5+deb7u1
ii  libmagic1            5.11-2
ii  libonig2             5.9.1-1
ii  libpcre3             1:8.30-5
ii  libqdbm14            1.8.78-2
ii  libssl1.0.0          1.0.1e-2
ii  libstdc++6           4.7.2-5
ii  libxml2              2.8.0+dfsg1-7+nmu2
ii  mime-support         3.52-1
ii  php5-common          5.4.4-14+deb7u5
ii  tzdata               2013d-0wheezy1
ii  ucf                  3.0025+nmu3
ii  zlib1g               1:1.2.7.dfsg-13

Versions of packages libapache2-mod-php5 recommends:
ii  php5-cli  5.4.4-14+deb7u5

Versions of packages libapache2-mod-php5 suggests:
pn  php-pear  <none>

-- no debconf information
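Triage aid, added here as an example and not part of the bug report or of PHP's or Debian's own tooling: the two core dumps above die in different Zend allocator functions (zend_mm_remove_from_free_list and _zend_mm_free_int), yet both are reached from free_statement at pdo_stmt.c:2400, which is the reporter's point that the allocator frames are only where the corruption is noticed. The script below parses the GDB backtrace format quoted in the report and keys each dump on its first frames outside the allocator, so that crashes with different innermost frames are still grouped together. The sample input is the top of the two backtraces from the report; the choice of zend_alloc.c as the "skip" file and a signature depth of three frames are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# One GDB "bt" frame.  The innermost frame (#0) carries no program counter,
# so the "0x... in" prefix is optional.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"
    r"(?P<func>\S+)\s+\((?P<args>.*)\)\s+"
    r"at\s+(?P<file>\S+):(?P<line>\d+)\s*$"
)


@dataclass(frozen=True)
class Frame:
    num: int
    func: str
    file: str
    line: int


def parse_backtrace(text: str) -> list[Frame]:
    """Parse the frames of a GDB backtrace; non-frame lines are ignored."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["num"]), m["func"], m["file"], int(m["line"])))
    return frames


# Assumption of this example: frames inside the Zend allocator only report the
# damage, so the first frame that called into it is the useful triage key.
ALLOCATOR_FILES = ("zend_alloc.c",)


def crash_signature(frames: list[Frame], depth: int = 3) -> tuple[str, ...]:
    """Signature = first `depth` frames outside the allocator, as func@file:line."""
    meaningful = [f for f in frames if not f.file.endswith(ALLOCATOR_FILES)]
    return tuple(
        f"{f.func}@{f.file.rsplit('/', 1)[-1]}:{f.line}" for f in meaningful[:depth]
    )


def group_by_signature(dumps: dict[str, str], depth: int = 3) -> dict[tuple[str, ...], list[str]]:
    """Bucket named core dumps whose backtraces share a signature."""
    buckets: dict[tuple[str, ...], list[str]] = {}
    for name, text in dumps.items():
        sig = crash_signature(parse_backtrace(text), depth)
        buckets.setdefault(sig, []).append(name)
    return buckets


# Sample input: the top frames of the two backtraces quoted in the report
# (outer frames omitted here; they are identical Apache frames).
CORE_A = """\
#0  zend_mm_remove_from_free_list (heap=0xb7b1d648, mm_block=0xb7dead14) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:833
#1  0xb59f4edf in _zend_mm_free_int (heap=0xb7b1d648, p=0xb7dead1c) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:2101
#2  0xb690c816 in free_statement (stmt=0xb696bd68) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
#3  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696bd68) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
#4  0xb5a4707f in zend_objects_store_del_ref_by_handle_ex (handle=<unknown type>, handlers=0x2) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:220
"""

CORE_B = """\
#0  _zend_mm_free_int (heap=0xb7b1d648, p=0xb7c815dc) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:2100
#1  0xb690c816 in free_statement (stmt=0xb696c044) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
#2  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696c044) at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
#3  0xb5a4707f in zend_objects_store_del_ref_by_handle_ex (handle=<unknown type>, handlers=0x2) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:220
"""

if __name__ == "__main__":
    for sig, names in group_by_signature({"core.A": CORE_A, "core.B": CORE_B}).items():
        print(names, "->", " / ".join(sig))
```

Run stand-alone, it prints a single bucket containing both dumps, keyed on free_statement@pdo_stmt.c:2400 and the two frames above it. Keying on the raw innermost frame instead would have filed the two dumps as separate bugs.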