From:
Operating system: Linux
PHP version: 5.3.10
Package: FPM related
Bug Type: Bug
Bug description: FPM - memory corruption in request parsing code
Description:
------------
I've found a bug in FPM code. Sometimes the worker process segfaults. I spent some time debugging it and now I'm able to reproduce this bug.

The following data was collected on Debian Linux with PHP packages from dotdeb (www.dotdeb.org). I can test this on another distro with PHP compiled from sources if needed. The PHP version used here is PHP 5.3.6, but the bug is also present in 5.3.10.

Configuration is simple: nginx redirects ^(.*)$ to /index.php/$1. The request looks like this:

http://ttt/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php

"ttt" is the vhost used for testing. The important things here are: the exact size of the query string and the ".php" suffix. The next important thing is the freshness of the php-fpm process. The process will always segfault when this request is the first request processed. Otherwise the process may survive the request - I don't know whether it corrupts any data at the affected pointer.

Also, I know that my nginx configuration is buggy - nginx should call just index.php - but the PHP process shouldn't segfault in any case.

The php.ini that can be used to trigger the bug is the original php.ini-production with only one modification:

cgi.fix_pathinfo = 1

The modules loaded seem to have no influence on the bug.
ltrace from accepting the connection to crash: http://pastebin.com/UDuET7Sv
strace (contains full dump of data received from socket): http://pastebin.com/b1Ad9AAh

Backtrace (5.3.6):
#0 _zend_hash_add_or_update (ht=0x1fe79e8, arKey=0xb45047 "SCRIPT_NAME", nKeyLength=12, pData=0x7fff8598f1f0, nDataSize=8, pDest=0x7fff8598ee78, flag=7648604) at /usr/src/php5/source/php5-5.3.6/Zend/zend_hash.c:418
#1 0x000000000074b55c in fcgi_putenv (req=0x7fff8598f1f0, var=0xca59ccba5f40 <Address 0xca59ccba5f40 out of bounds>, var_len=11, val=0x1fe9538 "") at /usr/src/php5/source/php5-5.3.6/sapi/fpm/fpm/fastcgi.c:1096
#2 0x0000000000753bc7 in main (argc=33455768, argv=0x1fe8d60) at /usr/src/php5/source/php5-5.3.6/sapi/fpm/fpm/fpm_main.c:1255

Backtrace (5.3.10):
(gdb) bt
#0 _zend_hash_add_or_update (ht=0x279fb08, arKey=0xb4c7cb "SCRIPT_NAME", nKeyLength=12, pData=0x7fff1bd33ac0, nDataSize=8, pDest=0x7fff1bd33758, flag=7664444) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:418
#1 0x000000000074f33c in fcgi_putenv (req=0x7fff1bd33ac0, var=0xca59ccba5f40 <Address 0xca59ccba5f40 out of bounds>, var_len=11, val=0x27a1560 "") at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fastcgi.c:1067
#2 0x0000000000759114 in main (argc=41549640, argv=0x27a0c90) at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1189

Headers received by PHP process from nginx (extracted from strace dump):
QUERY_STRING
REQUEST_METHOD GET
CONTENT_TYPE
CONTENT_LENGTH
SCRIPT_NAME /index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
REQUEST_URI /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
DOCUMENT_URI /index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
DOCUMENT_ROOT /tmp/ttt
SERVER_PROTOCOL HTTP/1.1
HTTPS off
GATEWAY_INTERFACE CGI/1.1
SERVER_SOFTWARE nginx/1.0.12
REMOTE_ADDR 127.0.0.1
REMOTE_PORT 38004
SERVER_ADDR 127.0.0.1
SERVER_PORT 80
SERVER_NAME ttt
REDIRECT_STATUS 200
SCRIPT_FILENAME /tmp/ttt/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
PATH_INFO
PATH_TRANSLATED /tmp/ttt/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
SERVER_NAME ttt
HTTP_USER_AGENT curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
HTTP_HOST ttt
HTTP_PROXY_CONNECTION Keep-Alive

-- 
Edit bug report at https://bugs.php.net/bug.php?id=61099&edit=1
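Added example, not part of the bug report and not PHP's or nginx's own code: a small Python encoder/decoder for the FastCGI FCGI_PARAMS records that nginx uses to deliver headers like SCRIPT_NAME, PATH_INFO and SCRIPT_FILENAME to php-fpm, with an explicit bounds check on every length field before any byte is read. The report does not say where inside FPM the corruption originates, so this is a reference for what a parser of that format has to verify, not a reconstruction of the bug; the parameter values below are constructed from the header list above, and the long path is an arbitrary length rather than the exact size that triggered the crash.

```python
"""Added example (not from the bug report or PHP's own sources): encode and
decode FastCGI FCGI_PARAMS records, the format nginx uses to hand the
SCRIPT_NAME / PATH_INFO / SCRIPT_FILENAME headers to php-fpm, with explicit
bounds checks on every length field."""
import struct

FCGI_VERSION_1 = 1
FCGI_PARAMS = 4          # record type carrying name/value pairs
FCGI_HEADER_LEN = 8


def _encode_len(n):
    """FastCGI length: 1 byte below 128, else 4 bytes big-endian with top bit set."""
    if n < 0x80:
        return bytes([n])
    if n > 0x7FFFFFFF:
        raise ValueError("length does not fit in a FastCGI length field")
    return struct.pack(">I", n | 0x80000000)


def encode_params(params):
    """Serialise a list of (name, value) string pairs into FCGI_PARAMS content."""
    body = bytearray()
    for name, value in params:
        n, v = name.encode("utf-8"), value.encode("utf-8")
        body += _encode_len(len(n)) + _encode_len(len(v)) + n + v
    return bytes(body)


def build_record(req_id, content, rtype=FCGI_PARAMS):
    """Wrap content in a FastCGI record header, padding the body to 8 bytes."""
    if len(content) > 0xFFFF:
        raise ValueError("content must be split across records")
    pad = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION_1, rtype, req_id, len(content), pad)
    return header + content + b"\x00" * pad


def _decode_len(buf, pos, end):
    """Read one length field, refusing to read past `end`."""
    if pos >= end:
        raise ValueError("truncated length field")
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    if pos + 4 > end:
        raise ValueError("truncated 4-byte length field")
    return struct.unpack(">I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4


def decode_params(content):
    """Parse FCGI_PARAMS content; every name/value must lie inside the content."""
    params = []
    pos, end = 0, len(content)
    while pos < end:
        nlen, pos = _decode_len(content, pos, end)
        vlen, pos = _decode_len(content, pos, end)
        if nlen + vlen > end - pos:
            raise ValueError("name/value length exceeds record content")
        name = content[pos:pos + nlen]
        pos += nlen
        value = content[pos:pos + vlen]
        pos += vlen
        params.append((name.decode("utf-8"), value.decode("utf-8")))
    return params


def parse_record(data):
    """Split one record into (request id, type, content), checking the header."""
    if len(data) < FCGI_HEADER_LEN:
        raise ValueError("truncated record header")
    version, rtype, req_id, clen, pad = struct.unpack(">BBHHBx", data[:FCGI_HEADER_LEN])
    if version != FCGI_VERSION_1:
        raise ValueError("unsupported FastCGI version %d" % version)
    content = data[FCGI_HEADER_LEN:FCGI_HEADER_LEN + clen]
    if len(content) != clen:
        raise ValueError("record content shorter than contentLength")
    if len(data) < FCGI_HEADER_LEN + clen + pad:
        raise ValueError("record padding missing")
    return req_id, rtype, content


# Constructed sample modelled on the headers in the report; the long path is
# an arbitrary length here, not the exact size that triggered the crash.
LONG_PATH = "/index.php/" + "a" * 90 + ".php"
SAMPLE_PARAMS = [
    ("QUERY_STRING", ""),
    ("REQUEST_METHOD", "GET"),
    ("SCRIPT_NAME", LONG_PATH),
    ("DOCUMENT_ROOT", "/tmp/ttt"),
    ("SCRIPT_FILENAME", "/tmp/ttt" + LONG_PATH),
    ("PATH_INFO", ""),
    ("REDIRECT_STATUS", "200"),
]


def roundtrip(params, req_id=1):
    """Encode params into a record and parse it back; returns the decoded pairs."""
    record = build_record(req_id, encode_params(params))
    rid, rtype, content = parse_record(record)
    assert rid == req_id and rtype == FCGI_PARAMS
    return decode_params(content)


if __name__ == "__main__":
    for name, value in roundtrip(SAMPLE_PARAMS):
        print("%s=%s" % (name, value))
```

The decoder never trusts a length it has not checked against the remaining content, and the record parser refuses a body shorter than contentLength instead of reading whatever follows the buffer; those two checks are the difference between rejecting a malformed or truncated record and walking off the end of it. Empty values (QUERY_STRING, PATH_INFO, as in the dump above) round-trip as zero-length strings.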