From: thomas dot jarosch at intra2net dot com
Operating system: linux
PHP version: 5.2.6
PHP Bug Type: Reproducible crash
Bug description: IMAP crash if server shuts down
Description:
------------
Hello together,

if you use a webmail application like Horde's IMP and restart the server while an IMAP command is processing, PHP segfaults on request shutdown.

Here's a backtrace of the crash:

(gdb) bt
#0  0x632f6564 in ?? ()
#1  0x01a6b575 in mail_close_full (stream=0x87b8ad8, options=0) at mail.c:1361
#2  0x01a494e3 in mail_close_it (rsrc=0xb7977840) at /usr/src/redhat/BUILD/php-5.2.6/ext/imap/php_imap.c:229
#3  0x006dacc7 in list_entry_destructor (ptr=0xb7977840) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_list.c:184
#4  0x006d8a3a in zend_hash_del_key_or_index (ht=0x7cb480, arKey=0x0, nKeyLength=0, h=81, flag=1) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_hash.c:497
#5  0x006da915 in _zend_list_delete (id=81) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_list.c:58
#6  0x006cb9ed in _zval_dtor_func (zvalue=0xb79d7a74) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_variables.c:60
#7  0x006be95e in _zval_dtor (zvalue=0xb79d7a74) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_variables.h:35
#8  0x006bebac in _zval_ptr_dtor (zval_ptr=0xb79a9610) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_execute_API.c:414
#9  0x006d8b33 in zend_hash_destroy (ht=0xb7a1a71c) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_hash.c:526
#10 0x006eae64 in zend_object_std_dtor (object=0xb7b9bf08) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects.c:45
#11 0x006eb287 in zend_objects_free_object_storage (object=0xb7b9bf08) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects.c:122
#12 0x006eec3f in zend_objects_store_free_object_storage (objects=0x7cb528) at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects_API.c:89
#13 0x006be7c7 in shutdown_executor () at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_execute_API.c:299
#14 0x006cd48d in zend_deactivate () at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend.c:860
#15 0x0067d8d2 in php_request_shutdown (dummy=0x0) at /usr/src/redhat/BUILD/php-5.2.6/main/main.c:1486
#16 0x00742f2f in php_apache_request_dtor (r=0x8776f70) at /usr/src/redhat/BUILD/php-5.2.6/sapi/apache2handler/sapi_apache2.c:469
#17 0x007438ce in php_handler (r=0x8776f70) at /usr/src/redhat/BUILD/php-5.2.6/sapi/apache2handler/sapi_apache2.c:641
#18 0x08065f19 in ap_run_handler ()
#19 0x08068f61 in ap_invoke_handler ()
#20 0x080639d8 in ap_process_request ()
#21 0x0805e6b8 in _start ()

I took a look at the structures in #1 mail_close_full (stream=0x87b8ad8, options=0); the memory was totally bogus and already reused. To me this looks like a use-after-free issue.

While debugging I've found another crash in c-client's IMAP extension and I will submit a patch upstream.

I was unable to find the source of this crash, but I suspect the connection already gets closed and then PHP tries to close it twice or something like that.

Reproduce code:
---------------
Move mails via IMAP to another folder and restart your IMAP server.

Expected result:
----------------
Error message "Connection to server died".

Actual result:
--------------
Segfault.

--
Edit bug report at http://bugs.php.net/?id=45188&edit=1
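As an added illustration, not code from PHP or c-client, here is a small C model of the double close the report suspects: the library side tears the stream down when the connection dies, and the resource destructor run at request shutdown (mail_close_it in the backtrace) then closes it a second time on memory that is already gone. The hardened variant detaches the handle from the resource as soon as it is closed, so the destructor becomes a no-op; imap_stream, imap_resource, on_connection_died_safe and simulate are hypothetical names, and a counter stands in for the freed memory so the second close is observable rather than undefined behaviour.

```c
#include <stddef.h>

/* Constructed model of an IMAP stream referenced by a PHP resource entry.
 * 'closed' stands in for the freed state; 'close_calls' records how often
 * teardown touched it, which a real freed object could not do safely. */
typedef struct {
    int closed;       /* 1 once the stream has been shut down */
    int close_calls;  /* number of close attempts seen by this stream */
} imap_stream;

typedef struct {
    imap_stream *stream; /* what the resource list entry points at */
} imap_resource;

/* Stand-in for mail_close_full(): tears the stream down. */
static void stream_close(imap_stream *s) {
    s->close_calls++;
    s->closed = 1;
}

/* Connection died mid-command: the library side closes the stream.
 * Unsafe variant: the resource keeps a stale pointer to it. */
static void on_connection_died_unsafe(imap_resource *r) {
    stream_close(r->stream);
}

/* Hardened variant: detach the stream from the resource once closed,
 * so the request-shutdown destructor has nothing left to touch. */
static void on_connection_died_safe(imap_resource *r) {
    stream_close(r->stream);
    r->stream = NULL;
}

/* Stand-in for the resource list destructor at request shutdown.
 * Returns 1 if it closed a stream, 0 if the handle was already detached. */
static int resource_dtor(imap_resource *r) {
    if (r->stream == NULL)
        return 0;
    stream_close(r->stream);
    return 1;
}

/* Runs the scenario once and returns how many close calls the stream saw:
 * 2 for the unsafe path (the double close), 1 for the hardened path. */
int simulate(int hardened) {
    imap_stream s = {0, 0};
    imap_resource r = { &s };
    if (hardened)
        on_connection_died_safe(&r);
    else
        on_connection_died_unsafe(&r);
    resource_dtor(&r);
    return s.close_calls;
}
```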