ID: 45188
Updated by: [email protected]
Reported By: thomas dot jarosch at intra2net dot com
-Status: Open
+Status: Feedback
Bug Type: IMAP related
Operating System: linux
PHP Version: 5.2.6
Assigned To: fb-req-jani
New Comment:
Now, since you could fix the compile failure, does your original issue
in this report exist or not using that snapshot? (we'll deal with that
compile failure, don't worry :)
Previous Comments:
------------------------------------------------------------------------
[2009-05-18 09:33:09] thomas dot jarosch at intra2net dot com
Is it just me or does some information go missing
while posting in the bug tracker??
Anyway, the error message is:
"/tmp/php-5.2.10/Zend/zend_alloc.h:34: error: expected
specifier-qualifier-list before 'uint'
------------------------------------------------------------------------
[2009-05-18 09:23:24] thomas dot jarosch at intra2net dot com
Hi,
I can compile the snapshot on my Fedora 9 workstation using gcc
4.3.0. The build of the snapshot fails on my devel box using gcc
4.3.2 + ancient glibc version. Here's the error message I get:
In file included from /tmp/php-5.2.10/Zend/zend.h:236,
from /tmp/php-5.2.10/main/php.h:34,
from /tmp/php-5.2.10/ext/date/php_date.c:23:
/tmp/php-5.2.10/Zend/zend_alloc.h:34: error: expected specifier-
I tracked it down to this code snippet:
----------------------------------------
[r...@intradev /tmp]# cat main.c
#define _ISOC9X_SOURCE
#include <sys/types.h>
typedef struct _zend_leak_info {
    // void *addr;
    // size_t size;
    // char *filename;
    uint lineno;
    // char *orig_filename;
    // uint orig_lineno;
} zend_leak_info;
int main(void)
{
    return 0;
}
[r...@intradev /tmp]# gcc main.c
main.c:9: error: expected specifier-qualifier-list before 'uint'
[r...@intradev /tmp]# gcc --version
gcc (GCC) 4.3.2 20081007 (Red Hat 4.3.2-6)
----------------------------------------
If I remove the "#define _ISOC9X_SOURCE", it compiles fine,
same thing for ext/date/php_date.c.
The corresponding commit is here:
http://cvs.php.net:80/viewvc.cgi/php-
and
http://cvs.php.net:80/viewvc.cgi/php-
Is the "_ISOC9X_SOURCE" define really needed?
------------------------------------------------------------------------
[2009-04-30 09:40:13] [email protected]
Compiles fine for me. Try again with latest snapshot. (make sure to
unpack and build in clean dirs..)
------------------------------------------------------------------------
[2009-04-29 14:27:02] thomas dot jarosch at intra2net dot com
Is the latest snapshot compilable?
I get this:
/usr/src/redhat/BUILD/php5.2-200904291230/main/streams/cast.c:129:
error: expected '=', ',', ';', 'asm' or '__attribute__' before
'stream_cookie_functions'
/usr/src/redhat/BUILD/php5.2-200904291230/main/streams/cast.c: In
function '_php_stream_cast':
/usr/src/redhat/BUILD/php5.2-200904291230/main/streams/cast.c:181:
error: 'stream_cookie_functions' undeclared (first use in this
function)
/usr/src/redhat/BUILD/php5.2-200904291230/main/streams/cast.c:181:
error: (Each undeclared identifier is reported only once
/usr/src/redhat/BUILD/php5.2-200904291230/main/streams/cast.c:181:
error: for each function it appears in.)
/usr/src/redhat/BUILD/php5.2-200904291230/main/streams/cast.c:181:
warning: assignment makes pointer from integer without a cast
/usr/src/redhat/BUILD/php5.2-200904291230/main/streams/cast.c:221:
warning: passing argument 3 of '_php_stream_cast' makes pointer from
integer without a cast
------------------------------------------------------------------------
[2008-06-05 15:41:29] thomas dot jarosch at intra2net dot com
Description:
------------
Hello together,
if you use a webmail application like Horde's IMP and restart the
server while an IMAP command is processing, PHP segfaults on request
shutdown.
Here's a backtrace of the crash:
(gdb) bt
#0 0x632f6564 in ?? ()
#1 0x01a6b575 in mail_close_full (stream=0x87b8ad8, options=0) at
mail.c:1361
#2 0x01a494e3 in mail_close_it (rsrc=0xb7977840)
at /usr/src/redhat/BUILD/php-5.2.6/ext/imap/php_imap.c:229
#3 0x006dacc7 in list_entry_destructor (ptr=0xb7977840)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_list.c:184
#4 0x006d8a3a in zend_hash_del_key_or_index (ht=0x7cb480, arKey=0x0,
nKeyLength=0, h=81, flag=1)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_hash.c:497
#5 0x006da915 in _zend_list_delete (id=81)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_list.c:58
#6 0x006cb9ed in _zval_dtor_func (zvalue=0xb79d7a74)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_variables.c:60
#7 0x006be95e in _zval_dtor (zvalue=0xb79d7a74)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_variables.h:35
#8 0x006bebac in _zval_ptr_dtor (zval_ptr=0xb79a9610)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_execute_API.c:414
#9 0x006d8b33 in zend_hash_destroy (ht=0xb7a1a71c)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_hash.c:526
#10 0x006eae64 in zend_object_std_dtor (object=0xb7b9bf08)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects.c:45
#11 0x006eb287 in zend_objects_free_object_storage
(object=0xb7b9bf08)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects.c:122
#12 0x006eec3f in zend_objects_store_free_object_storage
(objects=0x7cb528)
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_objects_API.c:89
#13 0x006be7c7 in shutdown_executor ()
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend_execute_API.c:299
#14 0x006cd48d in zend_deactivate ()
at /usr/src/redhat/BUILD/php-5.2.6/Zend/zend.c:860
#15 0x0067d8d2 in php_request_shutdown (dummy=0x0)
at /usr/src/redhat/BUILD/php-5.2.6/main/main.c:1486
#16 0x00742f2f in php_apache_request_dtor (r=0x8776f70)
at
/usr/src/redhat/BUILD/php-5.2.6/sapi/apache2handler/sapi_apache2.c:469
#17 0x007438ce in php_handler (r=0x8776f70)
at
/usr/src/redhat/BUILD/php-5.2.6/sapi/apache2handler/sapi_apache2.c:641
#18 0x08065f19 in ap_run_handler ()
#19 0x08068f61 in ap_invoke_handler ()
#20 0x080639d8 in ap_process_request ()
#21 0x0805e6b8 in _start ()
I took a look at the structures in #1 mail_close_full
(stream=0x87b8ad8, options=0), the memory was totally bogus and
already reused. To me this looks like a use-after-free issue.
While debugging I've found another crash in c-client's IMAP extension
and I will submit a patch upstream.
I was unable to find the source of this crash, but I suspect the
connection already gets closed and then PHP tries to close it twice
or something like that.
Reproduce code:
---------------
Move mails via IMAP to another folder and restart your IMAP server.
Expected result:
----------------
Error message "Connection to server died".
Actual result:
--------------
Segfault.
------------------------------------------------------------------------
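The pattern the original report suspects (the stream is released once when the server connection dies, then the resource destructor closes it again at request shutdown) can be guarded against with a single release path that clears the owner's pointer. This is an added example, not code from PHP, c-client or the reporter; `conn`, `conn_ref` and every function name are hypothetical, and whether this matches the actual cause of the crash is not established by the report.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins: not c-client's MAILSTREAM, not PHP's resource API. */
struct conn_ref;
typedef struct conn { int fd; struct conn_ref *owner; } conn;

/* What the request's resource list holds for one connection. */
typedef struct conn_ref {
    conn *stream;   /* NULL once the stream has been released */
    int releases;   /* number of real free() calls, checked by the caller */
} conn_ref;

static conn *conn_open(conn_ref *ref) {
    conn *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->fd = 3;              /* constructed value */
    c->owner = ref;
    ref->stream = c;
    return c;
}

/* Single release path: frees once and clears the owner's pointer, so no
   later caller can reach the freed memory through the resource. */
static void conn_release(conn *c) {
    if (!c) return;
    if (c->owner) { c->owner->stream = NULL; c->owner->releases++; }
    free(c);
}

/* Library notices the server went away mid-command and drops the stream. */
static void conn_on_server_died(conn *c) { conn_release(c); }

/* Request-shutdown destructor: a no-op if the stream is already gone. */
static void conn_ref_dtor(conn_ref *ref) { conn_release(ref->stream); }

/* Returns the number of frees after "server restart, then request shutdown". */
int restart_then_shutdown(void) {
    conn_ref ref = { NULL, 0 };
    conn *c = conn_open(&ref);
    if (!c) return -1;
    conn_on_server_died(c);   /* first close: connection died */
    conn_ref_dtor(&ref);      /* second close attempt: must not touch c */
    return ref.releases;
}

int main(void) {
    printf("frees: %d\n", restart_then_shutdown());
    return 0;
}
```

Without the pointer being cleared in `conn_release`, the destructor would pass a dangling pointer to the close routine, which is the state the backtrace frame #1 describes.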