#20190 [Com]: Random mem corruption: zend_get_executed_filename() mismatch

Thu, 31 Oct 2002 09:28:54 -0800 

 ID:               20190
 Comment by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Feedback
 Bug Type:         Apache related
 Operating System: FreeBSD
 PHP Version:      4.2.3
 New Comment:

Previous dump was not the right one, sorry. I had
dumps for children disabled. This is now the right one ...

(gdb) bt
#0  0x280de8e1 in strlen () from /usr/lib/libc.so.4
#1  0x17 in ?? ()
#2  0x2836decb in php_check_open_basedir (path=0x8c79c98
"/www/doc/www.skkonline.ch-80/top/scripts2/schools.php")
    at fopen_wrappers.c:211
#3  0x2836e19f in php_fopen_and_set_opened_path (
    path=0x8c79c98
"/www/doc/www.skkonline.ch-80/top/scripts2/schools.php",
mode=0x284e1ac3 "rb",
    opened_path=0xbfbff8d8) at fopen_wrappers.c:309
#4  0x2836e89d in php_fopen_with_path (filename=0x8c79c98
"/www/doc/www.skkonline.ch-80/top/scripts2/schools.php",
    mode=0x284e1ac3 "rb", path=0x81ebb50 ".", opened_path=0xbfbff8d8)
at fopen_wrappers.c:494
#5  0x2836edc0 in php_fopen_url_wrapper (path=0x8c79c98
"/www/doc/www.skkonline.ch-80/top/scripts2/schools.php",
    mode=0x284e1ac3 "rb", options=1, issock=0xbfbfe6f0,
socketd=0xbfbfe6ec, opened_path=0xbfbff8d8)
    at fopen_wrappers.c:612
#6  0x2836e26d in php_fopen_wrapper (path=0x8c79c98
"/www/doc/www.skkonline.ch-80/top/scripts2/schools.php",
    mode=0x284e1ac3 "rb", options=1, issock=0xbfbfe6f0,
socketd=0xbfbfe6ec, opened_path=0xbfbff8d8)
    at fopen_wrappers.c:335
#7  0x2836b38c in php_fopen_wrapper_for_zend (
    filename=0x8c79c98
"/www/doc/www.skkonline.ch-80/top/scripts2/schools.php",
opened_path=0xbfbff8d8) at main.c:583
#8  0x28336463 in open_file_for_scanning (file_handle=0xbfbff8d0) at
zend_language_scanner.c:2952
#9  0x28336611 in compile_file (file_handle=0xbfbff8d0, type=2) at
zend_language_scanner.c:3009
#10 0x2835bb4f in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at zend.c:823
#11 0x2836d0b9 in php_execute_script (primary_file=0xbfbff8d0) at
main.c:1399
#12 0x28367d82 in apache_php_module_main (r=0x8c78038,
display_source_mode=0) at sapi_apache.c:98
#13 0x28368c2c in send_php (r=0x8c78038, display_source_mode=0,
    filename=0x8c79c98
"/www/doc/www.skkonline.ch-80/top/scripts2/schools.php") at
mod_php4.c:684
#14 0x28368c9f in send_parsed_php (r=0x8c78038) at mod_php4.c:703

(gdb) list
206                     char *newpath;
207                     char *ptr;
208                     char *end;
209
210                     pathbuf = estrdup(PG(open_basedir));
211                     newpath =
estrdup(zend_get_executed_filename(TSRMLS_C));
212
213                     ptr = pathbuf;
214                     while (ptr && *ptr) {
215                             end = strchr(ptr,
DEFAULT_DIR_SEPARATOR);


Previous Comments:
------------------------------------------------------------------------

[2002-10-31 10:40:02] [EMAIL PROTECTED]

If I allow the open_basedir restriction to pass,
I get now random segfaults :

Program terminated with signal 11, Segmentation fault.

#0  0x2835d21e in _object_and_properties_init (arg=0xbfbffccc,
class_type=0x0, properties=0xbfbffce2) at zend_API.c:584
584                    
ALLOC_HASHTABLE_REL(arg->value.obj.properties);
(gdb) bt
#0  0x2835d21e in _object_and_properties_init (arg=0xbfbffccc,
class_type=0x0, properties=0xbfbffce2) at zend_API.c:584
(gdb) list
579             }
580
581             if (properties) {
582                     arg->value.obj.properties = properties;
583             } else {
584                    
ALLOC_HASHTABLE_REL(arg->value.obj.properties);
585                     zend_hash_init(arg->value.obj.properties, 0,
NULL, ZVAL_PTR_DTOR, 0);
586                     zend_hash_copy(arg->value.obj.properties,
&class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void
*) &tmp, sizeof(zval *));
587             }
588             arg->type = IS_OBJECT;
(gdb) p arg->value.obj.properties
$1 = (HashTable *) 0x636f6c2f
(gdb) p *arg->value.obj.properties
Cannot access memory at address 0x636f6c2f.
(gdb) p properties
$2 = (HashTable *) 0xbfbffce2
(gdb) p *properties
$3 = {nTableSize = 1212367181, nTableMask = 1162893652, nNumOfElements
= 942893373, nNextFreeElement = 1714236726,
  pInternalPointer = 0x62656572, pListHead = 0x2e346473, pListTail =
0x53550033, arBuckets = 0x743d5245, pDestructor = 0x726f6f,
  persistent = 77 'M', nApplyCount = 65 'A', bApplyProtection = 73
'I'}

(gdb) p *arg
$4 = {value = {lval = 1920169263, dval = 9.4870166287391071e+170, str =
{val = 0x7273752f <Address 0x7273752f out of bounds>,
      len = 1668246575}, ht = 0x7273752f, obj = {ce = 0x7273752f,
properties = 0x636f6c2f}}, type = 97 'a', is_ref = 108 'l',
  refcount = 29487}

------------------------------------------------------------------------

[2002-10-31 10:03:59] [EMAIL PROTECTED]

I already use this snapshot. And it still happens.

I'll post soon more info. I'm compiling now a debug version.

Martin

------------------------------------------------------------------------

[2002-10-31 09:23:36] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip



------------------------------------------------------------------------

[2002-10-31 09:01:33] [EMAIL PROTECTED]

Note that this bug is similar to a other bug,

http://bugs.php.net/bug.php?id=19292

It's not the same bug. There were some checks wrong
in fopen_wrappers.c. This is fixed in cvs.

This bug does show similar results as 19292,
but the source of the problem is completly different.

This a webserver with ~400 virtual servers, ~100
have php enabled.

I see the bug happen if I access frequently
pages of customer 1 (php enabled) and at the same time
customer 2.

------------------------------------------------------------------------

[2002-10-31 08:55:47] [EMAIL PROTECTED]

I've done this change in main/fopen_wrappers.c to see what
happens:

- php_error(E_WARNING, "open_basedir restriction
-           in effect. File is in wrong directory");

+ php_error(E_WARNING, "open_basedir: File should
+           be in %s, but is in %s file (%s)",
+           pathbuf, path,   
+           zend_get_executed_filename(TSRMLS_C));

let's say pathbuf=$a, path=$b, 
zend_get_executed_filename=$c

As you see $a (which is PG(open_basedir)), should be
identical to the path without added filename of both
$b and $c.

The error is random. Sometimes $a and $c are correct,
and $b is plain wrong (from a previous request). Sometimes
$a and $c are correct, and $b is wrong.

[24-Oct-2002 10:49:19] PHP Warning:  open_basedir: File should be in
/www/doc/www.aaa.ch-80, but is in /www/doc/
www.bbb.ch-80/html/visions/php/include/globals.inc in
/www/doc/www.aaa.ch-80/index.php on line 2

[24-Oct-2002 10:49:19] PHP Warning:  open_basedir: File should be in
/www/doc/www.aaa.ch-80, but is in /www/doc/
www.bbb.ch-80/html/visions/php//wrapper.php in
/www/doc/www.aaa.ch-80/index.php on line 6
  
[24-Oct-2002 10:53:45] PHP Warning:  open_basedir: File should be in
/www/doc/www.aaa.ch-80, but is in /www/doc/
www.bbb.ch-80/html/visions/php//include/globals.inc in
/www/doc/www.aaa.ch-80/index.php on line 2
 
[24-Oct-2002 10:53:45] PHP Warning:  open_basedir: File should be in
/www/doc/www.aaa.ch-80, but is in /www/doc/
www.bbb.ch-80/html/visions/php//wrapper.php in
/www/doc/www.aaa.ch-80/index.php on line 6

This bug is critical and not fixed in cvs. I just tried
the newest snapshot and it's not fixed.

Martin

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=20190&edit=1

Reply via email to