Edit report at https://bugs.php.net/bug.php?id=61099&edit=1
ID:                 61099
Updated by:         f...@php.net
Reported by:        socrtp at soclab dot pl
Summary:            FPM - memory corruption in request parsing code
-Status:            Assigned
+Status:            Feedback
Type:               Bug
Package:            FPM related
Operating System:   Linux
PHP Version:        5.3.10
Assigned To:        fat
Block user comment: N
Private report:     N

New Comment:

Not enough information was provided for us to be able to handle this bug.
Please re-read the instructions at http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it to this bug and
change the status back to "Open".

Thank you for your interest in PHP.

Can you please post your nginx configuration (don't forget to include
fastcgi.conf if it's included in your configuration).

thx
++ Jerome


Previous Comments:
------------------------------------------------------------------------
[2012-02-15 20:58:14] socrtp at soclab dot pl

Description:
------------
I've found a bug in the FPM code. Sometimes the worker process segfaults. I
spent some time debugging it and now I'm able to reproduce this bug.

The following data was collected on Debian Linux with PHP packages from
dotdeb (www.dotdeb.org). I can test this on another distro with PHP compiled
from sources if needed. The PHP version used here is PHP 5.3.6, but the bug
is also present in 5.3.10.

The configuration is simple: nginx redirects ^(.*)$ to /index.php/$1.

The request looks like this:

http://ttt/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php

"ttt" is the vhost used for testing. The important things here are: the
exact size of the query string, and the ".php" suffix. The next important
thing is the freshness of the php-fpm process. The process will always
segfault when this request is the first request processed. Otherwise the
process may survive the request - I don't know whether it corrupts any data
at the affected pointer.

Also I know that my nginx configuration is buggy - nginx should call just
index.php - but the PHP process shouldn't segfault in any case.

The php.ini that can be used to trigger the bug is the original
php.ini-production with only one modification:

cgi.fix_pathinfo = 1

The modules loaded seem to have no influence on the bug.

ltrace from accepting the connection to the crash:
http://pastebin.com/UDuET7Sv

strace (contains a full dump of the data received from the socket):
http://pastebin.com/b1Ad9AAh

Backtrace (5.3.6):

#0  _zend_hash_add_or_update (ht=0x1fe79e8, arKey=0xb45047 "SCRIPT_NAME", nKeyLength=12, pData=0x7fff8598f1f0, nDataSize=8, pDest=0x7fff8598ee78, flag=7648604) at /usr/src/php5/source/php5-5.3.6/Zend/zend_hash.c:418
#1  0x000000000074b55c in fcgi_putenv (req=0x7fff8598f1f0, var=0xca59ccba5f40 <Address 0xca59ccba5f40 out of bounds>, var_len=11, val=0x1fe9538 "") at /usr/src/php5/source/php5-5.3.6/sapi/fpm/fpm/fastcgi.c:1096
#2  0x0000000000753bc7 in main (argc=33455768, argv=0x1fe8d60) at /usr/src/php5/source/php5-5.3.6/sapi/fpm/fpm/fpm_main.c:1255

Backtrace (5.3.10):

(gdb) bt
#0  _zend_hash_add_or_update (ht=0x279fb08, arKey=0xb4c7cb "SCRIPT_NAME", nKeyLength=12, pData=0x7fff1bd33ac0, nDataSize=8, pDest=0x7fff1bd33758, flag=7664444) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:418
#1  0x000000000074f33c in fcgi_putenv (req=0x7fff1bd33ac0, var=0xca59ccba5f40 <Address 0xca59ccba5f40 out of bounds>, var_len=11, val=0x27a1560 "") at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fastcgi.c:1067
#2  0x0000000000759114 in main (argc=41549640, argv=0x27a0c90) at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1189

Headers received by the PHP process from nginx (extracted from the strace
dump; empty values are shown as NAME= ):

QUERY_STRING=
REQUEST_METHOD=GET
CONTENT_TYPE=
CONTENT_LENGTH=
SCRIPT_NAME=/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
REQUEST_URI=/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
DOCUMENT_URI=/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
DOCUMENT_ROOT=/tmp/ttt
SERVER_PROTOCOL=HTTP/1.1
HTTPS=off
GATEWAY_INTERFACE=CGI/1.1
SERVER_SOFTWARE=nginx/1.0.12
REMOTE_ADDR=127.0.0.1
REMOTE_PORT=38004
SERVER_ADDR=127.0.0.1
SERVER_PORT=80
SERVER_NAME=ttt
REDIRECT_STATUS=200
SCRIPT_FILENAME=/tmp/ttt/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
PATH_INFO=
PATH_TRANSLATED=/tmp/ttt/index.php/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
SERVER_NAME=ttt
HTTP_USER_AGENT=curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
HTTP_HOST=ttt
HTTP_PROXY_CONNECTION=Keep-Alive

------------------------------------------------------------------------
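The reporter's reproduction depends on nginx and on the exact bytes it hands to php-fpm over FastCGI. The following is an added example, not code from the bug report or from PHP: a minimal FastCGI client that encodes the parameter list quoted in the strace dump above (the values are copied from the report; the run of 'a' characters is copied as it appears on this page and, since the reporter says its exact length matters, should be checked against the original pastebin dump) into FCGI_BEGIN_REQUEST, FCGI_PARAMS and FCGI_STDIN records, so the same request can be replayed against a php-fpm listener without nginx in the path. The listen address (127.0.0.1:9000) and the helper names are assumptions for the example.

```python
"""Replay the FastCGI request from PHP bug #61099 without nginx (added example)."""
import socket
import struct

FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST = 1
FCGI_PARAMS = 4
FCGI_STDIN = 5
FCGI_RESPONDER = 1

# Parameters as listed in the report's strace dump (constructed from the page).
# A_RUN is copied from the dump; the reporter states the exact length matters,
# so verify it against the original pastebin before relying on it.
A_RUN = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
PARAMS = [
    ("QUERY_STRING", ""),
    ("REQUEST_METHOD", "GET"),
    ("CONTENT_TYPE", ""),
    ("CONTENT_LENGTH", ""),
    ("SCRIPT_NAME", "/index.php/" + A_RUN + ".php"),
    ("REQUEST_URI", "/" + A_RUN + ".php"),
    ("DOCUMENT_URI", "/index.php/" + A_RUN + ".php"),
    ("DOCUMENT_ROOT", "/tmp/ttt"),
    ("SERVER_PROTOCOL", "HTTP/1.1"),
    ("HTTPS", "off"),
    ("GATEWAY_INTERFACE", "CGI/1.1"),
    ("SERVER_SOFTWARE", "nginx/1.0.12"),
    ("REMOTE_ADDR", "127.0.0.1"),
    ("REMOTE_PORT", "38004"),
    ("SERVER_ADDR", "127.0.0.1"),
    ("SERVER_PORT", "80"),
    ("SERVER_NAME", "ttt"),
    ("REDIRECT_STATUS", "200"),
    ("SCRIPT_FILENAME", "/tmp/ttt/index.php/" + A_RUN + ".php"),
    ("PATH_INFO", ""),
    ("PATH_TRANSLATED", "/tmp/ttt/index.php/" + A_RUN + ".php"),
    ("SERVER_NAME", "ttt"),  # sent twice by the reporter's nginx; kept as dumped
    ("HTTP_USER_AGENT", "curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6"),
    ("HTTP_HOST", "ttt"),
    ("HTTP_PROXY_CONNECTION", "Keep-Alive"),
]


def encode_length(n: int) -> bytes:
    """FastCGI name/value length: one byte below 128, else four bytes with the top bit set."""
    if n < 0x80:
        return bytes([n])
    if n > 0x7FFFFFFF:
        raise ValueError("length does not fit the 31-bit FastCGI encoding")
    return struct.pack("!I", n | 0x80000000)


def encode_nv(name: bytes, value: bytes) -> bytes:
    """One name/value pair: nameLen, valueLen, name, value."""
    return encode_length(len(name)) + encode_length(len(value)) + name + value


def fcgi_record(rtype: int, request_id: int, content: bytes) -> bytes:
    """8-byte record header plus content, padded to an 8-byte boundary like nginx does."""
    if len(content) > 0xFFFF:
        raise ValueError("record content exceeds 16-bit contentLength")
    padding = (-len(content)) % 8
    header = struct.pack("!BBHHBx", FCGI_VERSION_1, rtype, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def encode_params(params, request_id: int = 1) -> bytes:
    """FCGI_PARAMS stream: the pairs, split across records if needed, then an empty record."""
    body = b"".join(encode_nv(k.encode(), v.encode()) for k, v in params)
    out = b"".join(fcgi_record(FCGI_PARAMS, request_id, body[i:i + 0xFFFF])
                   for i in range(0, len(body), 0xFFFF))
    return out + fcgi_record(FCGI_PARAMS, request_id, b"")


def build_request(params, request_id: int = 1) -> bytes:
    """BEGIN_REQUEST (responder role, flags=0 so php-fpm closes the connection), PARAMS, empty STDIN."""
    begin = struct.pack("!HB5x", FCGI_RESPONDER, 0)
    return (fcgi_record(FCGI_BEGIN_REQUEST, request_id, begin)
            + encode_params(params, request_id)
            + fcgi_record(FCGI_STDIN, request_id, b""))


def _read_length(buf: bytes, pos: int):
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    return struct.unpack("!I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4


def decode_nv_stream(buf: bytes):
    """Inverse of encode_nv over a concatenated pair stream; used to self-check the encoder."""
    pos, pairs = 0, []
    while pos < len(buf):
        nlen, pos = _read_length(buf, pos)
        vlen, pos = _read_length(buf, pos)
        pairs.append((buf[pos:pos + nlen].decode(), buf[pos + nlen:pos + nlen + vlen].decode()))
        pos += nlen + vlen
    return pairs


def parse_records(data: bytes):
    """Split a byte string into (type, requestId, content) tuples, skipping padding."""
    recs, pos = [], 0
    while pos < len(data):
        _ver, rtype, rid, clen, plen = struct.unpack("!BBHHBx", data[pos:pos + 8])
        pos += 8
        recs.append((rtype, rid, data[pos:pos + clen]))
        pos += clen + plen
    return recs


def send_to_fpm(payload: bytes, address=("127.0.0.1", 9000)) -> bytes:
    """Deliver the request to a php-fpm TCP listener (assumed address) and return whatever comes back."""
    with socket.create_connection(address, timeout=5) as s:
        s.sendall(payload)
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)


if __name__ == "__main__":
    # Send it as the first request to a freshly started worker, as the report describes.
    print(send_to_fpm(build_request(PARAMS)))
```

Replay it against a freshly spawned php-fpm worker (pm.max_children=1 makes "first request processed" easy to arrange) with cgi.fix_pathinfo=1 and the SCRIPT_FILENAME path present, and watch the master log for the worker exiting on SIGSEGV; because the parameter stream here is byte-identical to what nginx sent, a surviving worker means the trigger depends on something outside these headers.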