Edit report at https://bugs.php.net/bug.php?id=42631&edit=1
ID: 42631
Updated by: php-bugs@lists.php.net
Reported by: gabe at mudbugmedia dot com
Summary: mssql_connect causes stack smashing attack protection
-Status: Feedback
+Status: No Feedback
Type: Bug
Package: MSSQL related
Operating System: Gentoo Linux 2.6.17-hardened-r1
PHP Version: 5.2.4

New Comment:

No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you.

Previous Comments:
------------------------------------------------------------------------

[2010-10-09 00:18:09] fel...@php.net

Please try using this snapshot:

http://snaps.php.net/php-trunk-latest.tar.gz

For Windows:

http://windows.php.net/snapshots/

------------------------------------------------------------------------

[2007-09-12 14:30:53] gabe at mudbugmedia dot com

Same behavior occurs on the supplied dev link downloaded on 2007-09-12

configure settings for compile:

'./configure' '--prefix=/usr/lib/php5' '--host=i686-pc-linux-gnu' '--mandir=/usr/lib/php5/man' '--infodir=/usr/lib/php5/info' '--sysconfdir=/etc' '--cache-file=./config.cache' '--disable-cli' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc/php/apache2-php5' '--with-config-file-scan-dir=/etc/php/apache2-php5/ext-active' '--without-pear' '--disable-bcmath' '--with-bz2' '--disable-calendar' '--with-curl' '--without-curlwrappers' '--disable-dbase' '--disable-exif' '--without-fbsql' '--without-fdftk' '--disable-filter' '--disable-ftp' '--with-gettext' '--without-gmp' '--disable-hash' '--without-iconv' '--disable-ipv6' '--disable-json' '--without-kerberos' '--enable-mbstring' '--with-mcrypt' '--without-mhash' '--without-msql' '--with-mssql' '--without-ncurses' '--with-openssl' '--with-openssl-dir=/usr' '--disable-pcntl' '--disable-pdo' '--without-pgsql' '--without-pspell' '--without-recode' '--disable-reflection' '--disable-simplexml' '--disable-shmop' '--without-snmp' '--disable-soap' '--disable-sockets' '--disable-spl' '--without-sybase' '--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy' '--disable-tokenizer' '--disable-wddx' '--disable-xmlreader' '--disable-xmlwriter' '--without-xmlrpc' '--without-xsl' '--disable-zip' '--with-zlib' '--disable-debug' '--without-cdb' '--without-db4' '--without-flatfile' '--without-gdbm' '--without-inifile' '--without-qdbm' '--without-freetype-dir' '--without-t1lib' '--disable-gd-jis-conv' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--without-xpm-dir' '--with-gd' '--with-mysql=/usr' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mysqli' '--with-readline' '--without-libedit' '--without-mm' '--without-sqlite' '--with-pic'

------------------------------------------------------------------------

[2007-09-12 11:40:06] j...@php.net

Please try using this CVS snapshot:

http://snaps.php.net/php5.2-latest.tar.gz

For Windows (zip):

http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

------------------------------------------------------------------------

[2007-09-11 20:31:51] gabe at mudbugmedia dot com

Description:
------------
When executing a PHP script over Apache 2.2 SAPI (not CGI), mssql_connect() causes Apache to exit with the following in the syslog:

apache2: stack smashing attack in function tds_write_packet - terminated

This occurs only after successfully connecting to a valid MSSQL server, but before authentication information is verified; supplying invalid username/password will still cause the error to trigger. However, entering in a non-listening IP to connect to will return false and continue execution.
Gentoo developers identified this bug as PHP instead of Apache, as Apache is not responsible for the calling of the tds_write_packet() function. Bug originally submitted here, but was reclassified as being UPSTREAM:

http://bugs.gentoo.org/show_bug.cgi?id=191988

An strace of the process (capture started after initial connect; `netstat -p` after connection was the only way I could determine which apache process to strace):

Process 11348 attached - interrupt to quit
poll([{fd=1027, events=POLLIN, revents=POLLIN}], 1, 300000) = 1
read(1027, "Host: kokiri.org\r\n", 8000) = 18
poll([{fd=1027, events=POLLIN, revents=POLLIN}], 1, 300000) = 1
read(1027, "\r\n", 8000) = 2
gettimeofday({1189537767, 899761}, NULL) = 0
gettimeofday({1189537767, 899905}, NULL) = 0
stat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
open("/www/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/www/kokiri.org/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/www/kokiri.org/htdocs/.htaccess", O_RDONLY|O_LARGEFILE) = 1028
fstat64(1028, {st_mode=S_IFREG|0664, st_size=79, ...}) = 0
read(1028, "RewriteEngine on\n\nRewriteRule ro"..., 4096) = 79
read(1028, "", 4096) = 0
close(1028) = 0
open("/www/kokiri.org/htdocs/findwork.php/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOTDIR (Not a directory)
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
getcwd("/", 4095) = 2
chdir("/www/kokiri.org/htdocs") = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={30, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, {0x503ec97b, [PROF], SA_RESTORER|SA_RESTART, 0x50aeab68}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
stat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
lstat64("/www", {st_mode=S_IFDIR|0775, st_size=16384, ...}) = 0
lstat64("/www/kokiri.org", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lstat64("/www/kokiri.org/htdocs/findwork.php", {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
open("/www/kokiri.org/htdocs/findwork.php", O_RDONLY) = 1028
fstat64(1028, {st_mode=S_IFREG|0664, st_size=175, ...}) = 0
read(1028, "START!\r\n<?php \r\nob_flush();\r\nflu"..., 8192) = 175
read(1028, "", 8192) = 0
read(1028, "", 8192) = 0
close(1028) = 0
writev(1027, [{"HTTP/1.1 200 OK\r\nDate: Tue, 11 S"..., 125}, {"8\r\n", 3}, {"START!\r\n", 8}, {"\r\n", 2}], 4) = 138
brk(0x9fa8000) = 0x9fa8000
uname({sys="Linux", node="garlic", ...}) = 0
getuid32() = 81
open("/etc/passwd", O_RDONLY) = 1028
fcntl64(1028, F_GETFD) = 0
fcntl64(1028, F_SETFD, FD_CLOEXEC) = 0
_llseek(1028, 0, [0], SEEK_CUR) = 0
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3040, ...}) = 0
mmap2(NULL, 3040, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc52000
_llseek(1028, 3040, [3040], SEEK_SET) = 0
munmap(0x4fc52000, 3040) = 0
close(1028) = 0
open("/var/www/.freetds.conf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/freetds.conf", O_RDONLY|O_LARGEFILE) = 1028
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3572, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4fc52000
read(1028, "#\n#\n# $Id: freetds.conf,v 1.11"..., 4096) = 3572
read(1028, "", 4096) = 0
_llseek(1028, 0, [0], SEEK_SET) = 0
read(1028, "#\n#\n# $Id: freetds.conf,v 1.11"..., 4096) = 3572
read(1028, "", 4096) = 0
close(1028) = 0
munmap(0x4fc52000, 4096) = 0
getuid32() = 81
open("/etc/passwd", O_RDONLY) = 1028
fcntl64(1028, F_GETFD) = 0
fcntl64(1028, F_SETFD, FD_CLOEXEC) = 0
_llseek(1028, 0, [0], SEEK_CUR) = 0
fstat64(1028, {st_mode=S_IFREG|0644, st_size=3040, ...}) = 0
mmap2(NULL, 3040, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc52000
_llseek(1028, 3040, [3040], SEEK_SET) = 0
munmap(0x4fc52000, 3040) = 0
close(1028) = 0
open("/var/www/.interfaces", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/freetds/interfaces", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 1028
fstat64(1028, {st_mode=S_IFREG|0644, st_size=25460, ...}) = 0
mmap2(NULL, 25460, PROT_READ, MAP_SHARED, 1028, 0) = 0x4fc4c000
close(1028) = 0
futex(0x50be4a4c, FUTEX_WAKE, 2147483647) = 0
open("/usr/lib/gconv/ISO8859-1.so", O_RDONLY) = 1028
read(1028, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\4\0"..., 512) = 512
fstat64(1028, {st_mode=S_IFREG|0755, st_size=9704, ...}) = 0
mmap2(NULL, 12300, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 1028, 0) = 0x4fc48000
mmap2(0x4fc4a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 1028, 0x1) = 0x4fc4a000
close(1028) = 0
mprotect(0x4fc4a000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 1028
setsockopt(1028, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(1028, SOL_TCP, TCP_NODELAY, [1], 4) = 0
time(NULL) = 1189537767
ioctl(1028, FIONBIO, [1]) = 0
connect(1028, {sa_family=AF_INET, sin_port=htons(1433), sin_addr=inet_addr("70.252.177.xxx")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(1029, NULL, [1024 1025 1026 1028], [1024 1025 1026 1028], {5, 0}) = 2 (left {5, 0})
time(NULL) = 1189537767
getsockopt(1028, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
time(NULL) = 1189537767
select(1029, NULL, [1028], NULL, {5, 0}) = 1 (out [1028], left {4, 820000})
time(NULL) = 1189537768
send(1028, "\2\0\2\0\0\0\0\0garlic\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 512, MSG_NOSIGNAL|MSG_MORE) = 512
socket(PF_FILE, SOCK_DGRAM, 0) = 1029
connect(1029, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(1029) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 1029
connect(1029, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
write(2, "*** stack smashing detected ***:"..., 54) = 54
write(1029, "*** stack smashing detected ***:"..., 54) = 54
write(2, "apache2: stack smashing attack i"..., 73) = 73
write(1029, "apache2: stack smashing attack i"..., 73) = 73
write(2, "Report to http://bugs.gentoo.org"..., 35) = 35
write(1029, "Report to http://bugs.gentoo.org"..., 35) = 35
close(1029) = 0
getpid() = 11348
kill(11348, SIGKILL) = 0
+++ killed by SIGKILL +++
Process 11348 detached

Reproduce code:
---------------
START!
<?php
ob_flush();
flush();
var_dump(mssql_connect('70.252.177.xxx', 'username', 'password'));
?>
DONE!
Expected result:
----------------
START!
resource(4) of type (mssql link)
DONE!

Actual result:
--------------
START!
(then Apache exits and the error is logged to syslog)

------------------------------------------------------------------------
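The trace above shows a 512-byte TDS packet leaving via send() (header bytes \2\0\2\0\0\0\0\0, then the hostname "garlic") immediately before the stack protector fires in tds_write_packet and the worker is killed. The following is an added illustration, not FreeTDS or PHP code and not part of the report: a fixed-size packet assembler whose length checks reject oversized or truncated data up front, so an overrun cannot happen and the canary is never the only thing standing between a bad length and a crash. The function names pkt_build and pkt_declared_length, the 8-byte header layout (type, status, big-endian length, four further header bytes) and the sample payload are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed illustration (not FreeTDS or PHP code): a TDS-style packet with
 * an 8-byte header (type, status, big-endian length, four more header bytes)
 * assembled in a fixed 512-byte buffer, the size of the send() in the trace. */
#define PKT_SIZE 512
#define HDR_SIZE 8
#define PAYLOAD_MAX (PKT_SIZE - HDR_SIZE)

/* Assembles one fixed-size packet. Returns the packet length, or -1 when the
 * payload would not fit: the check runs before any byte is copied, so the
 * buffer can never be overrun and the stack canary is not the last defence. */
int pkt_build(uint8_t type, const uint8_t *payload, size_t len,
              uint8_t out[PKT_SIZE])
{
    if (payload == NULL || len > PAYLOAD_MAX)
        return -1;
    memset(out, 0, PKT_SIZE);          /* zero padding, as seen in the trace */
    out[0] = type;                     /* 0x02 is the TDS 4.2 login type */
    out[1] = 0;                        /* status */
    out[2] = (PKT_SIZE >> 8) & 0xff;   /* length, big-endian: 0x02 0x00 */
    out[3] = PKT_SIZE & 0xff;
    memcpy(out + HDR_SIZE, payload, len);
    return PKT_SIZE;
}

/* Reads the declared length from a header and rejects it unless it is at least
 * a full header and no larger than the bytes actually held, so a malformed or
 * truncated packet is refused rather than read past the buffer. */
int pkt_declared_length(const uint8_t *buf, size_t have)
{
    if (buf == NULL || have < HDR_SIZE)
        return -1;
    int declared = (buf[2] << 8) | buf[3];
    if (declared < HDR_SIZE || (size_t)declared > have)
        return -1;
    return declared;
}

int main(void)
{
    uint8_t pkt[PKT_SIZE];
    const char *host = "garlic";       /* hostname shown in the trace */
    int n = pkt_build(0x02, (const uint8_t *)host, strlen(host), pkt);
    printf("built %d bytes, header %02x %02x %02x %02x, host field \"%s\"\n",
           n, pkt[0], pkt[1], pkt[2], pkt[3], (const char *)(pkt + HDR_SIZE));
    return 0;
}
```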