Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Thanks Derick, it confirms version 0.63:

Package: freetds-dev
Priority: optional
Section: devel
Installed-Size: 2096
Maintainer: Ubuntu Core developers <[EMAIL PROTECTED]>
Original-Maintainer: Steve Langasek <[EMAIL PROTECTED]>
Architecture: i386
Source: freetds
Version: 0.63-3.2ubuntu1
Depends: libct3 (= 0.63-3.2ubuntu1), libsybdb5 (= 0.63-3.2ubuntu1)
Conflicts: crystalspace-dev
Filename: pool/main/f/freetds/freetds-dev_0.63-3.2ubuntu1_i386.deb
Size: 730998
MD5sum: 799d96924ccce4456911eaa422bb6d96
SHA1: 4f766c9c7cc06c171a55aa5f5b66d4f4d45d0a1c
SHA256: 828d7a2da713fb4832a60ac925074f868ed7f8561032afd30965811a5d3d9b46
Description: MS SQL and Sybase client library (static libs and headers)
 FreeTDS is an implementation of the Tabular DataStream protocol, used for
 connecting to MS SQL and Sybase servers over TCP/IP.
 .
 This package includes the static libraries and header files for TDS, which
 you will need to develop applications that connect to MS SQL servers.
 You will also need this package if you are installing the Perl DBD::Sybase
 module on your system using CPAN.
Bugs: mailto:[EMAIL PROTECTED]
Origin: Ubuntu

/Krister Karlström

Derick Rethans wrote:
> On Wed, 15 Oct 2008, Krister Karlström wrote:
>> Antony Dovgal wrote:
>>> On 15.10.2008 12:55, Krister Karlström wrote:
>>>> Hi,
>>>>
>>>> On the Ubuntu server (where the problems occurred) I'm not good enough to
>>>> figure out which version of FreeTDS that is bundled with PHP, but these
>>>> packages are installed with PHP:
>>>
>>> I don't think it's bundled, it should be a separate package in your system.
>>> `apt-cache search freetds` should find it, I guess.
>>
>> This command gives:
>>
>> freetds-dev - MS SQL and Sybase client library (static libs and headers)
>
> Try "apt-cache show freetds-dev" - it should give you the version.
>
> regards,
> Derick

--
* Ing. Krister Karlström, Zend Certified Engineer *
* Systemutvecklare, IT-Centralen *
* Arcada - Nylands Svenska Yrkeshögskola *
* Jan-Magnus Janssons plats 1, 00550 Helsingfors, Finland *
* Tel: +358(20)7699699 GSM: +358(50)5328390 *
* E-mail: [EMAIL PROTECTED] *

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
On Wed, 15 Oct 2008, Krister Karlström wrote:
> Antony Dovgal wrote:
>> On 15.10.2008 12:55, Krister Karlström wrote:
>>> Hi,
>>>
>>> On the Ubuntu server (where the problems occurred) I'm not good enough to
>>> figure out which version of FreeTDS that is bundled with PHP, but these
>>> packages are installed with PHP:
>>
>> I don't think it's bundled, it should be a separate package in your system.
>> `apt-cache search freetds` should find it, I guess.
>
> This command gives:
>
> freetds-dev - MS SQL and Sybase client library (static libs and headers)

Try "apt-cache show freetds-dev" - it should give you the version.

regards,
Derick

--
HEAD before 5_3!: http://tinyurl.com/6d2esb
http://derickrethans.nl | http://ezcomponents.org | http://xdebug.org
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Antony Dovgal wrote:
> On 15.10.2008 12:55, Krister Karlström wrote:
>> Hi,
>>
>> On the Ubuntu server (where the problems occurred) I'm not good enough to
>> figure out which version of FreeTDS that is bundled with PHP, but these
>> packages are installed with PHP:
>
> I don't think it's bundled, it should be a separate package in your system.
> `apt-cache search freetds` should find it, I guess.

This command gives:

freetds-dev - MS SQL and Sybase client library (static libs and headers)
libct3 - libraries for connecting to MS SQL and Sybase SQL servers
libsybdb5 - libraries for connecting to MS SQL and Sybase SQL servers
tdsodbc - ODBC driver for connecting to MS SQL and Sybase SQL servers
gda2-freetds - FreeTDS backend plugin for GNOME Data Access library for GNOME2
libdbd-freetds - Freetds database server driver for libdbi
libgda3-freetds - FreeTDS backend plugin for GNOME Data Access library for GNOME2
sqlrelay-freetds - SQL Relay FreeTDS (Sybase and MS SQL Server) connection daemon
sqsh - commandline SQL client for MS SQL and Sybase servers
php5-mssql - MSSQL module for php5

In /usr/share/doc/freetds-dev I found version 0.63 of FreeTDS though, at least according to the change logs. I'm not sure that this is the library used though, I really suck at dealing with packages on Ubuntu/Debian.. Anyway, everything is installed with the package manager in Ubuntu, so everything installed should have come from there...

/Krister Karlström

>> On the Slackware platform we're apparently using version 0.64, I notice now
>> that there's a newer version 0.82 out.
>>
>> Could it be that Ubuntu has upgraded to 0.82 which causes the problem?
>
> Sure, anything is possible.
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
On Wed, 15 Oct 2008, Krister Karlström wrote:
> On the Ubuntu server (where the problems occurred) I'm not good enough to
> figure out which version of FreeTDS that is bundled with PHP, but these
> packages are installed with PHP:
>
> php5-sybase_5.2.4-2ubuntu5.3_i386.deb
> php5-mssql_5.2.4-2ubuntu5.3_i386.deb
>
> On the Slackware platform we're apparently using version 0.64, I notice now
> that there's a newer version 0.82 out.
>
> Could it be that Ubuntu has upgraded to 0.82 which causes the problem?

My Debian (on which Ubuntu is based) indeed has 0.82 installed. And yes, that could be the cause of the problem. However, Antony had a look at the code and found many other issues too :/

Derick
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
On 15.10.2008 12:55, Krister Karlström wrote:
> Hi,
>
> On the Ubuntu server (where the problems occurred) I'm not good enough to
> figure out which version of FreeTDS that is bundled with PHP, but these
> packages are installed with PHP:

I don't think it's bundled, it should be a separate package in your system.
`apt-cache search freetds` should find it, I guess.

> On the Slackware platform we're apparently using version 0.64, I notice
> now that there's a newer version 0.82 out.
>
> Could it be that Ubuntu has upgraded to 0.82 which causes the problem?

Sure, anything is possible.

--
Wbr,
Antony Dovgal
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Hi,

On the Ubuntu server (where the problems occurred) I'm not good enough to figure out which version of FreeTDS that is bundled with PHP, but these packages are installed with PHP:

php5-sybase_5.2.4-2ubuntu5.3_i386.deb
php5-mssql_5.2.4-2ubuntu5.3_i386.deb

On the Slackware platform we're apparently using version 0.64, I notice now that there's a newer version 0.82 out.

Could it be that Ubuntu has upgraded to 0.82 which causes the problem?

Greetings,
Krister Karlström

Antony Dovgal wrote:
> On 15.10.2008 12:06, Krister Karlström wrote:
>> Thanks for the advice Derick, valgrind gave this output with
>> USE_ZEND_ALLOC set to 0:
>>
>> ==29752== Invalid write of size 1
>> ==29752==    at 0x4024D57: memcpy (mc_replace_strmem.c:402)
>> ==29752==    by 0x406B0C1: dbconvert (in /usr/lib/libsybdb.so.5.0.0)
>> ==29752==    by 0x80997F9: php_mssql_get_column_content_with_type (php_mssql.c:912)
>> ==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
>> ==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
>
> That is very helpful, thanks.
> Which version of FreeTDS do you use?
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
On Wed, 15 Oct 2008, Krister Karlström wrote:
> OK, Thanks for the clue though! :)
>
> What do you think about Sean Finney's post about this bug?
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=423296
>
> Debian has patched a memory bug that also ended up affecting the
> php5-sybase extension...

It looks unrelated, this is clearly something wrong in the mssql extension, and it has nothing to do with snmp as far as I can see.

regards,
Derick
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
OK, Thanks for the clue though! :)

What do you think about Sean Finney's post about this bug?
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=423296

Debian has patched a memory bug that also ended up affecting the php5-sybase extension...

/Krister Karlström

Derick Rethans wrote:
> This gives a very good clue - for some reason there is not enough memory
> allocated in the emalloc() call on line 911 of ext/mssql/php_mssql.c. For
> some reason the dbconvert() call writes more than it's supposed to do. I do
> not know the libsybdb library well enough to explain why though. :/
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
On 15.10.2008 12:06, Krister Karlström wrote:
> Thanks for the advice Derick, valgrind gave this output with
> USE_ZEND_ALLOC set to 0:
> ==29752== Invalid write of size 1
> ==29752==    at 0x4024D57: memcpy (mc_replace_strmem.c:402)
> ==29752==    by 0x406B0C1: dbconvert (in /usr/lib/libsybdb.so.5.0.0)
> ==29752==    by 0x80997F9: php_mssql_get_column_content_with_type
> (php_mssql.c:912)
> ==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
> ==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)

That is very helpful, thanks.
Which version of FreeTDS do you use?

--
Wbr,
Antony Dovgal
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
On Wed, 15 Oct 2008, Krister Karlström wrote:
> Thanks for the advice Derick, valgrind gave this output with USE_ZEND_ALLOC
> set to 0:

This gives a very good clue - for some reason there is not enough memory allocated in the emalloc() call on line 911 of ext/mssql/php_mssql.c. For some reason the dbconvert() call writes more than it's supposed to do. I do not know the libsybdb library well enough to explain why though. :/

> ==29752== Memcheck, a memory error detector.
> ==29752== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
> ==29752== Using LibVEX rev 1854, a library for dynamic binary translation.
> ==29752== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
> ==29752== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
> ==29752== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
> ==29752== For more details, rerun with: -v
> ==29752==
> ==29752== Invalid write of size 1
> ==29752==    at 0x4024D57: memcpy (mc_replace_strmem.c:402)
> ==29752==    by 0x406B0C1: dbconvert (in /usr/lib/libsybdb.so.5.0.0)
> ==29752==    by 0x80997F9: php_mssql_get_column_content_with_type (php_mssql.c:912)
> ==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
> ==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
> ==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
> ==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
> ==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
> ==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
> ==29752==    by 0x8151090: php_execute_script (main.c:2005)
> ==29752==    by 0x821FEE5: main (php_cli.c:1140)
> ==29752==  Address 0x43c1711 is 0 bytes after a block of size 25 alloc'd
> ==29752==    at 0x4022AE8: malloc (vg_replace_malloc.c:207)
> ==29752==    by 0x8186640: _emalloc (zend_alloc.c:2280)
> ==29752==    by 0x8099794: php_mssql_get_column_content_with_type (php_mssql.c:911)
> ==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
> ==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
> ==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
> ==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
> ==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
> ==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
> ==29752==    by 0x8151090: php_execute_script (main.c:2005)
> ==29752==    by 0x821FEE5: main (php_cli.c:1140)
> ==29752==
> ==29752== Invalid write of size 1
> ==29752==    at 0x406B0CA: dbconvert (in /usr/lib/libsybdb.so.5.0.0)
> ==29752==    by 0x80997F9: php_mssql_get_column_content_with_type (php_mssql.c:912)
> ==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
> ==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
> ==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
> ==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
> ==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
> ==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
> ==29752==    by 0x8151090: php_execute_script (main.c:2005)
> ==29752==    by 0x821FEE5: main (php_cli.c:1140)
> ==29752==  Address 0x43c1712 is 1 bytes after a block of size 25 alloc'd
> ==29752==    at 0x4022AE8: malloc (vg_replace_malloc.c:207)
> ==29752==    by 0x8186640: _emalloc (zend_alloc.c:2280)
> ==29752==    by 0x8099794: php_mssql_get_column_content_with_type (php_mssql.c:911)
> ==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
> ==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
> ==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
> ==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
> ==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
> ==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
> ==29752==    by 0x8151090: php_execute_script (main.c:2005)
> ==29752==    by 0x821FEE5: main (php_cli.c:1140)
> ==29752==
> ==29752== Invalid write of size 1
> ==29752==    at 0x8099806: php_mssql_get_column_content_with_type (php_mssql.c:913)
> ==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
> ==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
> ==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
> ==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
> ==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
> ==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
> ==29752==    by 0x8151090: php_execute_script (main.c:2005)
> ==29752==    by 0x821FEE5: main (php_cli.c:1140)
> ==29752==  Address 0x43c1712 is 1 bytes after a block of size 25 alloc'd
> ==29752==    at 0x4022AE8: malloc (vg_replace_malloc.c:207)
> ==29752==    by 0x8186640: _emalloc (zend_alloc.c:2
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Thanks for the advice Derick, valgrind gave this output with USE_ZEND_ALLOC set to 0:

==29752== Memcheck, a memory error detector.
==29752== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==29752== Using LibVEX rev 1854, a library for dynamic binary translation.
==29752== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==29752== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==29752== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==29752== For more details, rerun with: -v
==29752==
==29752== Invalid write of size 1
==29752==    at 0x4024D57: memcpy (mc_replace_strmem.c:402)
==29752==    by 0x406B0C1: dbconvert (in /usr/lib/libsybdb.so.5.0.0)
==29752==    by 0x80997F9: php_mssql_get_column_content_with_type (php_mssql.c:912)
==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
==29752==    by 0x8151090: php_execute_script (main.c:2005)
==29752==    by 0x821FEE5: main (php_cli.c:1140)
==29752==  Address 0x43c1711 is 0 bytes after a block of size 25 alloc'd
==29752==    at 0x4022AE8: malloc (vg_replace_malloc.c:207)
==29752==    by 0x8186640: _emalloc (zend_alloc.c:2280)
==29752==    by 0x8099794: php_mssql_get_column_content_with_type (php_mssql.c:911)
==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
==29752==    by 0x8151090: php_execute_script (main.c:2005)
==29752==    by 0x821FEE5: main (php_cli.c:1140)
==29752==
==29752== Invalid write of size 1
==29752==    at 0x406B0CA: dbconvert (in /usr/lib/libsybdb.so.5.0.0)
==29752==    by 0x80997F9: php_mssql_get_column_content_with_type (php_mssql.c:912)
==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
==29752==    by 0x8151090: php_execute_script (main.c:2005)
==29752==    by 0x821FEE5: main (php_cli.c:1140)
==29752==  Address 0x43c1712 is 1 bytes after a block of size 25 alloc'd
==29752==    at 0x4022AE8: malloc (vg_replace_malloc.c:207)
==29752==    by 0x8186640: _emalloc (zend_alloc.c:2280)
==29752==    by 0x8099794: php_mssql_get_column_content_with_type (php_mssql.c:911)
==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
==29752==    by 0x8151090: php_execute_script (main.c:2005)
==29752==    by 0x821FEE5: main (php_cli.c:1140)
==29752==
==29752== Invalid write of size 1
==29752==    at 0x8099806: php_mssql_get_column_content_with_type (php_mssql.c:913)
==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
==29752==    by 0x81A390F: zend_execute_scripts (zend.c:1134)
==29752==    by 0x8151090: php_execute_script (main.c:2005)
==29752==    by 0x821FEE5: main (php_cli.c:1140)
==29752==  Address 0x43c1712 is 1 bytes after a block of size 25 alloc'd
==29752==    at 0x4022AE8: malloc (vg_replace_malloc.c:207)
==29752==    by 0x8186640: _emalloc (zend_alloc.c:2280)
==29752==    by 0x8099794: php_mssql_get_column_content_with_type (php_mssql.c:911)
==29752==    by 0x809A791: _mssql_fetch_batch (php_mssql.c:1140)
==29752==    by 0x809AF19: zif_mssql_query (php_mssql.c:1263)
==29752==    by 0x81C88DC: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==29752==    by 0x81CE2B2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==29752==    by 0x81C842F: execute (zend_vm_execute.h:92)
==29752==    by 0x81A390F: zend_execute_scrip
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
On Wed, 15 Oct 2008, Krister Karlström wrote:
> run the same sample script with PHP 5.2.6 configured with --disable-all
> --enable-debug --with-mssql on the Ubuntu Hardy machine. I did exactly the
> same things on both the Slackware server and the Ubuntu, the output and
> expected result was though different:
>
> Here's PHP's output on Ubuntu Hardy 8.0.4 with PHP 5.2.6:

[snip]

> It reports 10 memory leaks..? I'm also gonna run this through valgrind, need to
> install it on this machine first...

If you do, please export the following environment variable before you run it with valgrind:

export USE_ZEND_ALLOC=0

that disables the zend memory manager, which means valgrind can see much better what might go wrong. If it doesn't show anything then, switch it back to "1" and try again.

regards,
Derick
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Hi again,

I ran the same sample script with PHP 5.2.6 configured with --disable-all --enable-debug --with-mssql on the Ubuntu Hardy machine. I did exactly the same things on both the Slackware server and the Ubuntu, the output and expected result was though different:

Here's PHP's output on Ubuntu Hardy 8.0.4 with PHP 5.2.6:

[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x08317fcc status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/karlstrk/php-5.2.6/ext/mssql/php_mssql.c:911, 25 bytes)
      Start:    OK
        End:    Overflown (magic=0x004D instead of 0x23024D91)
                2 byte(s) overflown
---
[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x08318164 status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/karlstrk/php-5.2.6/ext/mssql/php_mssql.c:911, 25 bytes)
      Start:    OK
        End:    Overflown (magic=0x004D instead of 0x23024D91)
                2 byte(s) overflown
---
[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x083196a4 status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/karlstrk/php-5.2.6/ext/mssql/php_mssql.c:911, 25 bytes)
      Start:    OK
        End:    Overflown (magic=0x004D instead of 0x23024D91)
                2 byte(s) overflown
---
[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x08319878 status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/karlstrk/php-5.2.6/ext/mssql/php_mssql.c:911, 25 bytes)
      Start:    OK
        End:    Overflown (magic=0x004D instead of 0x23024D91)
                2 byte(s) overflown
---
[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x0831aa10 status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/karlstrk/php-5.2.6/ext/mssql/php_mssql.c:911, 25 bytes)
      Start:    OK
        End:    Overflown (magic=0x004D instead of 0x23024D91)
                2 byte(s) overflown
---
[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x0831abf4 status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/karlstrk/php-5.2.6/ext/mssql/php_mssql.c:911, 25 bytes)
      Start:    OK
        End:    Overflown (magic=0x004D instead of 0x23024D91)
                2 byte(s) overflown
---
[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x0831af50 status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/karlstrk/php-5.2.6/ext/mssql/php_mssql.c:911, 25 bytes)
      Start:    OK
        End:    Overflown (magic=0x004D instead of 0x23024D91)
                2 byte(s) overflown
---
[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x0831b124 status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      OK (allocated on /home/karlstrk/php-5.2.6/ext/mssql/php_mssql.c:911, 25 bytes)
      Start:    OK
        End:    Overflown (magic=0x004D instead of 0x23024D91)
                2 byte(s) overflown
---
[Wed Oct 15 10:20:52 2008]  Script:  '/var/www/asta/testcases/TestMsSQL.php'
---
/home/karlstrk/php-5.2.6/Zend/zend_variables.h(35) : Block 0x0831b2f4 status:
/home/karlstrk/php-5.2.6/Zend/zend_variables.c(36) : Actual location (location was r
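The end-canary report in the debug build above ("2 byte(s) overflown" on a 25-byte block from php_mssql.c:911) and the valgrind trace Derick reads earlier in the thread ("0 bytes after a block of size 25", written from inside dbconvert() and then again from php_mssql.c:913) are one defect seen by two detectors: a conversion routine was handed a buffer sized from the declared column width and told there was no limit, and its output was two bytes longer. The following added example reproduces that pattern in miniature. It is not code from PHP or FreeTDS: guarded_alloc()/guarded_free() are a hypothetical end-canary allocator in the spirit of the Zend debug allocator (the canary value is the one printed above), toy_convert() is a hypothetical stand-in for dbconvert() that mimics the convention of a negative destlen meaning "unbounded, trust the caller", and COLUMN_WIDTH, SAMPLE_VALUE and SAMPLE_FITS are constructed inputs. The buggy caller shows the defect, the hardened caller the check it lacked.

```c
/* Added example, not code from PHP or FreeTDS. Hypothetical end-canary
 * allocator plus a hypothetical converter, used to show how a conversion
 * that writes past a column-width-sized buffer is caught at free time. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0x23024D91u  /* the end-of-block magic seen in the thread's debug output */

/* Guarded block layout: [size_t len][len user bytes][4-byte canary]. */
static void *guarded_alloc(size_t len) {
    unsigned char *p = malloc(sizeof(size_t) + len + sizeof(uint32_t));
    uint32_t c = CANARY;
    if (p == NULL) return NULL;
    memcpy(p, &len, sizeof len);
    memcpy(p + sizeof(size_t) + len, &c, sizeof c);
    return p + sizeof(size_t);
}

/* Check the canary on free, as Zend's debug allocator does at efree().
 * Returns how many trailing bytes were clobbered (0 when the canary is intact). */
static size_t guarded_free(void *user) {
    unsigned char *p = (unsigned char *)user - sizeof(size_t);
    uint32_t c = CANARY;
    unsigned char expect[sizeof c], got[sizeof c];
    size_t len, overflown = 0;
    memcpy(&len, p, sizeof len);
    memcpy(expect, &c, sizeof c);
    memcpy(got, p + sizeof(size_t) + len, sizeof c);
    for (size_t i = 0; i < sizeof c; i++)
        if (got[i] != expect[i]) overflown = i + 1;  /* index of the last damaged byte + 1 */
    free(p);
    return overflown;
}

/* Hypothetical converter standing in for dbconvert(): renders the raw column
 * value as text and NUL-terminates it. A negative destlen means "unbounded,
 * the caller promises there is room" (assumed convention); with a non-negative
 * destlen it refuses, returning -1, when text plus terminator would not fit. */
static int toy_convert(const char *raw, char *dest, int destlen) {
    int n = (int)strlen(raw);
    if (destlen >= 0 && n + 1 > destlen) return -1;
    memcpy(dest, raw, (size_t)n + 1);  /* copies the terminator too */
    return n;
}

#define COLUMN_WIDTH 25  /* constructed: declared width of the column */

/* Constructed sample values: one 26 characters long (one more than the declared
 * width, ending in 'M' so the clobbered canary reads 0x004D as in the thread),
 * one that fits exactly. */
static const char SAMPLE_VALUE[] = "0123456789012345678901234M";
static const char SAMPLE_FITS[]  = "0123456789012345678901234";

/* Buggy pattern: buffer sized from the column width alone, converter told there
 * is no limit, then the caller writes its own terminator at the returned length.
 * Returns the number of bytes the allocator found overflown on free. */
static size_t fetch_column_buggy(const char *raw) {
    char *buf = guarded_alloc(COLUMN_WIDTH);
    int n;
    if (buf == NULL) return 0;
    n = toy_convert(raw, buf, -1);  /* writes n + 1 bytes, nothing bounds it */
    buf[n] = '\0';                  /* with n == 26 this lands past the block as well */
    return guarded_free(buf);
}

/* Hardened pattern: headroom for the terminator, the real capacity passed to
 * the converter, and a refused conversion treated as an error rather than
 * trusting n as an index. Returns the text length, -1 if refused, -2 if the
 * canary was damaged anyway. */
static int fetch_column_safe(const char *raw) {
    size_t cap = COLUMN_WIDTH + 1;
    char *buf = guarded_alloc(cap);
    int n;
    if (buf == NULL) return -1;
    n = toy_convert(raw, buf, (int)cap);
    if (n < 0) { guarded_free(buf); return -1; }
    buf[n] = '\0';  /* in bounds: the converter guaranteed n + 1 <= cap */
    return guarded_free(buf) == 0 ? n : -2;
}

int main(void) {
    printf("buggy caller: %zu byte(s) overflown\n", fetch_column_buggy(SAMPLE_VALUE));
    printf("safe caller, oversized value: %d\n", fetch_column_safe(SAMPLE_VALUE));
    printf("safe caller, fitting value: %d\n", fetch_column_safe(SAMPLE_FITS));
    return 0;
}
```

Run stand-alone, the buggy path reports 2 bytes overflown (the same count as the debug build above) while the hardened path refuses the oversized value and accepts the fitting one. The point for a reviewer is that the allocation size and the bound handed to the converter must come from the same place: whoever sizes the buffer must also cap the write, and a converter's returned length has to be validated before it is used as an index.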
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Hi!

I downloaded a fresh copy of PHP-5.2.6 and configured it with --disable-all --enable-debug --with-mssql. PHP -v gives:

PHP 5.2.6 (cli) (built: Oct 15 2008 10:30:23) (DEBUG)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Valgrind's output from the same sample script:

==21018== Memcheck, a memory error detector.
==21018== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==21018== Using LibVEX rev 1854, a library for dynamic binary translation.
==21018== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==21018== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==21018== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==21018== For more details, rerun with: -v
==21018==
==21018== My PID = 21018, parent PID = 2824.  Prog and args are:
==21018==    ./php
==21018==    /var/www/asta/testcases/TestMsSQL.php
==21018==
==21018== Conditional jump or move depends on uninitialised value(s)
==21018==    at 0x400B4E0: _dl_relocate_object (in /lib/ld-2.5.so)
==21018==    by 0x4004027: dl_main (in /lib/ld-2.5.so)
==21018==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==21018==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==21018==    by 0x4000816: (within /lib/ld-2.5.so)
==21018==
==21018== Conditional jump or move depends on uninitialised value(s)
==21018==    at 0x400B1C2: _dl_relocate_object (in /lib/ld-2.5.so)
==21018==    by 0x4004027: dl_main (in /lib/ld-2.5.so)
==21018==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==21018==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==21018==    by 0x4000816: (within /lib/ld-2.5.so)
==21018==
==21018== Conditional jump or move depends on uninitialised value(s)
==21018==    at 0x400B971: _dl_relocate_object (in /lib/ld-2.5.so)
==21018==    by 0x4004027: dl_main (in /lib/ld-2.5.so)
==21018==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==21018==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==21018==    by 0x4000816: (within /lib/ld-2.5.so)
==21018==
==21018== Conditional jump or move depends on uninitialised value(s)
==21018==    at 0x400B079: _dl_relocate_object (in /lib/ld-2.5.so)
==21018==    by 0x400413D: dl_main (in /lib/ld-2.5.so)
==21018==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==21018==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==21018==    by 0x4000816: (within /lib/ld-2.5.so)
==21018==
==21018== Conditional jump or move depends on uninitialised value(s)
==21018==    at 0x400B081: _dl_relocate_object (in /lib/ld-2.5.so)
==21018==    by 0x400413D: dl_main (in /lib/ld-2.5.so)
==21018==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==21018==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==21018==    by 0x4000816: (within /lib/ld-2.5.so)
==21018==
==21018== Conditional jump or move depends on uninitialised value(s)
==21018==    at 0x400B1C2: _dl_relocate_object (in /lib/ld-2.5.so)
==21018==    by 0x400413D: dl_main (in /lib/ld-2.5.so)
==21018==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==21018==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==21018==    by 0x4000816: (within /lib/ld-2.5.so)
==21018==
==21018== Conditional jump or move depends on uninitialised value(s)
==21018==    at 0x400B4E0: _dl_relocate_object (in /lib/ld-2.5.so)
==21018==    by 0x401251F: dl_open_worker (in /lib/ld-2.5.so)
==21018==    by 0x400E3B1: _dl_catch_error (in /lib/ld-2.5.so)
==21018==    by 0x4011E48: _dl_open (in /lib/ld-2.5.so)
==21018==    by 0x42065C0: do_dlopen (in /lib/libc-2.5.so)
==21018==    by 0x400E3B1: _dl_catch_error (in /lib/ld-2.5.so)
==21018==    by 0x4206764: __libc_dlopen_mode (in /lib/libc-2.5.so)
==21018==    by 0x41E11F6: __nss_lookup_function (in /lib/libc-2.5.so)
==21018==    by 0x41E128F: __nss_lookup (in /lib/libc-2.5.so)
==21018==    by 0x41E3025: __nss_passwd_lookup (in /lib/libc-2.5.so)
==21018==    by 0x418FBFE: getpwuid_r@@GLIBC_2.1.2 (in /lib/libc-2.5.so)
==21018==    by 0x408D637: tds_get_homedir (threadsafe.c:394)
==21018==
==21018== Conditional jump or move depends on uninitialised value(s)
==21018==    at 0x400B1C2: _dl_relocate_object (in /lib/ld-2.5.so)
==21018==    by 0x401251F: dl_open_worker (in /lib/ld-2.5.so)
==21018==    by 0x400E3B1: _dl_catch_error (in /lib/ld-2.5.so)
==21018==    by 0x4011E48: _dl_open (in /lib/ld-2.5.so)
==21018==    by 0x42065C0: do_dlopen (in /lib/libc-2.5.so)
==21018==    by 0x400E3B1: _dl_catch_error (in /lib/ld-2.5.so)
==21018==    by 0x4206764: __libc_dlopen_mode (in /lib/libc-2.5.so)
==21018==    by 0x41E11F6: __nss_lookup_function (in /lib/libc-2.5.so)
==21018==    by 0x41E128F: __nss_lookup (in /lib/libc-2.5.so)
==21018==    by 0x41E3025: __nss_passwd_lookup (in /lib/libc-2.5.so)
==21018==    by 0x418FBFE: getpwuid_r@@GLIBC_2.1.2 (in /lib/libc-2.5.so)
==21018==    by 0x408D637: tds_get_homedir (threadsafe.c:394)
==21018==
==21018== ERROR SUMMARY: 31 errors from 8 contexts (suppressed: 0 from 0)
==21018== malloc/free: in use at exit:
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
hi there,

On Tue, Oct 14, 2008 at 09:55:27AM +0200, Pierre Joye wrote:
> On Tue, Oct 14, 2008 at 8:46 AM, Krister Karlström
> <[EMAIL PROTECTED]> wrote:
>> About this bug #44872, I ran my small sample script (posted on the bug
>> reporting page) through valgrind and got the attached output. I'm not sure
>> whether this shows that there's a leak in the mssql extension or if this is
>> normal. Valgrind said that 853 bytes were definitely lost, does this mean
>> that there is a memory leak? Hopefully someone who is better at analyzing
>> valgrind's output than me can tell the answer... Here's the full output from
>> valgrind:
>
> That's exactly why it is not as easy as some may say. This report
> shows the (expected sometimes) warnings with dl and something related
> to the SNMP extension. The scripts in the bug report were using mysqli

I don't know if it's relevant, but there was recently a fixed bug wrt snmp memory leakage:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=423296

This is the Debian bug report, but it has links to php.net and gentoo bug reports. It also has a patch in the report that you can directly take. The fixed Debian version is 5.2.6-4, so I would expect any Ubuntu package of greater version to also contain the fix, since they sync from the Debian packages.

sean
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Can you try to compile PHP with --disable-all --enable-debug and a flag for the mssql extension, then try to run valgrind. From the output it seems there may be errors in dl() library.

On 14-Oct-08, at 4:15 AM, Krister Karlström wrote:

> Hi,
>
> I run the script on a server in our production environment, a slackware server with a self compiled PHP from source. The PHP version was 5.2.5. php -v gives the following:
>
> PHP 5.2.5 (cli) (built: Mar 28 2008 12:02:55)
> Copyright (c) 1997-2007 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>
> I found the problem on a development server which was running Ubuntu and apparently also the Suhosin patch (the latest available packet from Ubuntu).
>
> /Krister Karlström
>
> Pierre Joye wrote:
>> hi,
>>
>> On Tue, Oct 14, 2008 at 8:46 AM, Krister Karlström <[EMAIL PROTECTED]> wrote:
>>> About this bug #44872, I run my small sample script (posted on the bug reporting page) through valgrind and got the attached output. I'm not sure whether this shows that there's a leak in the mssql extension or if this is normal. Valgrind said that 853 bytes were definitely lost, does this mean that there is a memory leak? Hopefully someone who is better to analyze valgrinds output than me can tell the answer... Here's the full output from valgrind:
>>
>> That's exactly why it is not as easy that some may say. This report shows the (expected sometimes) warnings with dl and something related to the SNMP extension. The scripts in the bug report were using mysqli and mssql, with all kind of possible extensions (zend optimizer, debugger, etc.) and patches applied.
>>
>> Did you run it using a self compiled php? Which version?
>>
>> Cheers,
>
> --
> * Ing. Krister Karlström, Zend Certified Engineer *
> * Systemutvecklare, IT-Centralen *
> * Arcada - Nylands Svenska Yrkeshögskola *
> * Jan-Magnus Janssons plats 1, 00550 Helsingfors, Finland *
> * Tel: +358(20)7699699 GSM: +358(50)5328390 *
> * E-mail: [EMAIL PROTECTED] *

Ilia Alshanetsky
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Hi,

I run the script on a server in our production environment, a slackware server with a self compiled PHP from source. The PHP version was 5.2.5. php -v gives the following:

PHP 5.2.5 (cli) (built: Mar 28 2008 12:02:55)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

I found the problem on a development server which was running Ubuntu and apparently also the Suhosin patch (the latest available packet from Ubuntu).

/Krister Karlström

Pierre Joye wrote:
> hi,
>
> On Tue, Oct 14, 2008 at 8:46 AM, Krister Karlström <[EMAIL PROTECTED]> wrote:
>> About this bug #44872, I run my small sample script (posted on the bug reporting page) through valgrind and got the attached output. I'm not sure whether this shows that there's a leak in the mssql extension or if this is normal. Valgrind said that 853 bytes were definitely lost, does this mean that there is a memory leak? Hopefully someone who is better to analyze valgrinds output than me can tell the answer... Here's the full output from valgrind:
>
> That's exactly why it is not as easy that some may say. This report shows the (expected sometimes) warnings with dl and something related to the SNMP extension. The scripts in the bug report were using mysqli and mssql, with all kind of possible extensions (zend optimizer, debugger, etc.) and patches applied.
>
> Did you run it using a self compiled php? Which version?
>
> Cheers,
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
hi,

On Tue, Oct 14, 2008 at 8:46 AM, Krister Karlström <[EMAIL PROTECTED]> wrote:
> About this bug #44872, I run my small sample script (posted on the bug
> reporting page) through valgrind and got the attached output. I'm not sure
> whether this shows that there's a leak in the mssql extension or if this is
> normal. Valgrind said that 853 bytes were definitely lost, does this mean
> that there is a memory leak? Hopefully someone who is better to analyze
> valgrinds output than me can tell the answer... Here's the full output from
> valgrind:

That's exactly why it is not as easy that some may say. This report shows the (expected sometimes) warnings with dl and something related to the SNMP extension. The scripts in the bug report were using mysqli and mssql, with all kind of possible extensions (zend optimizer, debugger, etc.) and patches applied.

Did you run it using a self compiled php? Which version?

Cheers,
--
Pierre
http://blog.thepimp.net | http://www.libgd.org
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Hi,

About this bug #44872, I run my small sample script (posted on the bug reporting page) through valgrind and got the attached output. I'm not sure whether this shows that there's a leak in the mssql extension or if this is normal. Valgrind said that 853 bytes were definitely lost, does this mean that there is a memory leak? Hopefully someone who is better to analyze valgrinds output than me can tell the answer... Here's the full output from valgrind:

==3285== Memcheck, a memory error detector.
==3285== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==3285== Using LibVEX rev 1854, a library for dynamic binary translation.
==3285== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==3285== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==3285== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==3285== For more details, rerun with: -v
==3285==
==3285== My PID = 3285, parent PID = 2824.  Prog and args are:
==3285==    php
==3285==    TestMsSQL.php
==3285==
==3285== Conditional jump or move depends on uninitialised value(s)
==3285==    at 0x400B4E0: _dl_relocate_object (in /lib/ld-2.5.so)
==3285==    by 0x4004027: dl_main (in /lib/ld-2.5.so)
==3285==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==3285==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==3285==    by 0x4000816: (within /lib/ld-2.5.so)
==3285==
==3285== Conditional jump or move depends on uninitialised value(s)
==3285==    at 0x400B1C2: _dl_relocate_object (in /lib/ld-2.5.so)
==3285==    by 0x4004027: dl_main (in /lib/ld-2.5.so)
==3285==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==3285==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==3285==    by 0x4000816: (within /lib/ld-2.5.so)
==3285==
==3285== Conditional jump or move depends on uninitialised value(s)
==3285==    at 0x400B971: _dl_relocate_object (in /lib/ld-2.5.so)
==3285==    by 0x4004027: dl_main (in /lib/ld-2.5.so)
==3285==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==3285==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==3285==    by 0x4000816: (within /lib/ld-2.5.so)
==3285==
==3285== Conditional jump or move depends on uninitialised value(s)
==3285==    at 0x400B079: _dl_relocate_object (in /lib/ld-2.5.so)
==3285==    by 0x400413D: dl_main (in /lib/ld-2.5.so)
==3285==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==3285==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==3285==    by 0x4000816: (within /lib/ld-2.5.so)
==3285==
==3285== Conditional jump or move depends on uninitialised value(s)
==3285==    at 0x400B081: _dl_relocate_object (in /lib/ld-2.5.so)
==3285==    by 0x400413D: dl_main (in /lib/ld-2.5.so)
==3285==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==3285==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==3285==    by 0x4000816: (within /lib/ld-2.5.so)
==3285==
==3285== Conditional jump or move depends on uninitialised value(s)
==3285==    at 0x400B1C2: _dl_relocate_object (in /lib/ld-2.5.so)
==3285==    by 0x400413D: dl_main (in /lib/ld-2.5.so)
==3285==    by 0x4014A05: _dl_sysdep_start (in /lib/ld-2.5.so)
==3285==    by 0x4000C2F: _dl_start (in /lib/ld-2.5.so)
==3285==    by 0x4000816: (within /lib/ld-2.5.so)
==3285==
==3285== Conditional jump or move depends on uninitialised value(s)
==3285==    at 0x400B4E0: _dl_relocate_object (in /lib/ld-2.5.so)
==3285==    by 0x401251F: dl_open_worker (in /lib/ld-2.5.so)
==3285==    by 0x400E3B1: _dl_catch_error (in /lib/ld-2.5.so)
==3285==    by 0x4011E48: _dl_open (in /lib/ld-2.5.so)
==3285==    by 0x4250C2C: dlopen_doit (in /lib/libdl-2.5.so)
==3285==    by 0x400E3B1: _dl_catch_error (in /lib/ld-2.5.so)
==3285==    by 0x42512AB: _dlerror_run (in /lib/libdl-2.5.so)
==3285==    by 0x4250B60: dlopen@@GLIBC_2.1 (in /lib/libdl-2.5.so)
==3285==    by 0x8137D22: php_dl (in /usr/bin/php)
==3285==    by 0x81AA0C2: (within /usr/bin/php)
==3285==    by 0x81E0007: zend_llist_apply (in /usr/bin/php)
==3285==    by 0x81AA066: php_ini_register_extensions (in /usr/bin/php)
==3285==
==3285== Conditional jump or move depends on uninitialised value(s)
==3285==    at 0x400B1C2: _dl_relocate_object (in /lib/ld-2.5.so)
==3285==    by 0x401251F: dl_open_worker (in /lib/ld-2.5.so)
==3285==    by 0x400E3B1: _dl_catch_error (in /lib/ld-2.5.so)
==3285==    by 0x4011E48: _dl_open (in /lib/ld-2.5.so)
==3285==    by 0x4250C2C: dlopen_doit (in /lib/libdl-2.5.so)
==3285==    by 0x400E3B1: _dl_catch_error (in /lib/ld-2.5.so)
==3285==    by 0x42512AB: _dlerror_run (in /lib/libdl-2.5.so)
==3285==    by 0x4250B60: dlopen@@GLIBC_2.1 (in /lib/libdl-2.5.so)
==3285==    by 0x8137D22: php_dl (in /usr/bin/php)
==3285==    by 0x81AA0C2: (within /usr/bin/php)
==3285==    by 0x81E0007: zend_llist_apply (in /usr/bin/php)
==3285==    by 0x81AA066: php_ini_register_extensions (in /usr/bin/php)
==3285==
==3285== Invalid read of size 1
==3285==    at 0x5261F7B: (within /usr/lib/libnetsnmp.so.15.1.1)
==3285==    by 0x52622DA: read_config_files (in /usr/li
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Hi!

I re-run the small simple script that I posted on the bug tracking page. This time I used a Slackware server with PHP 5.2.5 (no Suhosin or other patches), compiled from source. php -v gives:

PHP 5.2.5 (cli) (built: Mar 28 2008 12:02:55)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

This is the summary of the run:

==3182== ERROR SUMMARY: 159 errors from 10 contexts (suppressed: 0 from 0)
==3182== malloc/free: in use at exit: 3,174 bytes in 23 blocks.
==3182== malloc/free: 44,130 allocs, 44,107 frees, 3,189,161 bytes allocated.
==3182== For counts of detected errors, rerun with: -v
==3182== searching for pointers to 23 not-freed blocks.
==3182== checked 541,584 bytes.
==3182==
==3182== LEAK SUMMARY:
==3182==    definitely lost: 853 bytes in 12 blocks.
==3182==      possibly lost: 0 bytes in 0 blocks.
==3182==    still reachable: 2,321 bytes in 11 blocks.
==3182==         suppressed: 0 bytes in 0 blocks.
==3182== Rerun with --leak-check=full to see details of leaked memory.

I need some help with analyzing the full output, so if it's OK for you Ilia I will mail you the full output from valgrind.

/Krister Karlström

Ilia Alshanetsky wrote:
> The error messages comes from Suhosin, which is why a basic PHP environment does not exhibit this problem. What I can ask you to try is to run the affected code on a basic PHP environment through valgrind and see if it reports any errors. If it does not, there is a chance it may be a false positive on the part of Suhosin. If it does report a problem however, then mssql extension has a bug and valgrind output should be good enough to identify the where & the why.
>
> On 10-Oct-08, at 7:18 AM, Krister Karlström wrote:
>
>> Hi,
>>
>> This bug #44872 puzzles me, I experienced it today running testcases with PHPUnit on command line, thus invoking PHP CLI. I'm working on a Ubuntu Hardy 8.0.4 server, using PHP 5.2.4-2ubuntu5.3 with Suhosin-Patch 0.9.6.2 (cli).
>>
>> The operation mssql_free_result() is terminated by Suhosin with the following message:
>>
>> ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'TestMsSQL.php', line 16)
>>
>> The bug report for this matter has status "No feedback". The bug was reported on 30 Apr 5:19pm UTC, and status was changed to "no feedback" on 10 May 1:00am UTC. However, after that some comments confirming this bug have been posted, including myself today.
>>
>> Does anyone know where's the _source_ of this problem? Is it in the source code of PHP or in the Suhosin patch? I have not encountered this problem in a "pure" Slackware environment where the Suhosin patch is not used, so it seems like a Suhosin issue. It might as well be a bug in PHP that Suhosin catches...
>>
>> Maybe someone should re-open this ticket?
>>
>> http://bugs.php.net/bug.php?id=44872
>>
>> Greetings,
>> Krister Karlström, Helsinki, Finland
>
> Ilia Alshanetsky
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
hi,

On Fri, Oct 10, 2008 at 5:03 PM, Stefan Esser <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
>> a false positive on the part of Suhosin. If it does report a problem
>> however, then mssql extension has a bug and valgrind output should be
>> good enough to identify the where & the why.
>
> valgrind cannot (by definition) see all memory problems Suhosin detects.

It can detect some memory issues and that's what we are asking to try. If it fails, we will investigate further, obviously :)

Cheers,
--
Pierre
http://blog.thepimp.net | http://www.libgd.org
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

> a false positive on the part of Suhosin. If it does report a problem
> however, then mssql extension has a bug and valgrind output should be
> good enough to identify the where & the why.

valgrind cannot (by definition) see all memory problems Suhosin detects.

Stefan Esser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjvbr4ACgkQSuF5XhWr2ngkKQCgniliTOQKjqpOJMS30lN2+Vf5
+NMAmgP3FtFlZnmoctZhAI67rDSDqdOI
=M9h8
-----END PGP SIGNATURE-----
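Stefan's remark above is about where the two tools look: valgrind's memcheck flags accesses that fall outside the chunk malloc() handed out, whereas a canary check catches writes that stay inside the allocator's own chunk but cross the edge of the block given to the caller. The toy allocator below is an added example written for this page to show that check in working code; it is not Suhosin's or PHP's code, and the fixed canary value, the block layout and the function names (canary_alloc, canary_free, the demo_* helpers) are my own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy canary-guarded allocator (added example; not Suhosin's or PHP's
 * code).  Every block is bracketed by a front and a back canary, and
 * canary_free() verifies both before the block goes back to the heap,
 * which is the kind of check behind the thread's
 * "canary mismatch on efree() - heap overflow detected" alert. */

#define CANARY_SIZE 4

/* Constructed, fixed canary for illustration only; a hardened allocator
 * uses a per-process random value so the pattern cannot be predicted. */
static const uint8_t CANARY[CANARY_SIZE] = {0xDE, 0xAD, 0xBE, 0xEF};

/* Result codes returned by canary_free(). */
enum canary_status {
    CANARY_OK = 0,            /* both canaries intact, block released    */
    CANARY_FRONT_CORRUPT = 1, /* bytes before the block were overwritten */
    CANARY_BACK_CORRUPT = 2,  /* bytes after the block were overwritten  */
    CANARY_NOMEM = 3          /* allocation failed, nothing to check     */
};

struct block_header {
    size_t user_size; /* size the caller asked for */
};

/* Layout of one allocation:
 *   [block_header][front canary][user bytes ...][back canary] */
void *canary_alloc(size_t size)
{
    size_t total = sizeof(struct block_header) + CANARY_SIZE + size + CANARY_SIZE;
    uint8_t *raw = malloc(total);
    if (raw == NULL)
        return NULL;
    ((struct block_header *)raw)->user_size = size;
    uint8_t *front = raw + sizeof(struct block_header);
    uint8_t *user = front + CANARY_SIZE;
    memcpy(front, CANARY, CANARY_SIZE);
    memcpy(user + size, CANARY, CANARY_SIZE);
    return user;
}

/* Checks both canaries.  On a mismatch the block is abandoned rather
 * than handed to free() with possibly corrupted metadata, the same
 * stop-and-report choice Suhosin makes when it aborts the request. */
enum canary_status canary_free(void *ptr)
{
    uint8_t *user = ptr;
    uint8_t *front = user - CANARY_SIZE;
    uint8_t *raw = front - sizeof(struct block_header);
    size_t size = ((struct block_header *)raw)->user_size;

    if (memcmp(front, CANARY, CANARY_SIZE) != 0)
        return CANARY_FRONT_CORRUPT;
    if (memcmp(user + size, CANARY, CANARY_SIZE) != 0)
        return CANARY_BACK_CORRUPT;
    free(raw);
    return CANARY_OK;
}

/* A correct user of the allocator: fills exactly `len` bytes. */
enum canary_status demo_in_bounds(size_t len)
{
    char *buf = canary_alloc(len);
    if (buf == NULL)
        return CANARY_NOMEM;
    memset(buf, 'A', len);
    return canary_free(buf);
}

/* The defect class the thread is chasing: an off-by-one that writes a
 * NUL terminator into a buffer sized without room for it.  The stray
 * byte lands on the back canary, still inside the malloc()ed chunk. */
enum canary_status demo_off_by_one(size_t len)
{
    char *buf = canary_alloc(len);
    if (buf == NULL)
        return CANARY_NOMEM;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return canary_free(buf);
}

/* Writing just before the block corrupts the front canary instead. */
enum canary_status demo_underflow(size_t len)
{
    char *buf = canary_alloc(len);
    if (buf == NULL)
        return CANARY_NOMEM;
    buf[-1] = 0;
    return canary_free(buf);
}

int main(void)
{
    printf("in bounds : %d\n", demo_in_bounds(16));   /* 0 */
    printf("off by one: %d\n", demo_off_by_one(16));  /* 2 */
    printf("underflow : %d\n", demo_underflow(16));   /* 1 */
    return 0;
}
```

Run this program under valgrind and memcheck stays silent about the write in demo_off_by_one(), because the byte it overwrites is still inside the region obtained from malloc(); only canary_free() notices, and reports CANARY_BACK_CORRUPT. A memory manager that carves small blocks out of large chunks, as PHP 5.2's Zend allocator does for emalloc(), puts memcheck in the same position for every block, which is one concrete sense in which valgrind sees fewer problems than a canary check. PHP lets you switch its allocator off with USE_ZEND_ALLOC=0 in the environment so each emalloc() is backed by an individual malloc() whose bounds memcheck can track; that variable is a standard PHP facility, not something mentioned in this thread.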
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
OK, thanks Ilia! I'm gonna try the valgrind. Will report back later.

/Krister Karlström

Ilia Alshanetsky wrote:
> The error messages comes from Suhosin, which is why a basic PHP environment does not exhibit this problem. What I can ask you to try is to run the affected code on a basic PHP environment through valgrind and see if it reports any errors. If it does not, there is a chance it may be a false positive on the part of Suhosin. If it does report a problem however, then mssql extension has a bug and valgrind output should be good enough to identify the where & the why.
>
> On 10-Oct-08, at 7:18 AM, Krister Karlström wrote:
>
>> Hi,
>>
>> This bug #44872 puzzles me, I experienced it today running testcases with PHPUnit on command line, thus invoking PHP CLI. I'm working on a Ubuntu Hardy 8.0.4 server, using PHP 5.2.4-2ubuntu5.3 with Suhosin-Patch 0.9.6.2 (cli).
>>
>> The operation mssql_free_result() is terminated by Suhosin with the following message:
>>
>> ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'TestMsSQL.php', line 16)
>>
>> The bug report for this matter has status "No feedback". The bug was reported on 30 Apr 5:19pm UTC, and status was changed to "no feedback" on 10 May 1:00am UTC. However, after that some comments confirming this bug have been posted, including myself today.
>>
>> Does anyone know where's the _source_ of this problem? Is it in the source code of PHP or in the Suhosin patch? I have not encountered this problem in a "pure" Slackware environment where the Suhosin patch is not used, so it seems like a Suhosin issue. It might as well be a bug in PHP that Suhosin catches...
>>
>> Maybe someone should re-open this ticket?
>>
>> http://bugs.php.net/bug.php?id=44872
>>
>> Greetings,
>> Krister Karlström, Helsinki, Finland
>
> Ilia Alshanetsky
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Hi,

Yes, I do understand that you only support official versions of PHP and I totally agree with you. No, I haven't tried to catch the error using valgrind yet. I just wanted to raise the question, since I'm not really sure whether this is a problem caused by the Suhosin patch or if it's indeed a memory problem somewhere in PHP which is discovered by Suhosin. Or does Suhosin "detect" such things?

Anyway, we shouldn't be using Suhosin in first place (it's installed only on one webserver), so I'm gonna throw this patched package out and replace it with a pure PHP environment... :)

/Krister Karlström

Pierre Joye wrote:
> hi,
>
> On Fri, Oct 10, 2008 at 1:18 PM, Krister Karlström <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> This bug #44872 puzzles me, I experienced it today running testcases with PHPUnit on command line, thus invoking PHP CLI. I'm working on a Ubuntu Hardy 8.0.4 server, using PHP 5.2.4-2ubuntu5.3 with Suhosin-Patch 0.9.6.2 (cli).
>
> We support only our official releases, not patched versions like ubuntu, debian or using Suhosin.
>
> Have you tried to run your script (the last small one) using an official version through valgrind?
>
> --
> Pierre
> http://blog.thepimp.net | http://www.libgd.org
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
The error messages comes from Suhosin, which is why a basic PHP environment does not exhibit this problem. What I can ask you to try is to run the affected code on a basic PHP environment through valgrind and see if it reports any errors. If it does not, there is a chance it may be a false positive on the part of Suhosin. If it does report a problem however, then mssql extension has a bug and valgrind output should be good enough to identify the where & the why.

On 10-Oct-08, at 7:18 AM, Krister Karlström wrote:

> Hi,
>
> This bug #44872 puzzles me, I experienced it today running testcases with PHPUnit on command line, thus invoking PHP CLI. I'm working on a Ubuntu Hardy 8.0.4 server, using PHP 5.2.4-2ubuntu5.3 with Suhosin-Patch 0.9.6.2 (cli).
>
> The operation mssql_free_result() is terminated by Suhosin with the following message:
>
> ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'TestMsSQL.php', line 16)
>
> The bug report for this matter has status "No feedback". The bug was reported on 30 Apr 5:19pm UTC, and status was changed to "no feedback" on 10 May 1:00am UTC. However, after that some comments confirming this bug have been posted, including myself today.
>
> Does anyone know where's the _source_ of this problem? Is it in the source code of PHP or in the Suhosin patch? I have not encountered this problem in a "pure" Slackware environment where the Suhosin patch is not used, so it seems like a Suhosin issue. It might as well be a bug in PHP that Suhosin catches...
>
> Maybe someone should re-open this ticket?
>
> http://bugs.php.net/bug.php?id=44872
>
> Greetings,
> Krister Karlström, Helsinki, Finland

Ilia Alshanetsky
Re: [PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
hi,

On Fri, Oct 10, 2008 at 1:18 PM, Krister Karlström <[EMAIL PROTECTED]> wrote:
> Hi,
>
> This bug #44872 puzzles me, I experienced it today running testcases with
> PHPUnit on command line, thus invoking PHP CLI. I'm working on a Ubuntu
> Hardy 8.0.4 server, using PHP 5.2.4-2ubuntu5.3 with
> Suhosin-Patch 0.9.6.2 (cli).

We support only our official releases, not patched versions like ubuntu, debian or using Suhosin.

Have you tried to run your script (the last small one) using an official version through valgrind?

--
Pierre
http://blog.thepimp.net | http://www.libgd.org
[PHP-DEV] Bug #44872 canary mismatch on efree() - heap overflow detected
Hi,

This bug #44872 puzzles me, I experienced it today running testcases with PHPUnit on command line, thus invoking PHP CLI. I'm working on a Ubuntu Hardy 8.0.4 server, using PHP 5.2.4-2ubuntu5.3 with Suhosin-Patch 0.9.6.2 (cli).

The operation mssql_free_result() is terminated by Suhosin with the following message:

ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'TestMsSQL.php', line 16)

The bug report for this matter has status "No feedback". The bug was reported on 30 Apr 5:19pm UTC, and status was changed to "no feedback" on 10 May 1:00am UTC. However, after that some comments confirming this bug have been posted, including myself today.

Does anyone know where's the _source_ of this problem? Is it in the source code of PHP or in the Suhosin patch? I have not encountered this problem in a "pure" Slackware environment where the Suhosin patch is not used, so it seems like a Suhosin issue. It might as well be a bug in PHP that Suhosin catches...

Maybe someone should re-open this ticket?

http://bugs.php.net/bug.php?id=44872

Greetings,
Krister Karlström, Helsinki, Finland