#50359 [Com]: Random crash on new SoapServer

2009-12-02 Thread datacompboy at call2ru dot com
 ID:   50359
 Comment by:   datacompboy at call2ru dot com
 Reported By:  datacompboy at call2ru dot com
 Status:   Feedback
 Bug Type: SOAP related
 Operating System: Linux 2.6.31-1-amd64
 PHP Version:  5.2.11
 New Comment:

Rebuilding without suhosin with latest tarball.
Will post bt as soon as the crash is reproduced again.


Previous Comments:


[2009-12-02 13:58:41] j...@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

And do not add any 3rd party patches (Suhosin) or load any zend
extensions (apc, etc.) when you produce the backtrace. Also, simple
backtrace is usually quite enough, just bt..



[2009-12-02 12:16:00] datacompboy at call2ru dot com

Description:

Sometimes (from 1-2-3 times in a day to 1 time at 3-4 days)
every-minute cron, that fetches from WS, written via SoapServer gets
"Bad Gateway" reply.

On the server side there is a
  [notice] child pid 1892 exit signal Segmentation fault (11)
in error.log

and one of:
  kernel: [3878097.399362] php[23893]: segfault at 7fa3e51aded0 ip 7fa3e51aded0 sp 7fa3e35f0128 error 14 in librt-2.9.so[7fa3e9822000+7000]
  kernel: [3879416.960444] php[24282]: segfault at 7ff7addc9edb ip 7ff7ab8024d7 sp 7ff7ac20bca0 error 4 in libgcc_s.so.1[7ff7ab7f1000+1a000]
in dmesg.

After suhosin was enabled in simulation mode, there are
  [error] [client 87.106.137.135] ALERT-SIMULATION - canary mismatch on efree() - heap overflow detected (attacker '87.106.137.135', file '/var/www/yii/framework/web/services/CWebService.php', line 154)
messages.

Same request executed right after error works fine.

So, I have enabled buffer overflow coredump in suhosin, and here is a
coredump attached.

Can't post full reproduce code, since the crash is very random.
System is dual-core Opteron.

PHP 5.2.11-1 with Suhosin-Patch 0.9.7 (cli) (built: Sep 20 2009 11:41:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH


Reproduce code:
---
Dies every time on 
  $server=new SoapServer($this->wsdlUrl,$this->getOptions());
where
  $this->wsdlUrl = "http://dev-eworld.direktbill.de/y/wsdl/quote";


Expected result:

Always works

Actual result:
--
#0  0x7f699b9c566b in suhosin_log () from /usr/lib/php5/20060613/suhosin.so
No symbol table info available.
#1  0x7f69a402e1dd in _zend_mm_free_int (heap=0xf3eb40, p=0x1374360)
at /tmp/buildd/php5-5.2.11.dfsg.1/Zend/zend_alloc.c:2036
check = 18433888
mm_block = 0x1374338
next_block = 0x7f69a4537e40
size = 0
#2  0x7f69a401927b in php_stream_tidy_wrapper_error_log (wrapper=0x7f69a4537e40)
at /tmp/buildd/php5-5.2.11.dfsg.1/main/streams/streams.c:195
i = 1
#3  0x7f69a401aae5 in _php_stream_open_wrapper_ex (path=0x1194760 "http://dev-eworld.direktbill.de/y/wsdl/quote",
mode=0x7f69a25c51a0 "\220\066\350\246i\177", options=12, opened_path=0x0, context=0x131ec40)
at /tmp/buildd/php5-5.2.11.dfsg.1/main/streams/streams.c:1899
stream = 0x131ec40
wrapper = 0x7f69a4537e40
path_to_open = 0x10814a8 "@~S\244i\177"
persistent = 0 
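
Added example, not part of the original report or of PHP or Suhosin: a small decoder for the two kernel segfault lines quoted in the report, showing what the x86 page-fault error bits say and whether the faulting ip actually lies inside the library the kernel names. The sample lines are the report's own, unwrapped onto one line each; the function `decode` and its field names are assumptions of this example.

```python
import re

# Constructed sample: the two dmesg lines from the report, unwrapped.
SAMPLE = [
    "kernel: [3878097.399362] php[23893]: segfault at 7fa3e51aded0 ip 7fa3e51aded0 "
    "sp 7fa3e35f0128 error 14 in librt-2.9.so[7fa3e9822000+7000]",
    "kernel: [3879416.960444] php[24282]: segfault at 7ff7addc9edb ip 7ff7ab8024d7 "
    "sp 7ff7ac20bca0 error 4 in libgcc_s.so.1[7ff7ab7f1000+1a000]",
]

LINE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def decode(line):
    """Decode one kernel 'segfault at' line (hypothetical helper); None if no match."""
    m = LINE.search(line)
    if not m:
        return None
    err = int(m["err"], 16)  # the kernel prints the error code in hex
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    out = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        # x86 page-fault error code: bit0 present, bit1 write, bit2 user, bit4 ifetch
        "page_present": bool(err & 0x01),
        "access": "ifetch" if err & 0x10 else ("write" if err & 0x02 else "read"),
        "user_mode": bool(err & 0x04),
        # fault address == ip means execution itself landed on an unmapped address
        "jumped_to_bad_address": addr == ip,
        "object": m["obj"],
        "offset": None,
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        # The named mapping does not always contain ip, so check before trusting it.
        if base <= ip < base + size:
            out["offset"] = ip - base  # usable with addr2line / objdump on that library
    return out


if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(decode(sample_line))
```

For the first line the decoder reports an instruction fetch from an unmapped address outside librt's range, so the library name there is not a lead; the second line gives a read fault at offset 0x114d7 inside libgcc_s.so.1.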
  

#50359 [NEW]: Random crash on new SoapServer

2009-12-02 Thread datacompboy at call2ru dot com
From: datacompboy at call2ru dot com
Operating system: Linux 2.6.31-1-amd64
PHP version:  5.2.11
PHP Bug Type: Reproducible crash
Bug description:  Random crash on new SoapServer

Description:

Sometimes (from 1-2-3 times in a day to 1 time at 3-4 days) every-minute
cron, that fetches from WS, written via SoapServer gets "Bad Gateway"
reply.

On the server side there is a
  [notice] child pid 1892 exit signal Segmentation fault (11)
in error.log

and one of:
  kernel: [3878097.399362] php[23893]: segfault at 7fa3e51aded0 ip 7fa3e51aded0 sp 7fa3e35f0128 error 14 in librt-2.9.so[7fa3e9822000+7000]
  kernel: [3879416.960444] php[24282]: segfault at 7ff7addc9edb ip 7ff7ab8024d7 sp 7ff7ac20bca0 error 4 in libgcc_s.so.1[7ff7ab7f1000+1a000]
in dmesg.

After suhosin was enabled in simulation mode, there are
  [error] [client 87.106.137.135] ALERT-SIMULATION - canary mismatch on efree() - heap overflow detected (attacker '87.106.137.135', file '/var/www/yii/framework/web/services/CWebService.php', line 154)
messages.

Same request executed right after error works fine.

So, I have enabled buffer overflow coredump in suhosin, and here is a
coredump attached.

Can't post full reproduce code, since the crash is very random.
System is dual-core Opteron.

PHP 5.2.11-1 with Suhosin-Patch 0.9.7 (cli) (built: Sep 20 2009 11:41:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH


Reproduce code:
---
Dies every time on 
  $server=new SoapServer($this->wsdlUrl,$this->getOptions());
where
  $this->wsdlUrl = "http://dev-eworld.direktbill.de/y/wsdl/quote";


Expected result:

Always works

Actual result:
--
#0  0x7f699b9c566b in suhosin_log () from /usr/lib/php5/20060613/suhosin.so
No symbol table info available.
#1  0x7f69a402e1dd in _zend_mm_free_int (heap=0xf3eb40, p=0x1374360)
at /tmp/buildd/php5-5.2.11.dfsg.1/Zend/zend_alloc.c:2036
check = 18433888
mm_block = 0x1374338
next_block = 0x7f69a4537e40
size = 0
#2  0x7f69a401927b in php_stream_tidy_wrapper_error_log (wrapper=0x7f69a4537e40)
at /tmp/buildd/php5-5.2.11.dfsg.1/main/streams/streams.c:195
i = 1
#3  0x7f69a401aae5 in _php_stream_open_wrapper_ex (path=0x1194760 "http://dev-eworld.direktbill.de/y/wsdl/quote",
mode=0x7f69a25c51a0 "\220\066\350\246i\177", options=12, opened_path=0x0, context=0x131ec40)
at /tmp/buildd/php5-5.2.11.dfsg.1/main/streams/streams.c:1899
stream = 0x131ec40
wrapper = 0x7f69a4537e40
path_to_open = 0x10814a8 "@~S\244i\177"
persistent = 0
copy_of_path = 0x7fffe4fe11ef ""
#4  0x7f69a3e63b89 in php_libxml_streams_IO_open_wrapper (filename=0x1194760 "http://dev-eworld.direktbill.de/y/wsdl/quote",
mode=0x7f69a40c6d7f "rb", read_only=1)
at /tmp/buildd/php5-5.2.11.dfsg.1/ext/libxml/libxml.c:323
ssbuf = {sb = {st_dev = 2749774729, st_ino = 23387733, st_nlink =
2803224128, st_mode = 20143263, st_uid = 0,   
st_gid = 2803224128, __pad0 = 32617, st_rdev = 20143287,
st_size