#50359 [Com]: Random crash on new SoapServer
ID: 50359 Comment by: datacompboy at call2ru dot com Reported By: datacompboy at call2ru dot com Status: Feedback Bug Type: SOAP related Operating System: Linux 2.6.31-1-amd64 PHP Version: 5.2.11 New Comment: Rebuilding without suhosin with latest tarball. Will post bt as soon, as crash reproduced again. Previous Comments: [2009-12-02 13:58:41] j...@php.net Please try using this snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows: http://windows.php.net/snapshots/ And do not add any 3rd party patches (Suhosin) or load any zend extensions (apc, etc.) when you produce the backtrace. Also, simple backtrace is usually quite enough, just bt.. [2009-12-02 12:16:00] datacompboy at call2ru dot com Description: Sometimes (from 1-2-3 times in a day to 1 time at 3-4 days) every-minute cron, that fetches from WS, written via SoapServer gets "Bad Gateway" reply. On server-side there an [notice] child pid 1892 exit signal Segmentation fault (11) in error.log and one of: kernel: [3878097.399362] php[23893]: segfault at 7fa3e51aded0 ip 7fa3e51aded0 sp 7fa3e35f0128 error 14 in librt-2.9.so[7fa3e9822000+7000] kernel: [3879416.960444] php[24282]: segfault at 7ff7addc9edb ip 7ff7ab8024d7 sp 7ff7ac20bca0 error 4 in libgcc_s.so.1[7ff7ab7f1000+1a000] in dmesg. After suhosin enabled in sumulation mode, there [error] [client 87.106.137.135] ALERT-SIMULATION - canary mismatch on efree() - heap overflow detected (attacker '87.106.137.135', file '/var/www/yii/framework/web/services/CWebService.php', line 154) messages. Same request executed right after error works fine. So, i have enabled buffer overflow coredump in suhosin, and here an coredump attached. Can't post full reproduce code, since crash very random. System is dual-core Opteron. PHP 5.2.11-1 with Suhosin-Patch 0.9.7 (cli) (built: Sep 20 2009 11:41:46) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH Reproduce code: --- Dies every time on $server=new SoapServer($this->wsdlUrl,$this->getOptions()); where $this->wsdlUrl = "http://dev-eworld.direktbill.de/y/wsdl/quote";; Expected result: Always works Actual result: -- #0 0x7f699b9c566b in suhosin_log () from /usr/lib/php5/20060613/suhosin.so No symbol table info available. #1 0x7f69a402e1dd in _zend_mm_free_int (heap=0xf3eb40, p=0x1374360) at /tmp/buildd/php5-5.2.11.dfsg.1/Zend/zend_alloc.c:2036 check = 18433888 mm_block = 0x1374338 next_block = 0x7f69a4537e40 size = 0 #2 0x7f69a401927b in php_stream_tidy_wrapper_error_log (wrapper=0x7f69a4537e40) at /tmp/buildd/php5-5.2.11.dfsg.1/main/streams/streams.c:195 i = 1 #3 0x7f69a401aae5 in _php_stream_open_wrapper_ex (path=0x1194760 "http://dev-eworld.direktbill.de/y/wsdl/quote";, mode=0x7f69a25c51a0 "\220\066\350\246i\177", options=12, opened_path=0x0, context=0x131ec40) at /tmp/buildd/php5-5.2.11.dfsg.1/main/streams/streams.c:1899 stream = 0x131ec40 wrapper = 0x7f69a4537e40 path_to_open = 0x10814a8 "@~S\244i\177" persistent = 0
#50359 [NEW]: Random crash on new SoapServer
From: datacompboy at call2ru dot com Operating system: Linux 2.6.31-1-amd64 PHP version: 5.2.11 PHP Bug Type: Reproducible crash Bug description: Random crash on new SoapServer Description: Sometimes (from 1-2-3 times in a day to 1 time at 3-4 days) every-minute cron, that fetches from WS, written via SoapServer gets "Bad Gateway" reply. On server-side there an [notice] child pid 1892 exit signal Segmentation fault (11) in error.log and one of: kernel: [3878097.399362] php[23893]: segfault at 7fa3e51aded0 ip 7fa3e51aded0 sp 7fa3e35f0128 error 14 in librt-2.9.so[7fa3e9822000+7000] kernel: [3879416.960444] php[24282]: segfault at 7ff7addc9edb ip 7ff7ab8024d7 sp 7ff7ac20bca0 error 4 in libgcc_s.so.1[7ff7ab7f1000+1a000] in dmesg. After suhosin enabled in sumulation mode, there [error] [client 87.106.137.135] ALERT-SIMULATION - canary mismatch on efree() - heap overflow detected (attacker '87.106.137.135', file '/var/www/yii/framework/web/services/CWebService.php', line 154) messages. Same request executed right after error works fine. So, i have enabled buffer overflow coredump in suhosin, and here an coredump attached. Can't post full reproduce code, since crash very random. System is dual-core Opteron. PHP 5.2.11-1 with Suhosin-Patch 0.9.7 (cli) (built: Sep 20 2009 11:41:46) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH Reproduce code: --- Dies every time on $server=new SoapServer($this->wsdlUrl,$this->getOptions()); where $this->wsdlUrl = "http://dev-eworld.direktbill.de/y/wsdl/quote";; Expected result: Always works Actual result: -- #0 0x7f699b9c566b in suhosin_log () from /usr/lib/php5/20060613/suhosin.so No symbol table info available. #1 0x7f69a402e1dd in _zend_mm_free_int (heap=0xf3eb40, p=0x1374360) at /tmp/buildd/php5-5.2.11.dfsg.1/Zend/zend_alloc.c:2036 check = 18433888 mm_block = 0x1374338 next_block = 0x7f69a4537e40 size = 0 #2 0x7f69a401927b in php_stream_tidy_wrapper_error_log (wrapper=0x7f69a4537e40) at /tmp/buildd/php5-5.2.11.dfsg.1/main/streams/streams.c:195 i = 1 #3 0x7f69a401aae5 in _php_stream_open_wrapper_ex (path=0x1194760 "http://dev-eworld.direktbill.de/y/wsdl/quote";, mode=0x7f69a25c51a0 "\220\066\350\246i\177", options=12, opened_path=0x0, context=0x131ec40) at /tmp/buildd/php5-5.2.11.dfsg.1/main/streams/streams.c:1899 stream = 0x131ec40 wrapper = 0x7f69a4537e40 path_to_open = 0x10814a8 "@~S\244i\177" persistent = 0 copy_of_path = 0x7fffe4fe11ef "" #4 0x7f69a3e63b89 in php_libxml_streams_IO_open_wrapper ( filename=0x1194760 "http://dev-eworld.direktbill.de/y/wsdl/quote";, mode=0x7f69a40c6d7f "rb", read_only=1) at /tmp/buildd/php5-5.2.11.dfsg.1/ext/libxml/libxml.c:323 ssbuf = {sb = {st_dev = 2749774729, st_ino = 23387733, st_nlink = 2803224128, st_mode = 20143263, st_uid = 0, st_gid = 2803224128, __pad0 = 32617, st_rdev = 20143287, st_size