Edit report at https://bugs.php.net/bug.php?id=60339&edit=1
ID: 60339
Updated by: fel...@php.net
Reported by: yohgaki at ohgaki dot net
Summary: valgrind reports LEAK --with-mm
-Status: Open
+Status: Closed
Type: Bug
Package: Session related
Operating System: Linux
PHP Version: 5.4.0RC1
-Assigned To:
+Assigned To: felipe
Block user comment: N
Private report: N

New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

For Windows: http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

I can reproduce it. :P
Patch committed, thanks!

Previous Comments:
------------------------------------------------------------------------
[2011-11-19 18:50:37] fel...@php.net

Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=319553
Log:
- Fixed bug #60339 (valgrind reports LEAK --with-mm) patch by: yohgaki at ohgaki dot net

------------------------------------------------------------------------
[2011-11-19 18:30:23] yohgaki at ohgaki dot net

I've tested as follows (from my bash history):

 1004 tar zxvf ../Download/php-5.4.0RC1.tar.bz2
 1005 cd php-5.4.0RC1/
 1006 ./configure --with-mm && make -j 8
 1007 TEST_PHP_EXECUTABLE="./sapi/cli/php" ./run-tests.php -m ext/session/

Felipe, if you could commit the patch, I'd appreciate it.

If you take a look at PHP_MINIT_FUNCTION(ps_mm) in ext/session/mod_mm.c, you'll see it will underflow by 1 byte when strlen(PS(save_path)) equals 0.

------------------------------------------------------------------------
[2011-11-19 18:20:44] yohgaki at ohgaki dot net

Since my tree is full of changes for the strict session patch, could anyone commit the patch for this bug? The patch should be applied to php-src, php-src-5.4 and php-src-5.3.

I'm not sure if this bug is exploitable with the current memory manager. Since DEFAULT_SLASH would be ascii 47 or 97, it would be difficult.
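To make the empty-save_path case described in the comments above concrete, here is an added C reconstruction of the ps_mm path-building step; it is example code, not PHP's own mod_mm.c. The function name build_mm_path, the mod_name/euid arguments and the PS_MM_FILE prefix value are assumptions; the unguarded condition is kept as a comment beside the guarded one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_SLASH '/'
/* Assumed value of mod_mm.c's PS_MM_FILE prefix (constructed for this example). */
#define PS_MM_FILE "session_mm_"

/* Hypothetical reconstruction of the ps_mm path building, not PHP's code.
 * Result: "<save_path>/" PS_MM_FILE "<mod_name><euid>"; the caller frees it. */
char *build_mm_path(const char *save_path, const char *mod_name, unsigned euid)
{
    size_t save_path_len = strlen(save_path);
    size_t mod_name_len = strlen(mod_name);
    char euid_buf[16];
    size_t euid_len = (size_t)snprintf(euid_buf, sizeof euid_buf, "%u", euid);

    /* The "+ 1" reserves the slash byte, so the write below is always in
     * bounds; the defect was only in the read that decides whether a slash
     * is needed. */
    char *ps_mm_path = malloc(save_path_len + 1 + (sizeof(PS_MM_FILE) - 1)
                              + mod_name_len + euid_len + 1);
    if (ps_mm_path == NULL)
        return NULL;
    memcpy(ps_mm_path, save_path, save_path_len);

    /* Unguarded original:
     *   if (save_path[save_path_len - 1] != DEFAULT_SLASH)
     * With save_path_len == 0 this reads save_path[-1], one byte before the
     * buffer (the underflow in bug #60339). The length check removes that read. */
    if (save_path_len && save_path[save_path_len - 1] != DEFAULT_SLASH) {
        ps_mm_path[save_path_len] = DEFAULT_SLASH;
        save_path_len++;
    }

    memcpy(ps_mm_path + save_path_len, PS_MM_FILE, sizeof(PS_MM_FILE) - 1);
    save_path_len += sizeof(PS_MM_FILE) - 1;
    memcpy(ps_mm_path + save_path_len, mod_name, mod_name_len);
    save_path_len += mod_name_len;
    memcpy(ps_mm_path + save_path_len, euid_buf, euid_len);
    ps_mm_path[save_path_len + euid_len] = '\0';
    return ps_mm_path;
}
```

Compiling the unguarded variant with AddressSanitizer (or running it under valgrind) and calling it with an empty save_path flags the one-byte read before the buffer, which is the check worth adding to a regression test.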
------------------------------------------------------------------------
[2011-11-19 18:10:06] fel...@php.net

I can't reproduce it. Are you using any .INI?

=====================================================================
PHP         : sapi/cli/php
PHP_SAPI    : cli
PHP_VERSION : 5.4.0RC2-dev
ZEND_VERSION: 2.4.0
PHP_OS      : Linux - Linux sig11 2.6.32-5-amd64 #1 SMP Mon Oct 3 03:59:20 UTC 2011 x86_64
INI actual  : /home/felipe/dev/php5_4
More .INIs  :
CWD         : /home/felipe/dev/php5_4
Extra dirs  :
VALGRIND    : valgrind-3.6.0.SVN-Debian
=====================================================================

------------------------------------------------------------------------
[2011-11-19 17:59:23] yohgaki at ohgaki dot net

I figured out the cause. This is a simple underflow. The correct patch is this:

--- mod_mm.c (ãªãã¸ã§ã³ 319529) +++ mod_mm.c (ä½æ¥ã³ãã¼) @@ -278,7 +278,7 @@ ps_mm_path = emalloc(save_path_len + 1 + (sizeof(PS_MM_FILE) - 1) + mod_name_len + euid_len + 1); memcpy(ps_mm_path, PS(save_path), save_path_len); - if (PS(save_path)[save_path_len - 1] != DEFAULT_SLASH) { + if (save_path_len && PS(save_path)[save_path_len - 1] != DEFAULT_SLASH) { ps_mm_path[save_path_len] = DEFAULT_SLASH; save_path_len++; }

------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=60339
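Review bot: The `save_path_len &&` guard in the changed `if` is the right minimal fix for this hunk: when session.save_path is empty the old condition indexed `PS(save_path)[save_path_len - 1]`, i.e. one byte before the buffer, which is the underflow the reporter describes; the `emalloc(save_path_len + 1 + ...)` size already reserved the slash byte, so the write `ps_mm_path[save_path_len] = DEFAULT_SLASH` was never out of bounds and only the read needed guarding. Two follow-ups: with an empty path no DEFAULT_SLASH is inserted and `memcpy` copies zero bytes, so the resulting `ps_mm_path` has no directory component at all, which deserves a comment or an explicit decision about what an empty save_path should mean for this handler; and a .phpt under ext/session/tests that runs with an empty session.save_path and --with-mm would catch a regression without needing valgrind.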