From:
Operating system: Debian Squeeze
PHP version: 5.3.9RC4
Package: FPM related
Bug Type: Bug
Bug description: memory corruption when web server closed the fcgi fd(?)
Description:
------------
I tried php5.3.9RC4 today and got a few core dumps. I think in b) fcgi_flush() returns false, making fcgi_write return -1. Then sapi_cgibin_single_write will make it positive because ret is unsigned in c). As a result, the comparison in d) will fail. In the debugger it looks like PHP is looping over open_packet() in an infinite loop. Each time out_pos gets increased a little. Finally, after overwriting the whole stack, it will SIGSEGV.

=== https://svn.php.net/repository/php/php-src/tags/php_5_3_9RC4/sapi/fpm/fpm/fastcgi.c ===

int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int len)
{
	int limit, rest;

	if (len <= 0) {
		return 0;
	}

	if (req->out_hdr && req->out_hdr->type != type) {
		close_packet(req);
	}

	/* Optimized version */
	limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
	if (!req->out_hdr) {
		limit -= sizeof(fcgi_header);
		if (limit < 0) limit = 0;
	}

	if (len < limit) {
		if (!req->out_hdr) {
			open_packet(req, type);
		}
		memcpy(req->out_pos, str, len);
		req->out_pos += len;
	} else if (len - limit < sizeof(req->out_buf) - sizeof(fcgi_header)) {
		if (!req->out_hdr) {
			open_packet(req, type);          /* a) */
		}
		if (limit > 0) {
			memcpy(req->out_pos, str, limit);
			req->out_pos += limit;
		}
		if (!fcgi_flush(req, 0)) {
			return -1;                       /* b) */
		}

=== https://svn.php.net/repository/php/php-src/tags/php_5_3_9RC4/sapi/fpm/fpm/fpm_main.c ===

static inline size_t sapi_cgibin_single_write(const char *str, uint str_length TSRMLS_DC)
{
	size_t ret;                              /* c) */

	/* sapi has started which means everyhting must be send through fcgi */
	if (fpm_is_running) {
		fcgi_request *request = (fcgi_request*) SG(server_context);
		ret = fcgi_write(request, FCGI_STDOUT, str, str_length);
		if (ret <= 0) {                      /* d) */
			return 0;
		}
		return ret;
	}

--
Edit bug report at https://bugs.php.net/bug.php?id=60629&edit=1
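The sign-conversion path the report describes, reduced to a stand-alone C model. This is an added illustration, not the reporter's code and not PHP's: model_fcgi_write, single_write_unsigned, single_write_signed and drain are hypothetical names, and drain is an assumed shape for a caller that writes a buffer in chunks (the real caller in fpm_main.c is not quoted in the report). It shows why storing the -1 in a size_t defeats the "ret <= 0" check and how the caller's loop then fails to terminate, beside the corrected shape that keeps the signed result until the error has been checked.

```c
/* Added illustration (hypothetical code, not PHP's): a negative return value
 * disappears when it is stored in an unsigned variable before being checked. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for fcgi_write(): returns -1 when the flush fails (case b) in the
 * report), otherwise the number of bytes accepted. */
static int model_fcgi_write(int flush_fails, int len) {
    if (len <= 0) return 0;
    if (flush_fails) return -1;
    return len;
}

/* Same shape as the quoted sapi_cgibin_single_write(): the result lands in a
 * size_t (c), so -1 becomes SIZE_MAX and the "ret <= 0" test (d) is never true
 * for the error case. */
size_t single_write_unsigned(int flush_fails, int len) {
    size_t ret = (size_t) model_fcgi_write(flush_fails, len);
    if (ret <= 0) return 0;       /* only catches a genuine 0, never -1 */
    return ret;
}

/* Corrected shape: compare the signed value, convert only after the check. */
size_t single_write_signed(int flush_fails, int len) {
    int ret = model_fcgi_write(flush_fails, len);
    if (ret <= 0) return 0;       /* -1 is caught here */
    return (size_t) ret;
}

/* Assumed caller: write `total` bytes in chunks, stopping on a zero return.
 * Returns the number of iterations used, or -1 if it gave up after max_iters
 * (a real loop has no such bound; the bound only keeps this model runnable). */
int drain(size_t (*writer)(int, int), int flush_fails, size_t total, int max_iters) {
    size_t remaining = total;
    int iters = 0;
    while (remaining > 0) {
        if (++iters > max_iters) return -1;
        size_t ret = writer(flush_fails, (int) remaining);
        if (ret == 0) return iters;   /* error reported correctly: stop */
        /* With ret == SIZE_MAX this wraps to remaining + 1: the loop never
         * converges, which is the "increases a little each time" symptom. */
        remaining -= ret;
    }
    return iters;
}

int main(void) {
    printf("unsigned path on flush failure returns %zu (SIZE_MAX is %zu)\n",
           single_write_unsigned(1, 10), (size_t) SIZE_MAX);
    printf("signed path on flush failure returns %zu\n", single_write_signed(1, 10));
    printf("drain with unsigned writer: %d iterations (-1 = did not terminate)\n",
           drain(single_write_unsigned, 1, 10, 1000));
    printf("drain with signed writer: %d iterations\n",
           drain(single_write_signed, 1, 10, 1000));
    return 0;
}
```

The fix is the usual one for this class of defect: keep the callee's signed return type until the error has been tested, or change the callee to report errors out of band, so that no caller has to remember the conversion.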