Debian Bug report logs - #450581
libapache2-mod-php5: ob_start (with gzhandler?) takes 100% mem+swap within a few seconds

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: tluyben <debian@ab.tl>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libapache2-mod-php5: ob_start (with gzhandler?) takes 100% mem+swap within a few seconds

Date: Thu, 08 Nov 2007 11:42:02 +0100

Package: libapache2-mod-php5
Version: 5.x
Severity: critical
Justification: breaks the whole system

More info; 

http://brainfish-eat-fishbrain.blogspot.com/2007/11/checking-what-is-eating-your-memory_08.html

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686-bigmem
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Message #10 received at 450581@bugs.debian.org (full text, mbox, reply):

From: tluyben <debian@ab.tl>

To: 450581@bugs.debian.org

Subject: Additional information

Date: Thu, 8 Nov 2007 11:58:15 +0100

[Message part 1 (text/plain, inline)]

I tried different versions of PHP5; the latest Ubuntu  version has the
problem as well and
both Sarge & Etch  of deb are  affected.

I can send the reproducing code to someone privately if required, but it is
a site
by a client, so I cannot put it in the mailinglist.

[Message part 2 (text/html, inline)]

Message #15 received at 450581@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>

To: tluyben <debian@ab.tl>, 450581@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: [php-maint] Bug#450581: libapache2-mod-php5: ob_start (with gzhandler?) takes 100% mem+swap within a few seconds

Date: Thu, 08 Nov 2007 14:45:42 +0100

severity 450581 normal
thank you

It's normal bug in php.  Certainly not critical.  Linux systems has
several ways how to prevent processes eating all the available memory.

For the record:

Finally I found out what it was AND it was / is (using this script) a
major flaw in the (gz) output handler; a user on the server uses in his
code;

ob_start("ob_gzhandler", 9);

something();

ob_flush();

If something() generates a certain amounts of data, the ob_gzhandler
will get stuck in a loop, eating all memory. 

In the user his particular case, because his database was not working,
some pages always have this 'magic size' (probably some factor of 9 in
this case). 

I tried this on the latest stable of PHP 5 and the bug is still there;
you can crash any php hosting machine on the net with this :(

As to prevent this kind of thing from happening, I put the following
code on the machines; 




#!/usr/bin/perl

$maxmem=10;

while(1) {
  @r=`ps auxwhww|awk '{print \$4,\$2,\$11,\$12,\$13,\$15}'|grep httpd-users|grep -v grep`;
  foreach(@r) {
   chomp;
   /(.*?)\ (.*?)\ (.*)/;
   if ($1>$maxmem) {
    print "$_ killed\n";
    `kill -9 $2`;
   }
  sleep 1;
}


Update: Only PHP5.x is affected, not lower (tested); didn't try higher.
I have code to reproduce it every run.


tluyben píše v Čt 08. 11. 2007 v 11:42 +0100:
> Package: libapache2-mod-php5
> Version: 5.x
> Severity: critical
> Justification: breaks the whole system
> 
> More info; 
> 
> http://brainfish-eat-fishbrain.blogspot.com/2007/11/checking-what-is-eating-your-memory_08.html
> 
> -- System Information:
> Debian Release: 4.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-3-686-bigmem
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> 
> 
> 
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
-- 
Ondřej Surý <ondrej@sury.org>  ***  http://blog.rfc1925.org/
Kulturní občasník              ***  http://www.obcasnik.cz/
Nehoupat, prosím               ***  http://nehoupat.blogspot.com/

Message #22 received at 450581@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>

To: tluyben <debian@ab.tl>

Cc: 450581@bugs.debian.org

Subject: Re: [php-maint] Bug#450581: libapache2-mod-php5: ob_start (with gzhandler?) takes 100% mem+swap within a few seconds

Date: Thu, 08 Nov 2007 15:03:08 +0100

> Yeah, my admin tried a bunch of those methods; the machines went down 
> every time.  But that might have been a config issue; it makes php
> unusable at any rate as I can DOS any server running php5 now. 

I am sure that running php as fastcgi in ulimited environment will help.

Fact that libapache2-mod-php5 is unsafe in shared environment is unsafe
was true even before this bug.

Ondrej.
-- 
Ondřej Surý <ondrej@sury.org>  ***  http://blog.rfc1925.org/
Kulturní občasník              ***  http://www.obcasnik.cz/
Nehoupat, prosím               ***  http://nehoupat.blogspot.com/

Message #27 received at 450581@bugs.debian.org (full text, mbox, reply):

From: tluyben <debian@ab.tl>

To: "Ondřej Surý" <ondrej@sury.org>

Cc: 450581@bugs.debian.org

Subject: Re: [php-maint] Bug#450581: libapache2-mod-php5: ob_start (with gzhandler?) takes 100% mem+swap within a few seconds

Date: Thu, 8 Nov 2007 15:17:02 +0100

[Message part 1 (text/plain, inline)]

Yes, you are very right; we were moving to that set-up anyway. Thank you.

On Nov 8, 2007 3:03 PM, Ondřej Surý <ondrej@sury.org> wrote:

>
>
> > Yeah, my admin tried a bunch of those methods; the machines went down
> > every time.  But that might have been a config issue; it makes php
> > unusable at any rate as I can DOS any server running php5 now.
>
> I am sure that running php as fastcgi in ulimited environment will help.
>
> Fact that libapache2-mod-php5 is unsafe in shared environment is unsafe
> was true even before this bug.
>
> Ondrej.
> --
> Ondřej Surý <ondrej@sury.org>  ***  http://blog.rfc1925.org/
> Kulturní občasník              ***  http://www.obcasnik.cz/
> Nehoupat, prosím               ***  http://nehoupat.blogspot.com/
>
>
>

[Message part 2 (text/html, inline)]

Message #32 received at 450581-done@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>

To: 465081-done@bugs.debian.org, 537794-done@bugs.debian.org, 553048-done@bugs.debian.org, 574610-done@bugs.debian.org, 584885-done@bugs.debian.org, 584957-done@bugs.debian.org, 594613-done@bugs.debian.org, 493045-done@bugs.debian.org, 549492-done@bugs.debian.org, 450581-done@bugs.debian.org, 502174-done@bugs.debian.org, 543177-done@bugs.debian.org, 547134-done@bugs.debian.org, 552089-done@bugs.debian.org, 556523-done@bugs.debian.org, 559273-done@bugs.debian.org, 576147-done@bugs.debian.org, 578754-done@bugs.debian.org, 601602-done@bugs.debian.org, 609355-done@bugs.debian.org, 419649-done@bugs.debian.org, 442063-done@bugs.debian.org, 500567-done@bugs.debian.org, 513429-done@bugs.debian.org, 528600-done@bugs.debian.org, 597650-done@bugs.debian.org, 603641-done@bugs.debian.org, 405067-done@bugs.debian.org, 430397-done@bugs.debian.org, 440775-done@bugs.debian.org, 591759-done@bugs.debian.org, 565387-done@bugs.debian.org, 507762-done@bugs.debian.org, 529278-done@bugs.debian.org, 556459-done@bugs.debian.org

Subject: Closing segfaults (and some other minor bugs) for version older than squeeze (5.3.3)

Date: Wed, 27 Apr 2011 10:28:24 +0200

Version: 5.3.3-7

Hi,

since lenny is oldstable it will not get any updates now (except
security)[1], I am closing all segfault bugs filled against php5 in
lenny. (This is kind of saying that we don't care much about php5 in
lenny anymore).

If you believe the bug is still there, please provide evidence[2] and
a (preferably complete) test case with up-to-date squeeze (and/or
testing or unstable) version of php5 and reopen the bug.

O.
1. http://wiki.debian.org/PHP#Notes_on_PHP_and_security
2. Install php5-dbg and provide backtrace:
http://bugs.php.net/bugs-generating-backtrace.php
-- 
Ondřej Surý <ondrej@sury.org>

Send a report that this bug log contains spam.