Debian Bug report logs - #535148
heap overflows after upgrade to 5.2.10


Package: php5-cgi; Maintainer for php5-cgi is (unknown);

Reported by: Michal Čihař <nijel@debian.org>

Date: Tue, 30 Jun 2009 07:03:02 UTC

Severity: important

Tags: moreinfo

Found in version php5/5.2.10.dfsg.1-1

Fixed in version 5.2.11.dfsg.1-1

Done: Michal Čihař <nijel@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Tue, 30 Jun 2009 07:03:04 GMT)

Acknowledgement sent to Michal Čihař <nijel@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 30 Jun 2009 07:03:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michal Čihař <nijel@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: heap overflows after upgrade to 5.2.10
Date: Tue, 30 Jun 2009 08:58:53 +0200
Package: php5-cgi
Version: 5.2.10.dfsg.1-1
Severity: important

Just after upgrade from 5.2.9 to 5.2.10, php-cgi started to segfault and
suhosin complains about heap overflow:

suhosin[22305]: ALERT - canary mismatch on efree() - heap overflow
detected

Downgrading back to 5.2.9 fixes this issue.

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-vserver-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-cgi depends on:
ii  libbz2-1.0             1.0.5-3           high-quality block-sorting file co
ii  libc6                  2.9-18            GNU C Library: Shared libraries
ii  libcomerr2             1.41.6-1          common error description library
ii  libdb4.7               4.7.25-7          Berkeley v4.7 Database Libraries [
ii  libgssapi-krb5-2       1.7dfsg~beta3-1   MIT Kerberos runtime libraries - k
ii  libk5crypto3           1.7dfsg~beta3-1   MIT Kerberos runtime libraries - C
ii  libkrb5-3              1.7dfsg~beta3-1   MIT Kerberos runtime libraries
ii  libmagic1              5.03-1            File type determination library us
ii  libpcre3               7.8-2             Perl 5 Compatible Regular Expressi
ii  libssl0.9.8            0.9.8k-3          SSL shared libraries
ii  libxml2                2.7.3.dfsg-1      GNOME XML library
ii  mime-support           3.46-1            MIME files 'mime.types' & 'mailcap
ii  php5-common            5.2.10.dfsg.1-1   Common files for packages built fr
ii  tzdata                 2009j-1           time zone and daylight-saving time
ii  ucf                    3.0018            Update Configuration File: preserv
ii  zlib1g                 1:1.2.3.3.dfsg-14 compression library - runtime

php5-cgi recommends no packages.

Versions of packages php5-cgi suggests:
pn  php-pear                      <none>     (no description available)

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Tue, 30 Jun 2009 07:09:02 GMT)

Acknowledgement sent to Michal Čihař <nijel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 30 Jun 2009 07:09:02 GMT)

Message #10 received at 535148@bugs.debian.org:

From: Michal Čihař <nijel@debian.org>
To: 535148@bugs.debian.org
Subject: Re: heap overflows after upgrade to 5.2.10
Date: Tue, 30 Jun 2009 09:06:41 +0200
Dne Tue, 30 Jun 2009 08:58:53 +0200
Michal Čihař <nijel@debian.org> napsal(a):

> Package: php5-cgi
> Version: 5.2.10.dfsg.1-1
> Severity: important
> 
> Just after upgrade from 5.2.9 to 5.2.10, php-cgi started to segfault and
> suhosin complains about heap overflow:
> 
> suhosin[22305]: ALERT - canary mismatch on efree() - heap overflow
> detected
> 
> Downgrading back to 5.2.9 fixes this issue.

Just to clarify: downgrading just php5-cgi + php5-common fixes the
issue, no modules had to be downgraded.

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Tue, 30 Jun 2009 07:42:10 GMT)

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 30 Jun 2009 07:42:10 GMT)

Message #15 received at 535148@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Michal Čihař <nijel@debian.org>, 535148@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [php-maint] Bug#535148: heap overflows after upgrade to 5.2.10
Date: Tue, 30 Jun 2009 09:23:45 +0200
tags 535148 moreinfo
thanks

hi michal,

On Tue, Jun 30, 2009 at 08:58:53AM +0200, Michal Čihař wrote:
> Just after upgrade from 5.2.9 to 5.2.10, php-cgi started to segfault and
> suhosin complains about heap overflow:
> 
> suhosin[22305]: ALERT - canary mismatch on efree() - heap overflow
> detected

could you please provide:

* gdb backtrace identifying the crash location
* a short sample chunk of code which triggers the problem
* (ideally) valgrind output


thanks,
	sean

Tags added: moreinfo Request was from sean finney <seanius@debian.org> to control@bugs.debian.org. (Tue, 30 Jun 2009 07:42:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Wed, 01 Jul 2009 11:33:02 GMT)

Acknowledgement sent to David Sommerseth <dazo@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 01 Jul 2009 11:33:02 GMT)

Message #22 received at 535148@bugs.debian.org:

From: David Sommerseth <dazo@users.sourceforge.net>
To: 535148@bugs.debian.org
Subject: heap overflows after upgrade to 5.2.10
Date: Wed, 01 Jul 2009 13:28:43 +0200
I am experiencing the same issues on a Gentoo box as well.

To reproduce:
<?php
@session_start();
?>

a similar issue comes, but not as frequently if using:

<?php
if (!(session_id()) )
        session_start();
?>

This causes a plain segfault in the logs:
[Wed Jul 01 11:24:48 2009] [notice] child pid 22838 exit signal 
Segmentation fault (11)


I configured Apache to dump core ... but the backtrace didn't give 
too much:

(gdb) bt
#0  0x4e0960f7 in _zend_hash_add_or_update () from 
/usr/lib/apache2/modules/libphp5.so
#1  0x00000000 in ?? ()


Hope this helps somewhat ... I have not found this bug reported anywhere 
else at the moment.


kind regards,

David Sommerseth




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Fri, 10 Jul 2009 08:48:13 GMT)

Acknowledgement sent to Jérémy Lal <jerry@edagames.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 10 Jul 2009 08:48:13 GMT)

Message #27 received at 535148@bugs.debian.org:

From: Jérémy Lal <jerry@edagames.com>
To: 535148@bugs.debian.org
Subject: very similar bug
Date: Fri, 10 Jul 2009 10:32:09 +0200
i just discovered a very similar problem, but only on the
5.2.10-dfsg1.1 -> 5.2.10-dfsg1.2
transition, which i did yesterday i think.

however, in my case there may be something different:
the segfault doesn't happen each time.
i have two php-cgi instances (fastcgi), and apparently
one instance doesn't segfault, while the other does.

i hope that makes sense :)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Fri, 10 Jul 2009 15:42:02 GMT)

Message #30 received at 535148@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: Jérémy Lal <jerry@edagames.com>
Cc: 535148@bugs.debian.org
Subject: Re: very similar bug
Date: Fri, 10 Jul 2009 10:33:29 -0500
On Friday 10 July 2009 03:32:09 Jérémy Lal wrote:
> i just discovered a very similar problem, but only on the
> 5.2.10-dfsg1.1 -> 5.2.10-dfsg1.2
> transition, which i did yesterday i think.
>
> however, in my case there maybe something different :
> the segfault doesn't happen each time.
> i have two php-cgi instances (fastcgi), and apparently
> one instance doesn't segfault, while the other does.
>

Please install php5-dbg, gdb, and attach gdb to the processes and provide a 
backtrace of the crash. I've been unable to reproduce it.

What architecture do you use? does it have multiple cores?

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Fri, 10 Jul 2009 15:45:06 GMT)

Acknowledgement sent to Jérémy Lal <jerry@edagames.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 10 Jul 2009 15:45:06 GMT)

Message #35 received at 535148@bugs.debian.org:

From: Jérémy Lal <jerry@edagames.com>
To: 535148@bugs.debian.org
Subject: Re: very similar bug
Date: Fri, 10 Jul 2009 17:35:05 +0200
On 10/07/2009 17:33, Raphael Geissert wrote:
> On Friday 10 July 2009 03:32:09 Jérémy Lal wrote:
>> i just discovered a very similar problem, but only on the
>> 5.2.10-dfsg1.1 ->  5.2.10-dfsg1.2
>> transition, which i did yesterday i think.
>>
>> however, in my case there maybe something different :
>> the segfault doesn't happen each time.
>> i have two php-cgi instances (fastcgi), and apparently
>> one instance doesn't segfault, while the other does.
>>
>
> Please install php5-dbg, gdb, and attach gdb to the processes and provide a
> backtrace of the crash. I've been unable to reproduce it.
i'll do that this week-end and keep you informed
>
> What architecture do you use? does it have multiple cores?
one CoreDuo intel proc (2cores), 32 bits.
i'm using lighttpd + fcgi + php-cgi, configured to spawn two php-cgi instances, one child each.
this is a development machine...







Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Fri, 17 Jul 2009 14:36:02 GMT)

Acknowledgement sent to Chris.Chiappa@oracle.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 17 Jul 2009 14:36:02 GMT)

Message #40 received at 535148@bugs.debian.org:

From: Chris Chiappa <Chris.Chiappa@oracle.com>
To: 535148@bugs.debian.org
Subject: Seeing it as well
Date: Fri, 17 Jul 2009 10:32:50 -0400
I'm on a Core2Duo with 2 cores:
model name        : Intel(R) Core(TM)2 Duo CPU     E6550  @ 2.33GHz
running in amd64 mode.  I'm trying to run mediawiki under apache2.
I don't have any experience debugging php but I'm reasonably handy with
a debugger.  Here's the backtrace, let me know what else would be useful...

#0  0x00007f7246307339 in _zend_hash_add_or_update (ht=0x2e7a220, 
    arKey=0x28f06f0 "HTTP_USER_AGENT", nKeyLength=16,
pData=0x84049bd9e, 
    nDataSize=32767, pDest=0x0, flag=1177301955)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_hash.c:402
#1  0x00007f72462c33c3 in php_register_variable_ex (
    var_name=0x28f0700 "\337\364\277\200\bvT\16", val=0x2b99850, 
    track_vars_array=0x7f72467f7cc0)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_hash.h:341
#2  0x00007f724615170a in php_sapi_filter (arg=42927872, 
    var=0x7f724049bd9e "HTTP_USER_AGENT", val=0x0, val_len=106, 
    new_val_len=0x0)
    at /build/buildd/php5-5.2.10.dfsg.1/ext/filter/filter.c:396
#3  0x00007f72462bd162 in sapi_getenv (name=0x7f724049bd9e "HTTP_USER_AGENT", 
    name_len=12675185) at /build/buildd/php5-5.2.10.dfsg.1/main/SAPI.c:950
#4  0x00007f724049a6b4 in suhosin_generate_key ()
   from /usr/lib/php5/20060613/suhosin.so
#5  0x00007f724049ab2c in ?? () from /usr/lib/php5/20060613/suhosin.so
#6  0x00007f72461c3786 in php_session_start ()
    at /build/buildd/php5-5.2.10.dfsg.1/ext/session/session.c:481
#7  0x00007f72461c3e59 in zif_session_start (ht=42927872, 
    return_value=0x28fb640, return_value_ptr=0x0, this_ptr=0x28f0700, 
    return_value_used=8)
    at /build/buildd/php5-5.2.10.dfsg.1/ext/session/session.c:1796
#8  0x00007f7240496c9d in ?? () from /usr/lib/php5/20060613/suhosin.so
#9  0x00007f7246333c31 in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7fff56591c50)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:202
#10 0x00007f724631d3b4 in execute (op_array=0x28b5df0)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
#11 0x00007f7240497126 in ?? () from /usr/lib/php5/20060613/suhosin.so
#12 0x00007f724633387e in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7fff56595810)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:234
#13 0x00007f724631d3b4 in execute (op_array=0x27ed1a0)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
#14 0x00007f7240497126 in ?? () from /usr/lib/php5/20060613/suhosin.so
#15 0x00007f724632240b in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (
    execute_data=0x7fff56596820)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:4672
#16 0x00007f724631d3b4 in execute (op_array=0x260e828)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
#17 0x00007f7240497126 in ?? () from /usr/lib/php5/20060613/suhosin.so
#18 0x00007f724632240b in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (
    execute_data=0x7fff56597bf0)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:4672
#19 0x00007f724631d3b4 in execute (op_array=0x260cba0)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
#20 0x00007f7240497126 in ?? () from /usr/lib/php5/20060613/suhosin.so
#21 0x00007f72462f96d8 in zend_execute_scripts (type=32767, retval=0x0, 
    file_count=1448705528) at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend.c:1215
#22 0x00007f72462b4698 in php_execute_script (primary_file=0x26d2dc8)
    at /build/buildd/php5-5.2.10.dfsg.1/main/main.c:2046
#23 0x00007f724636ed15 in php_handler (r=0x7f7243def8fa)
    at /build/buildd/php5-5.2.10.dfsg.1/sapi/apache2handler/sapi_apache2.c:651
#24 0x000000000043b623 in ap_run_handler ()
#25 0x000000000043eb4f in ap_invoke_handler ()
#26 0x000000000044bbd8 in ap_process_request ()
#27 0x0000000000448cd8 in ?? ()
#28 0x0000000000442a13 in ap_run_process_connection ()
#29 0x000000000045017d in ?? ()
#30 0x00000000004504d4 in ?? ()
#31 0x0000000000450a5f in ap_mpm_run ()
#32 0x0000000000428425 in main ()

-- 

..ooOO chris@chiappa.net              | My opinions are my own  OOoo..
..ooOO chris.chiappa@oracle.com       | and certainly not those OOoo..
..ooOO http://www.chiappa.net/~chris/ | of my employer          OOoo..




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Fri, 17 Jul 2009 16:21:02 GMT)

Acknowledgement sent to Chris.Chiappa@oracle.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 17 Jul 2009 16:21:02 GMT)

Message #45 received at 535148@bugs.debian.org:

From: Chris Chiappa <Chris.Chiappa@oracle.com>
To: 535148@bugs.debian.org
Subject: Some more info...
Date: Fri, 17 Jul 2009 12:18:19 -0400
Some other information that may or may not be useful:

This is a very new install (within a couple of days), so I may not
have upgraded from any previous php5 install before trying to run
mediawiki.  I moved a mediawiki setup (database/config files) over
from another machine and it seemed to be working until I logged into
the mediawiki, at which point all accesses crashed.

-- 

..ooOO chris@chiappa.net              | My opinions are my own  OOoo..
..ooOO chris.chiappa@oracle.com       | and certainly not those OOoo..
..ooOO http://www.chiappa.net/~chris/ | of my employer          OOoo..




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Mon, 20 Jul 2009 19:00:05 GMT)

Acknowledgement sent to Chris.Chiappa@oracle.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 20 Jul 2009 19:00:05 GMT)

Message #50 received at 535148@bugs.debian.org:

From: Chris Chiappa <Chris.Chiappa@oracle.com>
To: 535148@bugs.debian.org
Subject: Downgrade fixes it
Date: Mon, 20 Jul 2009 14:55:53 -0400
Just confirming that for me as well, downgrading to 5.2.9.dfsg.1-4
fixes the problem.  Also of note, I realized that I did not actually
have php5-cgi installed, so this bug should perhaps be redirected at
just php5 or whatnot.

-- 

..ooOO chris@chiappa.net              | My opinions are my own  OOoo..
..ooOO chris.chiappa@oracle.com       | and certainly not those OOoo..
..ooOO http://www.chiappa.net/~chris/ | of my employer          OOoo..




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Tue, 28 Jul 2009 12:09:05 GMT)

Acknowledgement sent to Wilco Baan Hofman <wilco@baanhofman.nl>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 28 Jul 2009 12:09:05 GMT)

Message #55 received at 535148@bugs.debian.org:

From: Wilco Baan Hofman <wilco@baanhofman.nl>
To: 535148@bugs.debian.org
Subject: Crashes are suhosin related
Date: Tue, 28 Jul 2009 14:06:11 +0200

Hi,

I've noticed the same problem. Also, I've experienced no more
segmentation faults after disabling the suhosin.so extension by
commenting extension=suhosin.so in
/etc/php5/apache2/conf.d/suhosin.ini and obviously no heap corruption
errors, but that's to be expected. Everything seems to work as
expected that way.

This is on a Core 2 Duo, amd64 distribution. php5 is running as
apache2 module.

Package version information:
libapache2-mod-php5    5.2.10.dfsg.1-2
apache2                2.2.11-7

My gdb backtrace is below.

Regards,

Wilco Baan Hofman

--

#0  php_register_variable_ex (var_name=0x7f9ace1bfd9e
"HTTP_USER_AGENT", val=0xae6fd8, track_vars_array=0x1)
    at /build/buildd/php5-5.2.10.dfsg.1/main/php_variables.c:74
#1  0x00007f9ad568870a in php_sapi_filter (arg=-837026402,
var=0x7f9ace1bfd9e "HTTP_USER_AGENT", val=0x0, val_len=181,
new_val_len=0x14)
    at /build/buildd/php5-5.2.10.dfsg.1/ext/filter/filter.c:396
#2  0x00007f9ad57f4162 in sapi_getenv (name=0x7f9ace1bfd9e
"HTTP_USER_AGENT", name_len=3771512544) at
/build/buildd/php5-5.2.10.dfsg.1/main/SAPI.c:950
#3  0x00007f9ace1be6b4 in suhosin_generate_key () from
/usr/lib/php5/20060613/suhosin.so
#4  0x00007f9ace1beb2c in ?? () from /usr/lib/php5/20060613/suhosin.so
#5  0x00007f9ad56fa786 in php_session_start () at
/build/buildd/php5-5.2.10.dfsg.1/ext/session/session.c:481
#6  0x00007f9ad56fae59 in zif_session_start (ht=-837026402,
return_value=0x9f21a8, return_value_ptr=0xae6fd8,
this_ptr=0x2e3320524c432054,
    return_value_used=808660533) at
/build/buildd/php5-5.2.10.dfsg.1/ext/session/session.c:1796
#7  0x00007f9ace1bac9d in ?? () from /usr/lib/php5/20060613/suhosin.so
#8  0x00007f9ad586ac31 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffe0cccf00) at
/build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:202
#9  0x00007f9ad58543b4 in execute (op_array=0x9eaab8) at
/build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
#10 0x00007f9ace1bb126 in ?? () from /usr/lib/php5/20060613/suhosin.so
#11 0x00007f9ad5855ef4 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER
(execute_data=0x7fffe0ccd2f0)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:2097
#12 0x00007f9ad58543b4 in execute (op_array=0x9e8548) at
/build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
#13 0x00007f9ace1bb126 in ?? () from /usr/lib/php5/20060613/suhosin.so
#14 0x00007f9ad5855ef4 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER
(execute_data=0x7fffe0ccdee0)
    at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:2097
#15 0x00007f9ad58543b4 in execute (op_array=0x9e73d8) at
/build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
#16 0x00007f9ace1bb126 in ?? () from /usr/lib/php5/20060613/suhosin.so
#17 0x00007f9ad58306d8 in zend_execute_scripts (type=32767,
retval=0x0, file_count=-523443992) at
/build/buildd/php5-5.2.10.dfsg.1/Zend/zend.c:1215
#18 0x00007f9ad57eb698 in php_execute_script (primary_file=0x9eaab8)
at /build/buildd/php5-5.2.10.dfsg.1/main/main.c:2046
#19 0x00007f9ad58a5d15 in php_handler (r=0x5) at
/build/buildd/php5-5.2.10.dfsg.1/sapi/apache2handler/sapi_apache2.c:651
#20 0x000000000043b623 in ap_run_handler (r=0xa89898) at
/build/buildd/apache2-2.2.11/server/config.c:159
#21 0x000000000043eb4f in ap_invoke_handler (r=0xa89898) at
/build/buildd/apache2-2.2.11/server/config.c:373
#22 0x000000000044bbd8 in ap_process_request (r=0xa89898) at
/build/buildd/apache2-2.2.11/modules/http/http_request.c:282
#23 0x0000000000448cd8 in ap_process_http_connection (c=0xa42f08) at
/build/buildd/apache2-2.2.11/modules/http/http_core.c:190
#24 0x0000000000442a13 in ap_run_process_connection (c=0xa42f08) at
/build/buildd/apache2-2.2.11/server/connection.c:43
#25 0x000000000045017d in child_main (child_num_arg=<value optimized
out>) at /build/buildd/apache2-2.2.11/server/mpm/prefork/prefork.c:680
#26 0x00000000004504d4 in make_child (s=0x678938, slot=8) at
/build/buildd/apache2-2.2.11/server/mpm/prefork/prefork.c:777
#27 0x00000000004510f6 in perform_idle_server_maintenance
(_pconf=<value optimized out>, plog=<value optimized out>, s=<value
optimized out>)
    at /build/buildd/apache2-2.2.11/server/mpm/prefork/prefork.c:912
#28 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized
out>, s=<value optimized out>)
    at /build/buildd/apache2-2.2.11/server/mpm/prefork/prefork.c:1116
#29 0x0000000000428425 in main (argc=3, argv=0x7fffe0cd0a58) at
/build/buildd/apache2-2.2.11/server/main.c:742





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Wed, 29 Jul 2009 08:33:05 GMT)

Acknowledgement sent to Jérémy Lal <jerry@edagames.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 29 Jul 2009 08:33:05 GMT)

Message #60 received at 535148@bugs.debian.org:

From: Jérémy Lal <jerry@edagames.com>
To: 535148@bugs.debian.org
Subject: another backtrace
Date: Wed, 29 Jul 2009 10:23:24 +0200
the bug i get is related to #537788 :
i set suhosin.session.encrypt = off
and there's no more crash.


here's the bt i got :

Program received signal SIGSEGV, Segmentation fault.
0x082da4be in _zend_hash_add_or_update (ht=0x9f644b0, arKey=0x9d041b0 "FCGI_ROLE", nKeyLength=<error type>,
    pData=0xbf9be6a4, nDataSize=<error type>, pDest=0xbf9be6a0, flag=1)
    at /tmp/buildd/php5-5.2.10.dfsg.1/Zend/zend_hash.c:402
402	/tmp/buildd/php5-5.2.10.dfsg.1/Zend/zend_hash.c: No such file or directory.
	in /tmp/buildd/php5-5.2.10.dfsg.1/Zend/zend_hash.c
(gdb) bt
#0  0x082da4be in _zend_hash_add_or_update (ht=0x9f644b0, arKey=0x9d041b0 "FCGI_ROLE", nKeyLength=<error type>,
    pData=0xbf9be6a4, nDataSize=<error type>, pDest=0xbf9be6a0, flag=1)
    at /tmp/buildd/php5-5.2.10.dfsg.1/Zend/zend_hash.c:402
#1  0x08292394 in php_register_variable_ex (var_name=0x9d38418 "FCGI_ROLE", val=0xbf9be708, track_vars_array=0x9d349fc)
    at /tmp/buildd/php5-5.2.10.dfsg.1/Zend/zend_hash.h:341
#2  0x080faaea in php_sapi_filter (arg=4, var=0x9d38418 "FCGI_ROLE", val=0x9d38404, val_len=<error type>,
    new_val_len=0xbf9be7b4) at /tmp/buildd/php5-5.2.10.dfsg.1/ext/filter/filter.c:396
#3  0xb6c68787 in suhosin_input_filter_wrapper () from /usr/lib/php5/20060613+lfs/suhosin.so
#4  0x08348244 in cgi_php_import_environment_variables (array_ptr=0x9d01b94)
    at /tmp/buildd/php5-5.2.10.dfsg.1/sapi/cgi/cgi_main.c:618
#5  0x08291718 in php_auto_globals_create_env (name=0x8355813 "_ENV", name_len=<error type>)
    at /tmp/buildd/php5-5.2.10.dfsg.1/main/php_variables.c:820
#6  0x08293378 in php_hash_environment () at /tmp/buildd/php5-5.2.10.dfsg.1/main/php_variables.c:711
#7  0x08283ad5 in php_request_startup () at /tmp/buildd/php5-5.2.10.dfsg.1/main/main.c:1309
#8  0x083472a9 in main (argc=1, argv=0xbf9c0d24) at /tmp/buildd/php5-5.2.10.dfsg.1/sapi/cgi/cgi_main.c:1916





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Wed, 29 Jul 2009 09:42:03 GMT)

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 29 Jul 2009 09:42:03 GMT)

Message #65 received at 535148@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Wilco Baan Hofman <wilco@baanhofman.nl>, 535148@bugs.debian.org
Subject: Re: [php-maint] Bug#535148: Crashes are suhosin related
Date: Wed, 29 Jul 2009 11:38:50 +0200
hi wilco (and everyone else),

On Tue, Jul 28, 2009 at 02:06:11PM +0200, Wilco Baan Hofman wrote:
> I've noticed the same problem. Also, I've experienced no more
> segmentation faults after disabling the suhosin.so extension by
> commenting extension=suhosin.so in
> /etc/php5/apache2/conf.d/suhosin.ini and obviously no heap corruption
> errors, but that's to be expected. Everything seems to work as
> expected that way.

could you also try downgrading to the version in testing (5.2.9),
restart apache, and report if that fixes the problem as others have
mentioned?

i won't have time for probably a couple weeks (vacation, yay) to look
more into this.  here are some suggestions off the top of my
head about where the problem could be:

* un-announced ABI/API break in php5-dev 5.2.9 -> 5.2.10
* un-announced ABI/API break in suhosin patch 5.2.9 -> 5.2.10
* bug in latest version of suhosin patch
* bug in latest version of php5

some things that could be investigated by someone with more time:

* recompile/reinstall the unstable php5 5.2.10 packages without the
  suhosin patch, restart apache, and see if the problem goes away.
  this should determine whether the suhosin patch is playing a role
  in this.
* recompile/reinstall the php5-suhosin package on an unstable system with
  5.2.10 packages installed, restart apache, and see if the problem
  goes away.  this should determine whether there was an abi/api break
  in php5-dev

the latter should be much faster and easier to test, so you might
want to try that first.


	sean
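As an added illustration of two things in this log, the "canary mismatch on efree() - heap overflow detected" alert in the original report and the ABI-break hypotheses in sean's message above, the following C program is example code written for this page; it is not code from the bug report, from PHP or from suhosin, and it is not a diagnosis of this bug. canary_malloc()/canary_free() model the kind of guard-byte check a canary-protected allocator performs when a block is freed. request_info_v1/request_info_v2, module_fill() and run_request() are hypothetical names that simulate a host and an extension compiled against headers with different struct layouts: the extension writes one field further than the host allocated, and the trailing canary catches it at free time.

```c
/* Added example for this bug log; not code from PHP or suhosin.
 * All struct and function names below are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY_SIZE 8

/* Fixed so the example is deterministic; a real guard derives this from a
 * random source at process start so an attacker cannot forge it. */
static const uint8_t CANARY[CANARY_SIZE] = {0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d};

/* Guarded block layout: [size][leading canary][user bytes][trailing canary] */
struct guarded_header {
    size_t  size;
    uint8_t front[CANARY_SIZE];
};

static void *canary_malloc(size_t size)
{
    struct guarded_header *h = malloc(sizeof *h + size + CANARY_SIZE);
    if (!h) return NULL;
    h->size = size;
    memcpy(h->front, CANARY, CANARY_SIZE);
    uint8_t *user = (uint8_t *)(h + 1);
    memcpy(user + size, CANARY, CANARY_SIZE);   /* trailing canary */
    return user;
}

/* Frees the block and reports the canary check: 0 intact, -1 trailing
 * canary clobbered (overflow), -2 leading canary clobbered (underflow).
 * A real allocator would abort or log here instead of returning a code. */
static int canary_free(void *p)
{
    if (!p) return 0;
    struct guarded_header *h = (struct guarded_header *)p - 1;
    uint8_t *user = p;
    int rc = 0;
    if (memcmp(user + h->size, CANARY, CANARY_SIZE) != 0)
        rc = -1;
    else if (memcmp(h->front, CANARY, CANARY_SIZE) != 0)
        rc = -2;
    free(h);
    return rc;
}

/* Writes nwrite bytes into an nalloc-byte block. nwrite may exceed nalloc
 * by at most CANARY_SIZE so the demo stays inside the malloc'd region. */
static int write_and_free(size_t nalloc, size_t nwrite)
{
    uint8_t *p = canary_malloc(nalloc);
    if (!p) return -99;
    memset(p, 'A', nwrite);
    return canary_free(p);
}

/* Hypothetical request structure as the host was built to see it ... */
struct request_info_v1 {
    char  *name;
    size_t name_len;
};

/* ... and with a field appended, as a module built against newer headers
 * sees it. In reality both carry the same type name; two names are used
 * here only so both layouts can coexist in one file. */
struct request_info_v2 {
    char  *name;
    size_t name_len;
    size_t filtered_len;   /* this write lands past a v1-sized block */
};

/* "Module" code: fills the structure as it understands it. */
static void module_fill(struct request_info_v2 *ri, char *name, size_t len)
{
    ri->name = name;
    ri->name_len = len;
    ri->filtered_len = len;
}

/* Host allocates for the layout it was built with and hands the block to
 * the module. Returns canary_free()'s verdict: 0 if the layouts agree,
 * -1 if the module wrote past the host's allocation. */
static int run_request(size_t host_struct_size)
{
    char name[] = "HTTP_USER_AGENT";
    void *block = canary_malloc(host_struct_size);
    if (!block) return -99;
    module_fill((struct request_info_v2 *)block, name, sizeof name - 1);
    return canary_free(block);
}

int main(void)
{
    printf("in bounds: %d, overflow: %d\n", write_and_free(16, 16), write_and_free(16, 17));
    printf("matching layout: %d, mismatched layout: %d\n",
           run_request(sizeof(struct request_info_v2)),
           run_request(sizeof(struct request_info_v1)));
    return 0;
}
```

Build with cc -Wall and run it: the in-bounds write and the matching-layout request both free cleanly (0), while the one-byte overrun and the mismatched-layout request both come back as -1 from canary_free(). The point of the second pair is the one sean raises: a module-API number that did not change between two builds says nothing about whether the structs the module touches still have the same size, and a canary at free time is often the first place such a silent layout change shows up.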

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Thu, 30 Jul 2009 13:51:02 GMT)

Acknowledgement sent to Chris.Chiappa@oracle.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 30 Jul 2009 13:51:02 GMT)

Message #70 received at 535148@bugs.debian.org:

From: Chris Chiappa <Chris.Chiappa@oracle.com>
To: 535148@bugs.debian.org
Subject: Working now
Date: Thu, 30 Jul 2009 09:48:54 -0400
Huh.  I upgraded back to 5.2.10 and it's working now.  Perhaps I
pulled in some other undeclared dep that was breaking things?

-- 

..ooOO chris@chiappa.net              | My opinions are my own  OOoo..
..ooOO chris.chiappa@oracle.com       | and certainly not those OOoo..
..ooOO http://www.chiappa.net/~chris/ | of my employer          OOoo..




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#535148; Package php5-cgi. (Thu, 06 Aug 2009 19:30:11 GMT)

Acknowledgement sent to Chris.Chiappa@oracle.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 06 Aug 2009 19:30:12 GMT)

Message #75 received at 535148@bugs.debian.org:

From: Chris Chiappa <Chris.Chiappa@oracle.com>
To: 535148@bugs.debian.org
Date: Thu, 6 Aug 2009 15:25:51 -0400
I spoke too soon, it was still crashing after I reupgraded, just
without the consistency it had before:
[Thu Aug 06 11:35:22 2009] [notice] child pid 4974 exit signal
Segmentation fault (11)
[Thu Aug 06 11:35:25 2009] [notice] child pid 5968 exit signal
Segmentation fault (11)
[Thu Aug 06 11:35:27 2009] [error] [client 127.0.1.1] ALERT - canary
mismatch on efree() - heap overflow detected (attacker '127.0.1.1',
file '/usr/share/mediawiki/includes/GlobalFunctions.php', line 2681),
referer: http://redacted/redacted.cgi
[Thu Aug 06 11:35:28 2009] [notice] child pid 5972 exit signal
Segmentation fault (11)

I removed php5-suhosin and so far haven't noticed any more crashes.

-- 

..ooOO chris@chiappa.net              | My opinions are my own  OOoo..
..ooOO chris.chiappa@oracle.com       | and certainly not those OOoo..
..ooOO http://www.chiappa.net/~chris/ | of my employer          OOoo..




Reply sent to Michal Čihař <nijel@debian.org>:
You have taken responsibility. (Thu, 22 Oct 2009 17:36:06 GMT)

Notification sent to Michal Čihař <nijel@debian.org>:
Bug acknowledged by developer. (Thu, 22 Oct 2009 17:36:06 GMT)

Message #80 received at 535148-done@bugs.debian.org:

From: Michal Čihař <nijel@debian.org>
To: 535148-done@bugs.debian.org
Subject: Fixed in 5.2.11.dfsg.1-1
Date: Thu, 22 Oct 2009 17:44:43 +0200
Version: 5.2.11.dfsg.1-1

This problem does not appear in 5.2.11.dfsg.1-1 anymore.

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Nov 2009 07:30:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:42:24 2023; Machine Name: buxtehude
