Debian Bug report logs - #542514
libapache2-mod-php5 with segmentation fault and efree heap overflow

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Dirk Howard <dhoward@idksoftware.com>

To: submit@bugs.debian.org

Subject: libapache2-mod-php5 with segmentation fault and efree heap overflow

Date: Wed, 19 Aug 2009 18:22:22 -0600

Package: libapache2-mod-php5
Version: 5.2.10.dfsg.1-2

I'm using Debian squeeze/sid with Apache2, PHP5 and Postgresql 8.

When I upgraded to apache2-2.2.12 I started to get errors in the log 
file like this:

[Mon Aug 17 15:27:07 2009] [notice] Apache/2.2.12 (Debian) 
mod_auth_pgsql/2.0.3 PHP/5.2.10-2 with Suhosin-Patch mod_ssl/2.2.12 
OpenSSL/0.9.8k configured -- resuming normal operations
[Mon Aug 17 15:27:27 2009] [notice] child pid 27492 exit signal 
Segmentation fault (11)
[Mon Aug 17 15:27:59 2009] [error] [client xx.xx.xx.xx] ALERT - canary 
mismatch on efree() - heap overflow detected (attacker 'xx.xx.xx.xx', 
file '/home/xxx\

The server seemed to have problems with connections being dropped before 
data was transfered.  This caused blank or incomplete pages for the clients.

Since this is a production system I back-rev'ed to a previous version.  
The last package that was reverted to the previous version as the 
libapache2-mod-php5 package.  Once this was restored to the 
5.2.9.dfsg.1-4 version, the errors stopped.


System that works is:
linux-image-2.6.30-1-686           2.6.30-5
apache2                           2.2.11-6
apache2-mpm-prefork               2.2.11-6
apache2-utils                     2.2.11-6
apache2.2-bin                     2.2.11-6
apache2.2-common                  2.2.11-6
libapache2-mod-auth-pgsql         2.0.3-5
libapache2-mod-php5               5.2.9.dfsg.1-4
php5                              5.2.9.dfsg.1-4
php5-adodb                        5.04-4
php5-cli                          5.2.9.dfsg.1-4
php5-common                       5.2.9.dfsg.1-4
php5-curl                         5.2.9.dfsg.1-4
php5-dev                          5.2.9.dfsg.1-4
php5-gd                           5.2.9.dfsg.1-4
php5-imagick                      2.1.1RC1-1+b1
php5-mcrypt                       5.2.9.dfsg.1-4
php5-mysql                        5.2.9.dfsg.1-4
php5-pgsql                        5.2.9.dfsg.1-4
php5-recode                       5.2.9.dfsg.1-4
php5-suhosin                      0.9.27-1
php5-xmlrpc                       5.2.9.dfsg.1-4


Dirk

Message #10 received at 542514@bugs.debian.org (full text, mbox, reply):

From: Jiří Bendl <bendl@pjcomp.cz>

To: 542514@bugs.debian.org

Subject: Re: Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap overflow

Date: Thu, 20 Aug 2009 11:02:00 +0200

Hi, it doing the same in version
Package: apache2
State: installed
Automatically installed: yes
Version: 2.2.12-1
Priority: optional
Section: httpd

Dirk Howard napsal(a):
> Package: libapache2-mod-php5
> Version: 5.2.10.dfsg.1-2
>
> I'm using Debian squeeze/sid with Apache2, PHP5 and Postgresql 8.
>
> When I upgraded to apache2-2.2.12 I started to get errors in the log 
> file like this:
>
> [Mon Aug 17 15:27:07 2009] [notice] Apache/2.2.12 (Debian) 
> mod_auth_pgsql/2.0.3 PHP/5.2.10-2 with Suhosin-Patch mod_ssl/2.2.12 
> OpenSSL/0.9.8k configured -- resuming normal operations
> [Mon Aug 17 15:27:27 2009] [notice] child pid 27492 exit signal 
> Segmentation fault (11)
> [Mon Aug 17 15:27:59 2009] [error] [client xx.xx.xx.xx] ALERT - canary 
> mismatch on efree() - heap overflow detected (attacker 'xx.xx.xx.xx', 
> file '/home/xxx\
>
> The server seemed to have problems with connections being dropped 
> before data was transfered.  This caused blank or incomplete pages for 
> the clients.
>
> Since this is a production system I back-rev'ed to a previous 
> version.  The last package that was reverted to the previous version 
> as the libapache2-mod-php5 package.  Once this was restored to the 
> 5.2.9.dfsg.1-4 version, the errors stopped.
>
>
> System that works is:
> linux-image-2.6.30-1-686           2.6.30-5
> apache2                           2.2.11-6
> apache2-mpm-prefork               2.2.11-6
> apache2-utils                     2.2.11-6
> apache2.2-bin                     2.2.11-6
> apache2.2-common                  2.2.11-6
> libapache2-mod-auth-pgsql         2.0.3-5
> libapache2-mod-php5               5.2.9.dfsg.1-4
> php5                              5.2.9.dfsg.1-4
> php5-adodb                        5.04-4
> php5-cli                          5.2.9.dfsg.1-4
> php5-common                       5.2.9.dfsg.1-4
> php5-curl                         5.2.9.dfsg.1-4
> php5-dev                          5.2.9.dfsg.1-4
> php5-gd                           5.2.9.dfsg.1-4
> php5-imagick                      2.1.1RC1-1+b1
> php5-mcrypt                       5.2.9.dfsg.1-4
> php5-mysql                        5.2.9.dfsg.1-4
> php5-pgsql                        5.2.9.dfsg.1-4
> php5-recode                       5.2.9.dfsg.1-4
> php5-suhosin                      0.9.27-1
> php5-xmlrpc                       5.2.9.dfsg.1-4
>
>
> Dirk
>
>
>

Message #15 received at 542514@bugs.debian.org (full text, mbox, reply):

From: Bernat Arlandis i Mañó <berarma@ya.com>

To: 542514@bugs.debian.org

Subject: Same bug here

Date: Thu, 20 Aug 2009 13:47:02 +0200

Confirming this bug on Debian Testing with Apache 2.2.12-1 and same PHP 
version. I just had to downgrade PHP to make it work again.

This bug is important, it breaks lamp applications having to resort to 
downgrading all PHP packages.

-- 
Bernat Arlandis i Mañó

Message #20 received at 542514@bugs.debian.org (full text, mbox, reply):

From: "Marc Dequènes (Duck)" <duck@duckcorp.org>

To: 542514@bugs.debian.org

Cc: Debian BTS Control <control@bugs.debian.org>

Subject: Re: libapache2-mod-php5 with segmentation fault and efree heap overflow

Date: Fri, 21 Aug 2009 11:19:01 +0200

[Message part 1 (text/plain, inline)]

severity 542514 grave
thanks


Coin,

I con also confirm this bug after an upgrade from 5.2.9.dfsg.1-4 to  
5.2.10.dfsg.1-2, but with apache2 2.2.11-6 (i downgraded apache2  
because of #541607).

With this bug, all PHP webapps are segfaulting very often, which  
renders the service quite useless and then the package almost  
unusuable, thus the severity increase. Such a segfault may also be  
exploitable and is a potential security risk.

Regards.

-- 
Marc Dequènes (Duck)

[Message part 2 (application/pgp-signature, inline)]

Message #25 received at 542514@bugs.debian.org (full text, mbox, reply):

From: "Marc Dequènes (Duck)" <duck@duckcorp.org>

To: 542514@bugs.debian.org

Cc: Debian BTS Control <control@bugs.debian.org>

Subject: Re: libapache2-mod-php5 with segmentation fault and efree heap overflow

Date: Fri, 21 Aug 2009 11:19:17 +0200

[Message part 1 (text/plain, inline)]

severity 542514 grave
thanks


Coin,

I con also confirm this bug after an upgrade from 5.2.9.dfsg.1-4 to  
5.2.10.dfsg.1-2, but with apache2 2.2.11-6 (i downgraded apache2  
because of #541607).

With this bug, all PHP webapps are segfaulting very often, which  
renders the service quite useless and then the package almost  
unusuable, thus the severity increase. Such a segfault may also be  
exploitable and is a potential security risk.

Regards.

-- 
Marc Dequènes (Duck)

[Message part 2 (application/pgp-signature, inline)]

Message #32 received at 542514@bugs.debian.org (full text, mbox, reply):

From: Anthony Mutiso <amutiso@limuru.com>

To: 542514@bugs.debian.org

Subject: 5.2.9.dfsg.1-4

Date: Tue, 25 Aug 2009 17:11:38 -0600

How do I get 5.2.9.dfsg.1-4 installed while waiting on resolution of
this bug?

-- 
Anthony Mutiso, amutiso@limuru.com, www.limuru.com, 
h: (403) 229-0429, w: (403) 270-3190, m: (403) 703-3190
2040 Broadview Road NW, Calgary, Alberta T2N 3H8

Message #37 received at 542514@bugs.debian.org (full text, mbox, reply):

From: "Marc Dequènes (Duck)" <duck@duckcorp.org>

To: 542514@bugs.debian.org

Subject: Re: libapache2-mod-php5 with segmentation fault and efree heap

Date: Wed, 26 Aug 2009 11:04:41 +0200

[Message part 1 (text/plain, inline)]

Coin,

With the patch in #542906, i managed to make a package without the  
suhosin patch, and the problem still persist, so i guess this is a bug  
in 5.2.10 and not in the suhosin check as i first thought.

Seems 5.2.9.dfsg.1-4 is neither in the archive anymore, nor in  
snapshot.debian.net, so it is quite inconvenient.

-- 
Marc Dequènes (Duck)

[Message part 2 (application/pgp-signature, inline)]

Message #42 received at 542514@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: Marc Dequènes (Duck) <duck@duckcorp.org>, 542514@bugs.debian.org

Subject: Re: [php-maint] Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap

Date: Wed, 26 Aug 2009 11:34:20 +0200

That's an evil plan how to make more people test php 5.3.0 :)

Well no, in fact, updated packages are in preparation, snippet from other mail:

On Wed, Aug 26, 2009 at 02:41, Raphael Geissert<geissert@debian.org> wrote:
>> > * The code is far away from being as "stable" as 5.2.x
>>
>> "stable" as in #542514? :) The idea of uploading 5.3 to unstable came
>> up with recent load of bug reports filled on 5.2.10.
>
> This seems to be caused by a large merge from the 5.3 branch by upstream,
> which I plan to revert on the next upload (testing being one of the reasons
> why it's taking me so long to upload).

But anyway it would be great if you can try 5.3.0-3 from experimental.
It needs as much testing as it could get.

Ondrej.

On Wed, Aug 26, 2009 at 11:04, Marc Dequènes (Duck)<duck@duckcorp.org> wrote:
> Coin,
>
> With the patch in #542906, i managed to make a package without the suhosin
> patch, and the problem still persist, so i guess this is a bug in 5.2.10 and
> not in the suhosin check as i first thought.
>
> Seems 5.2.9.dfsg.1-4 is neither in the archive anymore, nor in
> snapshot.debian.net, so it is quite inconvenient.
>
> --
> Marc Dequènes (Duck)
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #47 received at 542514@bugs.debian.org (full text, mbox, reply):

From: "Marc Dequènes (Duck)" <duck@duckcorp.org>

To: Ondřej Surý <ondrej@debian.org>

Cc: 542514@bugs.debian.org

Subject: Re: Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap

Date: Wed, 26 Aug 2009 23:44:33 +0200

[Message part 1 (text/plain, inline)]

Coin,

Quoting Ondřej Surý <ondrej@debian.org>:

> That's an evil plan how to make more people test php 5.3.0 :)
 :-)

> But anyway it would be great if you can try 5.3.0-3 from experimental.
> It needs as much testing as it could get.

My machine is running testing, and i just installed your newly  
uploaded 5.3.0-3.

I don't get any suhosin message, but PHP is still segfaulting a lot.  
This time, the general apache log (and not the one for the vhost) gives:
[Wed Aug 26 20:35:47 2009] [notice] child pid 18948 exit signal  
Segmentation fault (11)
[Wed Aug 26 20:38:07 2009] [notice] child pid 18947 exit signal  
Segmentation fault (11)
[Wed Aug 26 20:38:07 2009] [notice] child pid 18991 exit signal  
Segmentation fault (11)

I got this with GDB:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f000b87b740 (LWP 9610)]
0x00007f000535b1d8 in _zend_mm_free_canary_int (heap=0x2721480,  
p=0x1e0) at /tmp/buildd/php5-5.3.0/Zend/zend_alloc_canary.c:2029
2029	/tmp/buildd/php5-5.3.0/Zend/zend_alloc_canary.c: No such file or  
directory.
	in /tmp/buildd/php5-5.3.0/Zend/zend_alloc_canary.c
(gdb) bt
#0  0x00007f000535b1d8 in _zend_mm_free_canary_int (heap=0x2721480,  
p=0x1e0) at /tmp/buildd/php5-5.3.0/Zend/zend_alloc_canary.c:2029
#1  0x00007efffd9ded61 in _php_pgsql_notice_ptr_dtor (ptr=0x2721480)  
at /tmp/buildd/php5-5.3.0/ext/pgsql/pgsql.c:835
#2  0x00007f0005348468 in zend_hash_clean (ht=0x7efffdbf45c8) at  
/tmp/buildd/php5-5.3.0/Zend/zend_hash.c:745
#3  0x00007efffd9e6254 in zm_deactivate_pgsql (type=41030784,  
module_number=480) at /tmp/buildd/php5-5.3.0/ext/pgsql/pgsql.c:1034
#4  0x00007f000533d7dc in module_registry_cleanup (module=0x2721480)  
at /tmp/buildd/php5-5.3.0/Zend/zend_API.c:2150
#5  0x00007f0005347ff4 in zend_hash_reverse_apply (ht=0x7f0005a4ea00,  
apply_func=0x7f000533d7c0 <module_registry_cleanup>) at  
/tmp/buildd/php5-5.3.0/Zend/zend_hash.c:949
#6  0x00007f000533c24d in zend_deactivate_modules () at  
/tmp/buildd/php5-5.3.0/Zend/zend.c:938
#7  0x00007f00052e7b25 in php_request_shutdown (dummy=0x2721480) at  
/tmp/buildd/php5-5.3.0/main/main.c:1553
#8  0x00007f00053c8123 in php_handler (r=0x1) at  
/tmp/buildd/php5-5.3.0/sapi/apache2handler/sapi_apache2.c:505
#9  0x000000000043b8d3 in ap_run_handler ()
#10 0x000000000043ee9f in ap_invoke_handler ()
#11 0x000000000044c11e in ap_process_request ()
#12 0x0000000000449158 in ?? ()
#13 0x0000000000442dd3 in ap_run_process_connection ()
#14 0x0000000000450720 in ?? ()
#15 0x0000000000450a74 in ?? ()
#16 0x00000000004516b6 in ap_mpm_run ()
#17 0x0000000000428425 in main ()

Regards.

-- 
Marc Dequènes (Duck)

[Message part 2 (application/pgp-signature, inline)]

Message #52 received at 542514@bugs.debian.org (full text, mbox, reply):

From: Ari Heitner <ari@ncsy.ca>

To: 542514@bugs.debian.org

Subject: Downgrade path

Date: Tue, 1 Sep 2009 13:19:22 -0400

[Message part 1 (text/plain, inline)]

People (myself included) were looking for 5.2.9 packages, which are no
longer in the pool.

Just tried 5.2.6 which is in the pool, appears to be working nicely.

-- 
Ari Heitner
Director of Technology
www.NCSY.ca - www.TorahHigh.ca
w: 905.761.6279x23 m: 647.202.1998

[Message part 2 (text/html, inline)]

Message #57 received at 542514@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: "Marc Dequènes (Duck)" <duck@duckcorp.org>, 542514@bugs.debian.org

Subject: Re: Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap

Date: Sat, 5 Sep 2009 09:09:58 +0200

Hi,

On Wednesday 26 August 2009, Marc Dequènes (Duck) wrote:
> Quoting Ondřej Surý <ondrej@debian.org>:
> > That's an evil plan how to make more people test php 5.3.0 :)
> >
>   :-)
> >
> > But anyway it would be great if you can try 5.3.0-3 from
> > experimental. It needs as much testing as it could get.
>
> My machine is running testing, and i just installed your newly
> uploaded 5.3.0-3.
>
> I don't get any suhosin message, but PHP is still segfaulting a
> lot. This time, the general apache log (and not the one for the
> vhost) gives: [Wed Aug 26 20:35:47 2009] [notice] child pid 18948
> exit signal Segmentation fault (11)
> [Wed Aug 26 20:38:07 2009] [notice] child pid 18947 exit signal
> Segmentation fault (11)
> [Wed Aug 26 20:38:07 2009] [notice] child pid 18991 exit signal
> Segmentation fault (11)

apache2 2.2.13-1 fixes a php related segfault, too (bug #542623). If 
you want to debug/test the php bug, I would recommend that you use 
2.2.13 to be sure that you don't hit the apache bug.

Cheers,
Stefan

Message #62 received at 542514@bugs.debian.org (full text, mbox, reply):

From: "Marc Dequènes (Duck)" <duck@duckcorp.org>

To: Stefan Fritsch <sf@sfritsch.de>

Cc: 542514@bugs.debian.org

Subject: Re: Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap

Date: Sat, 05 Sep 2009 09:53:00 +0200

[Message part 1 (text/plain, inline)]

Coin,

Quoting Stefan Fritsch <sf@sfritsch.de>:

> apache2 2.2.13-1 fixes a php related segfault, too (bug #542623). If
> you want to debug/test the php bug, I would recommend that you use
> 2.2.13 to be sure that you don't hit the apache bug.

I'd like to help more, but i can't upgrade apache2 because of #541607.

-- 
Marc Dequènes (Duck)

[Message part 2 (application/pgp-signature, inline)]

Message #67 received at 542514@bugs.debian.org (full text, mbox, reply):

From: "Marc Dequènes (Duck)" <duck@duckcorp.org>

To: Stefan Fritsch <sf@sfritsch.de>

Cc: 542514@bugs.debian.org

Subject: Re: Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap

Date: Tue, 15 Sep 2009 22:36:38 +0200

[Message part 1 (text/plain, inline)]

Coin,

Quoting Stefan Fritsch <sf@sfritsch.de>:

> apache2 2.2.13-1 fixes a php related segfault, too (bug #542623). If
> you want to debug/test the php bug, I would recommend that you use
> 2.2.13 to be sure that you don't hit the apache bug.

Tested php5 5.2.10.dfsg.1-2.2 with apache2 2.2.13-1 still segfault.  
Reverting back to 5.2.6.dfsg.1-1+lenny3. solved the problem.

Regards.

-- 
Marc Dequènes (Duck)

[Message part 2 (application/pgp-signature, inline)]

Message #70 received at 542514@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: 543525-submitter@bugs.debian.org, 542514-submitter@bugs.debian.org, Bernat Arlandis i Mañó <berarma@ya.com>, "Marc Dequènes (Duck)" <duck@duckcorp.org>

Cc: 543525@bugs.debian.org, 542514@bugs.debian.org

Subject: Re: Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap

Date: Sat, 3 Oct 2009 14:52:39 -0500

Hi everyone,

Could you please test the 5.2.11 packages and check whether it keeps 
segfaulting or not?

Thanks in advance.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Message #78 received at 542514@bugs.debian.org (full text, mbox, reply):

From: Bernat Arlandis i Mañó <berarma@ya.com>

To: 543525@bugs.debian.org, 542514@bugs.debian.org

Cc: 543525-submitter@bugs.debian.org, 542514-submitter@bugs.debian.org, "Marc Dequènes (Duck)" <duck@duckcorp.org>

Subject: Re: Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap

Date: Sun, 04 Oct 2009 12:43:05 +0200

Raphael Geissert escrigué:
> Hi everyone,
>
> Could you please test the 5.2.11 packages and check whether it keeps 
> segfaulting or not?
>
> Thanks in advance.
>
> Cheers,
>   
It seems like it doesn't segfault anymore, no problems so far. Tested 
with Apache2 2.2.13-2 and PHP 5.2.11.dfsg.1-1

Thanks.
Best regards.

-- 
Bernat Arlandis i Mañó

Message #86 received at 542514-done@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>

To: 542514-done@bugs.debian.org

Subject: Re: Bug#542514: libapache2-mod-php5 with segmentation fault and efree heap

Date: Sat, 21 Nov 2009 11:47:08 -0600

Source: php5
Source-Version: 5.2.11.dfsg.1-1

> It seems like it doesn't segfault anymore, no problems so far. Tested
> with Apache2 2.2.13-2 and PHP 5.2.11.dfsg.1-1

Closing it now, thanks (forgot to close it together with 543525).

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Send a report that this bug log contains spam.