Debian Bug report logs - #662662
php5-memcached: Segfault or abort when getServerByKey, get called


Package: php5-memcached; Maintainer for php5-memcached is Debian PHP PECL Maintainers <pkg-php-pecl@lists.alioth.debian.org>; Source for php5-memcached is src:php-memcached.

Reported by: David Kirchner <dpk@dpk.net>

Date: Mon, 5 Mar 2012 15:18:01 UTC

Severity: important

Tags: patch, squeeze, upstream

Found in version php-memcached/1.0.2-1

Fixed in versions php-memcached/2.0.0b2-1, php-memcached/1.0.2-1+squeeze1

Done: Sergey B Kirpichev <skirpichev@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#662662; Package php5-memcached. (Mon, 05 Mar 2012 15:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Kirchner <dpk@dpk.net>:
New Bug report received and forwarded. Copy sent to Sergey B Kirpichev <skirpichev@gmail.com>. (Mon, 05 Mar 2012 15:18:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: David Kirchner <dpk@dpk.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5-memcached: Segfault or abort when getServerByKey, get called
Date: Mon, 05 Mar 2012 14:20:01 +0000
Package: php5-memcached
Version: 1.0.2-1
Severity: important
Tags: upstream


Calls to getServerByKey can cause a segfault or abort when followed
by any other call that will read or write with the same key, or any
key that happens to live on the same server.

The bug is caused by a call to free the server entry at the end of
getServerByKey in php_memcached.c:

1540:        memcached_server_free(server);

And the first thing that function does is send "quit" to the memcache
server. This has been fixed upstream btw, with a note:

https://github.com/php-memcached-dev/php-memcached/blob/master/php_memcached.c

"
	/* memcached_server_add(3) states that the server instance is cloned. */
	/* In actuality it is not, possibly a bug in libmemcached 0.40. */
	/* remove server freeing */

	/* memcached_server_free(server); */
"

I'm guessing that the client is not automatically reconnecting ('cause
it doesn't know to) and then we end up with a segfault or abort.

Would it be possible for this to be used as a patch in an update for 
squeeze's version of php-memcached-1.0.2? I believe this is a serious 
enough bug to warrant an update as it is possible a call made by one 
script can lead to a segfault or sigabort when a later script is run.

This code triggers the segabort. The same failure occurs in Apache and
CLI modes.

<?php
$mcd = new memcached();
$mcd->addServer('127.0.0.1', '11211', 1);
$result = $mcd->set('anykey', 2);
$mcd->getServerByKey('anykey');
?>

and this triggers the sigabort:

<?php
$mcd = new memcached();
$mcd->addServer('127.0.0.1', '11211', 1);
$result = $mcd->set('anykey', 2);
$mcd->getServerByKey('anykey');
?>

These two scripts will eventually trigger a segfault when you hit one
followed by the other:

<?php
$mcd = new memcached(1);
$mcd->addServer('127.0.0.1', '11211', 1);
$mcd->getServerByKey('anykey');
print "Done\n";
?>

<?php
$mcd = new memcached(1);
$mcd->addServer('127.0.0.1', '11211', 1);
$result = $mcd->set('anykey', 2);
print "Done\n";
?>

"Eventually", in this case, means when the same Apache prefork child
happens to run the two scripts one after the other.

-- System Information:
Debian Release: 6.0.4
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39.1-x86_64-linode19 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5-memcached depends on:
ii  libapache2-mod-php5 [ph 5.3.3-7+squeeze8 server-side, HTML-embedded scripti
ii  libc6                   2.11.3-2         Embedded GNU C Library: Shared lib
ii  libmemcached5           0.40-1           A C and C++ client library to the 
ii  php5-cli [phpapi-200906 5.3.3-7+squeeze8 command-line interpreter for the p
ii  php5-common             5.3.3-7+squeeze8 Common files for packages built fr
ii  ucf                     3.0025+nmu1      Update Configuration File: preserv

php5-memcached recommends no packages.

php5-memcached suggests no packages.

-- no debconf information
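
The ownership mistake described in the report above, as an added example that is not code from php-memcached or libmemcached: a wrapper releases a server entry it only borrowed from the client, so any later operation routed to that entry fails. All names are hypothetical, and the release is modelled with a flag instead of free() so the program runs without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Toy model; every name here is hypothetical, not the libmemcached API. */
typedef struct {
    char host[32];
    int  released;   /* a real library would close the socket and free() */
} server_t;

typedef struct { server_t servers[1]; } client_t;

/* Documented as "returns a clone", but hands out the client's own entry. */
static server_t *server_by_key(client_t *c, const char *key) {
    (void)key;       /* one server: every key maps to it */
    return &c->servers[0];
}

static void server_release(server_t *s) { s->released = 1; }

/* Any later read or write routed to a released entry fails.
   In the real extension this is where the segfault or abort happens. */
static int client_set(client_t *c, const char *key) {
    return server_by_key(c, key)->released ? -1 : 0;
}

/* Buggy wrapper: releases a pointer it only borrowed. */
static void lookup_buggy(client_t *c, const char *key, char *out, size_t n) {
    server_t *s = server_by_key(c, key);
    snprintf(out, n, "%s", s->host);
    server_release(s);
}

/* Fixed wrapper: copy what is needed, leave ownership with the client. */
static void lookup_fixed(client_t *c, const char *key, char *out, size_t n) {
    snprintf(out, n, "%s", server_by_key(c, key)->host);
}

/* Status of a set() issued after the lookup: 0 = ok, -1 = entry was released. */
static int set_after_lookup(int use_fixed, const char *lookup_key, const char *set_key) {
    client_t c;
    char host[32];
    memset(&c, 0, sizeof c);
    strcpy(c.servers[0].host, "127.0.0.1");
    if (use_fixed) lookup_fixed(&c, lookup_key, host, sizeof host);
    else           lookup_buggy(&c, lookup_key, host, sizeof host);
    return client_set(&c, set_key);
}

int main(void) {
    printf("buggy: %d\n", set_after_lookup(0, "anykey", "anykey"));
    printf("fixed: %d\n", set_after_lookup(1, "anykey", "otherkey"));
    return 0;
}
```

With a persistent client, the released entry outlives the script that released it, which matches the two-script case in the report.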




Added tag(s) patch. Request was from Sergey B Kirpichev <skirpichev@gmail.com> to control@bugs.debian.org. (Tue, 06 Mar 2012 13:06:05 GMT) Full text and rfc822 format available.

Added tag(s) squeeze. Request was from Sergey B Kirpichev <skirpichev@gmail.com> to control@bugs.debian.org. (Tue, 06 Mar 2012 13:06:06 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Sergey B Kirpichev <skirpichev@gmail.com> to control@bugs.debian.org. (Tue, 06 Mar 2012 13:06:07 GMT) Full text and rfc822 format available.

Message sent on to David Kirchner <dpk@dpk.net>:
Bug#662662. (Tue, 06 Mar 2012 13:06:17 GMT) Full text and rfc822 format available.

Message #14 received at 662662-submitter@bugs.debian.org (full text, mbox):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 662662-submitter@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#662662: php5-memcached: Segfault or abort when getServerByKey, get called
Date: Tue, 6 Mar 2012 16:54:40 +0400
[Message part 1 (text/plain, inline)]
tags 662662 +patch +squeeze +pending
notfound 662662 2.0.0b2-1
thanks

On Mon, Mar 05, 2012 at 02:20:01PM +0000, David Kirchner wrote:
> Would it be possible for this to be used as a patch in an update for 
> squeeze's version of php-memcached-1.0.2? I believe this is a serious 
> enough bug to warrant an update as it is possible a call made by one 
> script can lead to a segfault or sigabort when a later script is run.

The patch seems to be safe.  Attached below are the deb for amd64 and the
other files needed to rebuild the package for other architectures (e.g. man
debuild).  Please test.
[php5-memcached_1.0.2-1+squeeze1_amd64.deb (application/x-debian-package, attachment)]
[php-memcached_1.0.2-1+squeeze1_amd64.changes (text/plain, attachment)]
[php-memcached_1.0.2-1+squeeze1.debian.tar.gz (application/octet-stream, attachment)]
[php-memcached_1.0.2-1+squeeze1.dsc (text/plain, attachment)]
[php-memcached_1.0.2.orig.tar.gz (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug Marked as fixed in versions php-memcached/2.0.0b2-1. Request was from Sergey B Kirpichev <skirpichev@gmail.com> to control@bugs.debian.org. (Tue, 06 Mar 2012 13:15:50 GMT) Full text and rfc822 format available.

Information stored :
Bug#662662; Package php5-memcached. (Thu, 08 Mar 2012 03:45:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Kirchner <dpk@dpk.net>:
Extra info received and filed, but not forwarded. (Thu, 08 Mar 2012 03:45:10 GMT) Full text and rfc822 format available.

Message #21 received at 662662-quiet@bugs.debian.org (full text, mbox):

From: David Kirchner <dpk@dpk.net>
To: skirpichev@gmail.com, 662662-quiet@bugs.debian.org
Cc: 662662-submitter@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#662662: php5-memcached: Segfault or abort when getServerByKey, get called
Date: Wed, 7 Mar 2012 19:41:21 -0800
On Tue, Mar 6, 2012 at 4:54 AM, Sergey B Kirpichev <skirpichev@gmail.com> wrote:
> tags 662662 +patch +squeeze +pending
> notfound 662662 2.0.0b2-1
> thanks
>
> On Mon, Mar 05, 2012 at 02:20:01PM +0000, David Kirchner wrote:
>> Would it be possible for this to be used as a patch in an update for
>> squeeze's version of php-memcached-1.0.2? I believe this is a serious
>> enough bug to warrant an update as it is possible a call made by one
>> script can lead to a segfault or sigabort when a later script is run.
>
> The patch seems to be safe.  Attached below are the deb for amd64 and the
> other files needed to rebuild the package for other architectures (e.g. man
> debuild).  Please test.

I've tested this on my amd64 server and it worked just fine. No
segfaults, no aborts, and the getServerByKey returns what I expected
it to. I don't have servers for other platforms, I'm afraid, so I
can't test it there. Thanks for putting this together.

-- 
David 'dpk' Kirchner




Message sent on to David Kirchner <dpk@dpk.net>:
Bug#662662. (Thu, 08 Mar 2012 03:45:13 GMT) Full text and rfc822 format available.

Reply sent to Sergey B Kirpichev <skirpichev@gmail.com>:
You have taken responsibility. (Sat, 17 Mar 2012 09:51:04 GMT) Full text and rfc822 format available.

Notification sent to David Kirchner <dpk@dpk.net>:
Bug acknowledged by developer. (Sat, 17 Mar 2012 09:51:20 GMT) Full text and rfc822 format available.

Message #29 received at 662662-close@bugs.debian.org (full text, mbox):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 662662-close@bugs.debian.org
Subject: Bug#662662: fixed in php-memcached 1.0.2-1+squeeze1
Date: Sat, 17 Mar 2012 09:47:11 +0000
Source: php-memcached
Source-Version: 1.0.2-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
php-memcached, which is due to be installed in the Debian FTP archive:

php-memcached_1.0.2-1+squeeze1.debian.tar.gz
  to main/p/php-memcached/php-memcached_1.0.2-1+squeeze1.debian.tar.gz
php-memcached_1.0.2-1+squeeze1.dsc
  to main/p/php-memcached/php-memcached_1.0.2-1+squeeze1.dsc
php5-memcached_1.0.2-1+squeeze1_amd64.deb
  to main/p/php-memcached/php5-memcached_1.0.2-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 662662@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <skirpichev@gmail.com> (supplier of updated php-memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 05 Mar 2012 22:56:33 +0400
Source: php-memcached
Binary: php5-memcached
Architecture: source amd64
Version: 1.0.2-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Sergey B Kirpichev <skirpichev@gmail.com>
Changed-By: Sergey B Kirpichev <skirpichev@gmail.com>
Description: 
 php5-memcached - memcached extension module for PHP5
Closes: 662662
Changes: 
 php-memcached (1.0.2-1+squeeze1) stable; urgency=low
 .
   * Apply patch from upstream to fix double free in getServerByKey().
     Closes: #662662.
   * New maintainer (See: #620030)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk9jz/gACgkQFViURZnoHaDIqQCbBIQzF9SDtfv+xKo/jxm9QJCw
WlYAnRcWktQWAQcKQPs9VAV9X77ert3q
=wjD9
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Jun 2012 07:50:18 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:02:46 2014; Machine Name: buxtehude.debian.org
