[Bug 1407990] Re: apache2.4 mod-php5.5 random segmentation faults in zend_stack_push() and zend_hash_find()
Gerrit Venema
gmoniker at gmail.com
Tue Mar 10 19:42:33 UTC 2015
We observe regular segfaults on Ubuntu 14.04 LTS with Apache and PHP in
its default packages presenting these backtraces in a core dump file:
#0 0x00007f9911e619ad in zend_stack_push (
stack=stack@entry=0x7f9912627ca0 <compiler_globals+608>,
element=element@entry=0x7f9912627c78 <compiler_globals+568>,
size=size@entry=40) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_stack.c:42
#1 0x00007f9911e2d34e in compile_file (
file_handle=file_handle@entry=0x7fffe74e7e00, type=2)
at Zend/zend_language_scanner.l:586
#2 0x00007f9911e52b2a in dtrace_compile_file (file_handle=0x7fffe74e7e00,
type=<optimized out>)
at /build/buildd/php5-5.5.9+dfsg/Zend/zend_dtrace.c:40
#3 0x00007f9911cdbce4 in phar_compile_file (file_handle=<optimized out>,
type=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/ext/phar/phar.c:3383
#4 0x00007f990baca1d4 in persistent_compile_file (file_handle=0x7fffe74e7e00,
type=2) at /build/buildd/php5-5.5.9+dfsg/ext/opcache/ZendAccelerator.c:1634
#5 0x00007f990bd64f19 in ?? ()
from /usr/lib/php5/20121212/ioncube_loader_lin_5.5.so
#6 0x00007f9911e645af in zend_execute_scripts (type=type@entry=2,
retval=retval@entry=0x0, file_count=file_count@entry=1)
at /build/buildd/php5-5.5.9+dfsg/Zend/zend.c:1308
#7 0x00007f9911f1452d in php_handler (r=<optimized out>)
at /build/buildd/php5-5.5.9+dfsg/sapi/apache2handler/sapi_apache2.c:669
#8 0x00007f9918178680 in ap_run_handler (r=0x7f9912f040a0) at config.c:169
#9 0x00007f9918178bc9 in ap_invoke_handler (r=r@entry=0x7f9912f040a0)
at config.c:439
#10 0x00007f991818e16a in ap_process_async_request (r=0x7f9912f040a0)
at http_request.c:317
#11 0x00007f991818e444 in ap_process_request (r=r@entry=0x7f9912f040a0)
at http_request.c:363
#12 0x00007f991818af02 in ap_process_http_sync_connection (c=0x7f991479e290)
at http_core.c:190
#13 ap_process_http_connection (c=0x7f991479e290) at http_core.c:231
#14 0x00007f9918181cc0 in ap_run_process_connection (c=0x7f991479e290)
at connection.c:41
#15 0x00007f99181820a8 in ap_process_connection (c=c@entry=0x7f991479e290,
csd=<optimized out>) at connection.c:202
#16 0x00007f991333f767 in child_main (child_num_arg=child_num_arg@entry=92)
at prefork.c:704
#17 0x00007f991333f9a6 in make_child (s=0x7f99180dfde0, slot=92)
at prefork.c:800
#18 0x00007f991334060e in perform_idle_server_maintenance (p=<optimized out>)
at prefork.c:902
#19 prefork_run (_pconf=<optimized out>, plog=<optimized out>,
s=<optimized out>) at prefork.c:1090
#20 0x00007f991815f69e in ap_run_mpm (pconf=0x7f9918115028,
plog=0x7f99180e3028, s=0x7f99180dfde0) at mpm_common.c:96
#21 0x00007f9918158e36 in main (argc=3, argv=0x7fffe74e8508) at main.c:777
PHP is coming in to the stack push function thinking that it is already
initialized (stack_max=64) while its elements pointer is null, so it
segfaults when trying to store a heap segment in its stack.
This may very well be an upstream bug in the PHP SAPI module for Apache.
In this case I think this bug report
(https://bugs.php.net/bug.php?id=68486) on PHP is highly relevant. It is
said to not be present on Apache 2.2 and is probably related to client
side pipelining of HTTP 1.1 requests.
Regards,
Gerrit
** Bug watch added: bugs.php.net/ #68486
http://bugs.php.net/bug.php?id=68486
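The state Gerrit reads out of frame #0 (a stack whose capacity already says 64 while its element array is still NULL, so the store at zend_stack.c:42 writes through a null pointer) is easier to reason about with a small model. The following C is an added example written for this page; it is not PHP's zend_stack code and not anything from the Ubuntu or php.net bug. It assumes only the three fields the post names (top, max, elements) and the 64-slot block size implied by stack_max=64; everything else, including the function names and the constructed inconsistent state, is the example's own. The unchecked push mirrors the grow-then-store logic and shows why a stack that already claims 64 slots never allocates; the checked variant treats "max > 0 with elements == NULL" as a broken invariant and returns an error instead of faulting. It does not say how the state arose, which is the upstream question the post points at.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the three-field stack described in the report.
 * Not PHP's zend_stack; plain malloc/realloc stand in for the Zend allocator. */
typedef struct {
    int    top;       /* number of elements stored */
    int    max;       /* capacity in slots; 0 until the first growth */
    void **elements;  /* array of heap copies of pushed elements */
} model_stack;

#define MODEL_STACK_BLOCK_SIZE 64   /* assumed from stack_max=64 in the backtrace */

/* Normal initialisation: no capacity, no array. */
void model_stack_init(model_stack *s)
{
    s->top = 0;
    s->max = 0;
    s->elements = NULL;
}

/* The state visible in frame #0: max claims 64 slots while elements is NULL.
 * Constructed for the demonstration. */
void model_stack_make_inconsistent(model_stack *s)
{
    s->top = 0;
    s->max = MODEL_STACK_BLOCK_SIZE;
    s->elements = NULL;
}

/* Invariant: a non-zero capacity must be backed by a real array. */
int model_stack_is_consistent(const model_stack *s)
{
    return !(s->max > 0 && s->elements == NULL);
}

/* Grow-then-store as the report summarises it. Growth happens only when
 * top >= max, so a stack that already claims max == 64 skips the allocation
 * and stores through the NULL elements pointer. Called here only on
 * well-formed stacks; on the inconsistent state it would fault. */
int model_stack_push_unchecked(model_stack *s, const void *element, size_t size)
{
    if (s->top >= s->max) {
        size_t slots = (size_t)(s->max + MODEL_STACK_BLOCK_SIZE);
        void **grown = realloc(s->elements, sizeof(void *) * slots);
        if (grown == NULL) return -1;
        s->elements = grown;
        s->max += MODEL_STACK_BLOCK_SIZE;
    }
    void *copy = malloc(size);
    if (copy == NULL) return -1;
    memcpy(copy, element, size);
    s->elements[s->top] = copy;
    return s->top++;
}

/* Hardened variant: refuse the store when the invariant is broken, so the
 * caller sees an error instead of a SIGSEGV. */
int model_stack_push_checked(model_stack *s, const void *element, size_t size)
{
    if (!model_stack_is_consistent(s)) return -1;
    return model_stack_push_unchecked(s, element, size);
}

void model_stack_destroy(model_stack *s)
{
    for (int i = 0; i < s->top; i++) free(s->elements[i]);
    free(s->elements);
    model_stack_init(s);
}

/* Pushes 70 integers onto a fresh stack, forcing one growth step past 64.
 * Returns the final top (70) when capacity reached 128, otherwise -1. */
int model_stack_fill_demo(void)
{
    model_stack s;
    model_stack_init(&s);
    for (int i = 0; i < 70; i++) {
        if (model_stack_push_checked(&s, &i, sizeof i) < 0) {
            model_stack_destroy(&s);
            return -1;
        }
    }
    int top = s.top, max = s.max;
    model_stack_destroy(&s);
    return (max == 2 * MODEL_STACK_BLOCK_SIZE) ? top : -1;
}

/* Attempts a push on the constructed bad state; the checked push returns -1
 * without touching the NULL array. */
int model_stack_bad_state_demo(void)
{
    model_stack s;
    int value = 42;
    model_stack_make_inconsistent(&s);
    return model_stack_push_checked(&s, &value, sizeof value);
}

int main(void)
{
    printf("fill demo top=%d\n", model_stack_fill_demo());
    printf("push on inconsistent stack=%d\n", model_stack_bad_state_demo());
    return 0;
}
```

The invariant check is cheap and turns a process-killing crash into a logged failure, but it is a guard, not a fix: the interesting question for the upstream report is which code path leaves max set while elements is unallocated, and a guard like this only makes that path visible rather than fatal.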
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1407990
Title:
apache2.4 mod-php5.5 random segmentation faults in zend_stack_push()
and zend_hash_find()
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1407990/+subscriptions
More information about the Ubuntu-server-bugs mailing list