[Bug 503396] [NEW] canary mismatch on efree()

Hal hal at burgiss.net
Tue Jan 5 14:57:33 GMT 2010


Public bug reported:

Binary package hint: php5

After spending some time researching this, I realize the root cause may
not be in PHP itself (but it might be), but not knowing the root cause, I
am reporting it here.

Environment: Ubuntu 8.04, PHP 5.2.4-2ubuntu5.9 with Suhosin-Patch
0.9.6.2, suhosin, xcache, xdebug, mysql, gd, curl, ffmpeg, cli. The
server runs several vhosted sites. The problem occurs consistently on
one line of one site only. The site in question runs Drupal, and the
error is triggered by the Drupal webforms module (at the same line every
time) upon a form submission.

Symptoms: After several days (3 to 14 days), the following error is
reported:

Jan  4 22:07:14 Garth suhosin[25113]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '67.141.28.120', file '/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan  4 22:07:15 Garth suhosin[25116]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '67.141.28.120', file '/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan  4 22:11:47 Garth suhosin[25119]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '68.42.206.239', file '/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan  4 22:11:47 Garth suhosin[25141]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '68.42.206.239', file '/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan  4 22:21:57 Garth suhosin[25154]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '67.141.28.49', file '/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)
Jan  4 22:21:58 Garth suhosin[25139]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '67.141.28.49', file '/raid/clients/midway.edu/htdocs/modules/webform/webform.module', line 2201)

etc, etc.

Always at the exact same line number. At this point, anybody submitting
any form on the site in question will trigger the error. Forms are an
important aspect of the site, and this is breaking that functionality as
none of the forms work as expected. Restarting Apache temporarily
solves/works around the problem.

Line 2201, which triggers the error:

  return $strict ? filter_xss($string) : $string;

The filter_xss() Drupal function that is referenced:

function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
  // site scripting issues on Internet Explorer 6.
  if (!drupal_validate_utf8($string)) {
    return '';
  }
  // Store the input format
  _filter_xss_split($allowed_tags, TRUE);
  // Remove NUL characters (ignored by some browsers)
  $string = str_replace(chr(0), '', $string);
  // Remove Netscape 4 JS entities
  $string = preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);

  // Defuse all HTML entities (the archive decoded '&amp;' to '&' in these
  // lines; restored here to what the Drupal 6 source actually reads)
  $string = str_replace('&', '&amp;', $string);
  // Change back only well-formed entities in our whitelist
  // Named entities
  $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
  // Decimal numeric entities
  $string = preg_replace('/&amp;#([0-9]+;)/', '&#\1', $string);
  // Hexadecimal numeric entities
  $string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);

  return preg_replace_callback('%
    (
    <(?=[^a-zA-Z!/])  # a lone <
    |                 # or
    <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
    |                 # or
    >                 # just a >
    )%x', '_filter_xss_split', $string);
}

This same site was moved from another Ubuntu 8.04 server with a very
similar environment, and in almost 1 year, this error never occurred
there.

# apt-cache policy php5
php5:
  Installed: 5.2.4-2ubuntu5.9
  Candidate: 5.2.4-2ubuntu5.9
  Version table:
 *** 5.2.4-2ubuntu5.9 0
        500 http://us.archive.ubuntu.com hardy-updates/main Packages
        500 http://security.ubuntu.com hardy-security/main Packages
        100 /var/lib/dpkg/status
     5.2.4-2ubuntu5 0
        500 http://us.archive.ubuntu.com hardy/main Packages

# php -v
PHP 5.2.4-2ubuntu5.9 with Suhosin-Patch 0.9.6.2 (cli) (built: Nov 26 2009 14:00:44)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
    with Xdebug v2.0.2, Copyright (c) 2002-2007, by Derick Rethans
    with Suhosin v0.9.22, Copyright (c) 2007, by SektionEins GmbH

# lsb_release -rd
Description:    Ubuntu 8.04.3 LTS
Release:        8.04

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
canary mismatch on efree() 
https://bugs.launchpad.net/bugs/503396
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.
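Editor's note on the alert in the report above. Suhosin wraps PHP's emalloc()/efree() and surrounds every block with canary bytes; at efree() it re-reads them, and any change produces the "canary mismatch on efree() - heap overflow detected" line, with the client address of the current request filled into the 'attacker' field. The check tells you only that memory around a block was modified between allocation and free. It cannot distinguish an exploit attempt from an ordinary memory bug in PHP or in a native extension (the reporter's build loads xcache, xdebug, gd, curl and ffmpeg), so the addresses in the log are not by themselves evidence of an attack. The following toy allocator, written for this page and not taken from Suhosin or from the report, shows the mechanism behind the alert: a fixed canary (a real hardened allocator draws it randomly at process start; fixed here so the demo is reproducible), a header before the user bytes, a trailer after them, and a free routine that reports which side was smashed. The function and constant names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy canary-guarded allocator in the style of a hardened PHP memory manager
 * (illustration only, not Suhosin's code).  Each block is laid out as
 *
 *     [ header: size | front canary ] [ user bytes ... ] [ back canary ]
 *
 * guarded_free() re-checks both canaries; a change means something wrote
 * outside the user region between allocation and free.
 */

#define CANARY_LEN 8

/* Assumption for the demo: a fixed canary so results are reproducible.
 * A real hardened allocator picks this value at process start so that an
 * attacker cannot simply write the expected bytes back.  It must not begin
 * with 0x00, or a one-byte NUL overrun would go unnoticed. */
static const uint8_t kCanary[CANARY_LEN] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D
};

typedef struct {
    size_t  size;               /* user-visible size of the block */
    uint8_t front[CANARY_LEN];  /* sits immediately before the user bytes */
} guard_header;

enum {
    GUARD_OK            = 0,
    GUARD_FRONT_CORRUPT = 1,    /* write before the block (underflow) */
    GUARD_BACK_CORRUPT  = 2     /* write past the end of the block (overflow) */
};

void *guarded_alloc(size_t n)
{
    guard_header *h = malloc(sizeof *h + n + CANARY_LEN);
    if (h == NULL)
        return NULL;
    h->size = n;
    memcpy(h->front, kCanary, CANARY_LEN);
    uint8_t *user = (uint8_t *)(h + 1);
    memcpy(user + n, kCanary, CANARY_LEN);   /* back canary right after the user bytes */
    return user;
}

/* Returns GUARD_OK, or GUARD_FRONT_CORRUPT / GUARD_BACK_CORRUPT. */
int guarded_free(void *p)
{
    if (p == NULL)
        return GUARD_OK;
    guard_header *h = (guard_header *)p - 1;
    int status = GUARD_OK;

    if (memcmp(h->front, kCanary, CANARY_LEN) != 0)
        status = GUARD_FRONT_CORRUPT;
    /* h->size is only trusted when the header was not trampled; a long
     * enough underflow could otherwise make us read out of bounds here. */
    else if (memcmp((uint8_t *)p + h->size, kCanary, CANARY_LEN) != 0)
        status = GUARD_BACK_CORRUPT;

    if (status != GUARD_OK) {
        /* This is where the hardened allocator logs its ALERT line and aborts
         * the request.  The block is deliberately not returned to malloc():
         * neighbouring allocator metadata may be corrupt as well. */
        fprintf(stderr, "ALERT - canary mismatch on guarded_free() - heap %s detected\n",
                status == GUARD_BACK_CORRUPT ? "overflow" : "underflow");
        return status;
    }
    free(h);
    return GUARD_OK;
}

/* Well-behaved code: 7 characters plus NUL fit exactly in 8 bytes. */
int demo_clean(void)
{
    char *buf = guarded_alloc(8);
    if (buf == NULL) return -1;
    memcpy(buf, "ABCDEFG", 8);
    return guarded_free(buf);
}

/* Classic off-by-one: the NUL of an 8-character string lands one byte past
 * an 8-byte block, on the first byte of the back canary. */
int demo_off_by_one(void)
{
    char *buf = guarded_alloc(8);
    if (buf == NULL) return -1;
    const char src[] = "ABCDEFGH";       /* 9 bytes including the NUL */
    memcpy(buf, src, sizeof src);
    return guarded_free(buf);
}

/* A write one byte before the block hits the front canary instead. */
int demo_underflow(void)
{
    char *buf = guarded_alloc(8);
    if (buf == NULL) return -1;
    buf[-1] = 'X';                       /* still inside our own allocation */
    return guarded_free(buf);
}

int main(void)
{
    printf("clean      -> %d\n", demo_clean());
    printf("off-by-one -> %d\n", demo_off_by_one());
    printf("underflow  -> %d\n", demo_underflow());
    return 0;
}
```

The off-by-one case is the shape of bug most often behind this alert: a copy that is one byte longer than its buffer corrupts nothing visible to the script and is only caught when the block is freed, which is why the alert names the PHP line that triggered the free rather than the code that did the writing. Reproducing the canary mismatch in a build with the suspect native extensions removed one at a time is the practical way to narrow down which component is writing out of bounds.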
