[Bug 1385050] [NEW] segfault and apparent memory corruption in tsrm_virtual_cwd.c
Jeff Waugh
1385050 at bugs.launchpad.net
Fri Oct 24 05:45:33 UTC 2014
Public bug reported:
I have an utterly reproducible segfault with php5-fpm 5.5.9+dfsg-1ubuntu4.4.
Here are the top 4 backtrace frames. It looks to these relatively naive
eyes like there's memory corruption in cwd, resolved_path, trypath, and
actual_path.
This trace was generated with realpath cache disabled, opcache disabled,
etc. I've attached a full gdb bt, and will attach a core file next.
#0 virtual_file_ex (state=state@entry=0x7fffe6661630, path=path@entry=0x774d240 "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", verify_path=verify_path@entry=0x0, use_realpath=use_realpath@entry=2) at /build/buildd/php5-5.5.9+dfsg/TSRM/tsrm_virtual_cwd.c:1153
path_length = <optimized out>
resolved_path = <error reading variable resolved_path (Cannot access memory at address 0x7fffe66605e0)>
start = <optimized out>
ll = <error reading variable ll (Cannot access memory at address 0x7fffe66605d4)>
t = <error reading variable t (Cannot access memory at address 0x7fffe66605d8)>
ret = <optimized out>
add_slash = <optimized out>
tmp = <optimized out>
#1 0x000000000068b3a4 in tsrm_realpath (path=path@entry=0x774d240 "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", real_path=real_path@entry=0x7fffe6662750 "") at /build/buildd/php5-5.5.9+dfsg/TSRM/tsrm_virtual_cwd.c:1954
new_state = {cwd = 0x356fed0 "", cwd_length = 0}
cwd = '\000' <repeats 40 times>, "p\334IT\000\000\000\000/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", '\000' <repeats 3351 times>...
#2 0x0000000000692e50 in php_resolve_path (filename=0x774d240 "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", filename_length=65, path=0xb65a20 ".:/usr/share/php:/usr/share/pear") at /build/buildd/php5-5.5.9+dfsg/main/fopen_wrappers.c:503
resolved_path = '\000' <repeats 3336 times>...
trypath = "\260\375V\003\000\000\000\000A", '\000' <repeats 47 times>, "p\334IT\000\000\000\000/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", '\000' <repeats 15 times>, "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.a"...
ptr = <optimized out>
end = <optimized out>
p = <optimized out>
actual_path = 0x68b3e9 <tsrm_realpath+281> "H\211\330H\213\214$\030\020"
wrapper = <optimized out>
#3 0x000000000054c6e5 in phar_find_in_include_path (filename=0x774d240 "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", filename_len=65, pphar=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/ext/phar/util.c:290
try_len = 13289150
path = 0xcac6be <php_execute.entry_semaphore> ""
fname = <optimized out>
arch = 0x7f77c6f5dc48 " \334y"
entry = 0xcac6ba <php_function.entry_semaphore> ""
ret = 0x0
test = <optimized out>
arch_len = 0
entry_len = 0
fname_len = <optimized out>
ret_len = <optimized out>
phar = 0xcac6bc <php_execute.return_semaphore>
#4 0x000000000079bb96 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x779e378) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_vm_execute.h:30889
file_handle = {type = 25021472, filename = 0xcc91a0 <executor_globals> "", opened_path = 0x779e1f8 "", handle = {fd = 7984485, fp = 0x79d565 <zend_do_fcall_common_helper_SPEC+1109>, stream = {handle = 0x79d565 <zend_do_fcall_common_helper_SPEC+1109>, isatty = 125428784, mmap = {len = 140152415837928, pos = 125428280, map = 0x779e430, buf = 0x775a000 "P\240u\a", old_handle = 0x775a000, old_closer = 0x779e378}, reader = 0x7f77c6f5df78, fsizer = 0x1, closer = 0x724aa9 <ZEND_JMPZ_SPEC_VAR_HANDLER+185>}}, free_filename = 120 'x'}
resolved_path = <optimized out>
opline = 0x7f77c6f5dfa8
new_op_array = 0x0
inc_filename = 0x7759fa0
tmp_inc_filename = 0x0
failure_retval = 0 '\000'
** Affects: php5 (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "core-php5-fpm.16825.gdb.bz2"
https://bugs.launchpad.net/bugs/1385050/+attachment/4243071/+files/core-php5-fpm.16825.gdb.bz2