sektioneins / suhosin

SUHOSIN [수호신] for PHP 5.x - The PHP security extension.
https://www.suhosin.org

Segmentation fault with enabled suhosin #114

Open milo opened 7 years ago

milo commented 7 years ago

Hi,

I'm getting segfault with suhosin enabled. When disabled, everything works fine. Environment and steps to reproduce it:

# uname -a
Linux jessie 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) x86_64 GNU/Linux

# dpkg -l | grep php
ii  dh-php5                        0.2                         all  
ii  libapache2-mod-php5            5.6.29+dfsg-0+deb8u1        amd64
ii  php-pear                       5.6.29+dfsg-0+deb8u1        all  
ii  php5-cli                       5.6.29+dfsg-0+deb8u1        amd64
ii  php5-common                    5.6.29+dfsg-0+deb8u1        amd64
ii  php5-dev                       5.6.29+dfsg-0+deb8u1        amd64
ii  php5-fpm                       5.6.29+dfsg-0+deb8u1        amd64
ii  php5-json                      1.3.6-1                     amd64
ii  php5-mysqlnd                   5.6.29+dfsg-0+deb8u1        amd64
ii  php5-readline                  5.6.29+dfsg-0+deb8u1        amd64
ii  php5-sqlite                    5.6.29+dfsg-0+deb8u1        amd64
ii  php5-suhosin-extension         0.9.38-1                    amd64
ii  pkg-php-tools                  1.28                        all  

# php -v
PHP 5.6.29-0+deb8u1 (cli) (built: Dec 13 2016 16:02:08)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    with Suhosin v0.9.38, Copyright (c) 2007-2015, by SektionEins GmbH

# php -m
# suhosin module is from  "deb http://repo.suhosin.org/ debian-jessie main"
[PHP Modules]
bcmath
bz2
calendar
Core
ctype
date
dba
dom
ereg
exif
fileinfo
filter
ftp
gettext
hash
iconv
json
libxml
mbstring
mhash
mysql
mysqli
mysqlnd
ncurses
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
readline
Reflection
session
shmop

Following is the setup of the Nette Sandbox application:

# Setup by Composer (if you prefer prepared zipped application, let me know)
cd /tmp
composer create-project nette/sandbox sandbox v2.4.3

Segfault can be reproduced from CLI

cd /tmp/sandbox/www/
php index.php
Segmentation fault

Or if you wish to reproduce it from Apache2, set up proper permissions:

cd /tmp/sandbox
chown www-data:www-data log temp
chmod 775 log temp
cd /var/www/
ln -s /tmp/sandbox/www sandbox
# go to http://localhost/sandbox

# in log
[Mon Feb 06 17:42:59.378335 2017] [core:notice] [pid 14486] AH00052: child pid 14563 exit signal Segmentation fault (11)
[Mon Feb 06 17:42:59.378341 2017] [core:notice] [pid 14486] AH00052: child pid 14564 exit signal Segmentation fault (11)
[Mon Feb 06 17:42:59.378346 2017] [core:notice] [pid 14486] AH00052: child pid 14565 exit signal Segmentation fault (11)
[Mon Feb 06 17:42:59.378352 2017] [core:notice] [pid 14486] AH00052: child pid 14566 exit signal Segmentation fault (11)
[Mon Feb 06 17:43:00.380444 2017] [core:notice] [pid 14486] AH00052: child pid 14560 exit signal Segmentation fault (11)

If you don't want to prepare the setup, please let me know how I can collect debug information for you.

Btw, I have to disable the suhosin module for composer to run.

milo commented 7 years ago

I tried to isolate it and:

1) there is a generated warning
2) translated to exception
3) which is thrown inside a `__toString()` method
4) and it causes the segfault on the given stack

Isolated source of warning is:

<?php
// A variable function name called with argument unpacking ("..." operator, PHP >= 5.6)
$func = 'preg_replace';
$args = [
  0 => '#a#',
  1 => 'b',
  2 => 'aaa',
];

// With suhosin loaded, the call does not receive its arguments:
$func(...$args);

# PHP Warning:  preg_replace() expects at least 3 parameters, 0 given in /var/www/html/sandbox/www/test.php on line 11

In the sandbox setup I posted above, the warning is thrown on this line.
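The following diagnostic is an added example, not milo's code and not part of suhosin or Nette: it reproduces steps 1 and 2 of the chain above (warning raised, converted to an ErrorException by an error handler) for the isolated `$func(...$args)` call, and goes beyond the report by running the same argument list through two other call forms, so a practitioner can confirm on a given build which form loses its arguments. Treating the two extra forms as comparison points is an assumption; the page does not state how they behave under suhosin.

```php
<?php
// Added diagnostic (not milo's code): run the same preg_replace() call through
// three call forms and report which of them reaches the function with 0 arguments.
// Requires PHP >= 5.6 for the "..." argument-unpacking operator.

// Step 2 of the report: turn every warning into an ErrorException so the failing
// form surfaces as a catchable exception instead of a line in the log.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

$func = 'preg_replace';
$args = ['#a#', 'b', 'aaa'];   // on a working build this yields "bbb"

// The first form is the one milo isolated; the other two are comparison points
// (assumption: the forms a practitioner would try to narrow the fault down).
$forms = [
    'variable function + unpacking ($func(...$args))'     => function () use ($func, $args) {
        return $func(...$args);
    },
    'literal name + unpacking (preg_replace(...$args))' => function () use ($args) {
        return preg_replace(...$args);
    },
    'call_user_func_array($func, $args)'                 => function () use ($func, $args) {
        return call_user_func_array($func, $args);
    },
];

foreach ($forms as $label => $call) {
    try {
        $result = $call();
        printf("OK    %-52s => %s\n", $label, var_export($result, true));
    } catch (ErrorException $e) {
        // On the affected build, "expects at least 3 parameters, 0 given"
        // lands here for the broken form.
        printf("WARN  %-52s => %s\n", $label, $e->getMessage());
    }
}

restore_error_handler();
```

Run it once with suhosin loaded and once with the extension disabled (the reporter states the call works in that case); a form that reports WARN only in the first run is the one the extension breaks.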