Confirmed infinite loop/wedging bug in PHP on i386
Jeremy Chadwick
freebsd at jdc.parodius.com
Tue Jan 4 11:10:21 UTC 2011
There's some discussion in the "web world" about a known problem with
PHP on 32-bit x86 architectures:

http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/
http://news.ycombinator.com/item?id=2066084

I've confirmed FreeBSD is affected, with PHP built from ports. The
issue does not affect amd64. I don't have other architectures to test
with, but I imagine only x86 is affected.

Testing/reproducing it is simple via CLI:

php -r '$d = 2.2250738585072011e-308;'

The interpreter will immediately begin chewing up 100% CPU. FreeBSD
version does not appear to matter.

This issue would affect CLI, CGI, and Apache module versions, and
depending on one's code, would be exploitable via $_GET and $_POST
variables or similar. That's one thing that makes this incredibly
dangerous (classifiable as a DoS). Server administrators should be
very concerned; ktrace/truss/etc. will not show anything going on when
this happens, only that the process is taking up 100% CPU.

For an explanation that makes a bit of sense, see the 2nd URL above, and
search for "IA-32". I imagine optimisation levels (-O vs. -O0 vs. -O2)
can play a role here as well.

The workaround seems to be adding -ffloat-store to CFLAGS during
compile-time on 32-bit architectures. I haven't personally tested this,
but the explanation seems reasonable.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP 4BD6C0CB |
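An added example, not part of the post above: a small C probe that shows what the correct answer for the reported literal is and checks a strtod implementation for the wedging behaviour without letting it take the shell down with it. The string 2.2250738585072011e-308 lies just below the midpoint between the largest subnormal double and DBL_MIN, so a correctly rounding parser must return the largest subnormal, bit pattern 0x000FFFFFFFFFFFFF (one ulp below DBL_MIN). The probe forks, arms alarm(), and reports whether the child finished with the right value, finished with a wrong value, or was killed while still spinning. It also prints FLT_EVAL_METHOD, which is 2 on an i386 build using x87 extended precision for intermediates (the situation -ffloat-store is meant to neutralise) and 0 on amd64/SSE builds. Assumptions: the function names, the 5-second budget, and the use of the C library's strtod are mine; PHP parses floats with its own bundled zend_strtod rather than libc's, so a clean result here says something about the toolchain's floating-point model, not about PHP itself, and the php -r test in the post remains the authoritative check.

```c
#include <float.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The literal from the report. Its correctly rounded double is the largest
 * subnormal, one ulp below DBL_MIN: bit pattern 0x000FFFFFFFFFFFFF. */
static const char *kTrigger = "2.2250738585072011e-308";
static const uint64_t kExpectedBits = 0x000FFFFFFFFFFFFFULL;

static uint64_t double_bits(double d) {
    uint64_t u;
    memcpy(&u, &d, sizeof u);
    return u;
}

/* Returns 1 if this platform's strtod yields the correctly rounded result
 * for the trigger string, 0 otherwise. Also cross-checks the constant:
 * the expected value must be exactly one representable step below DBL_MIN. */
int strtod_is_correct(void) {
    char *end = NULL;
    double d = strtod(kTrigger, &end);
    if (end == NULL || *end != '\0')
        return 0;
    if (double_bits(DBL_MIN) != kExpectedBits + 1)
        return 0;
    return double_bits(d) == kExpectedBits;
}

/* Run strtod on the trigger in a child with a wall-clock budget.
 * Returns 0 = finished with correct value, 1 = finished with wrong value,
 * 2 = still spinning after timeout_sec (the hang described in the report),
 * -1 = the probe itself failed (fork/waitpid). */
int probe_strtod(unsigned timeout_sec) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        alarm(timeout_sec);                  /* SIGALRM kills a wedged child */
        _exit(strtod_is_correct() ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGALRM)
        return 2;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(void) {
    /* FLT_EVAL_METHOD 2 = intermediates kept in x87 extended precision,
     * the i386 situation the -ffloat-store workaround targets; 0 = SSE. */
    printf("FLT_EVAL_METHOD=%d\n", FLT_EVAL_METHOD);
    int r = probe_strtod(5);                 /* 5-second budget: assumption */
    printf("strtod(\"%s\"): %s\n", kTrigger,
           r == 0 ? "correct (0x000fffffffffffff)" :
           r == 1 ? "WRONG value" :
           r == 2 ? "HANG (child killed after timeout)" : "probe failed");
    return r == 0 ? 0 : 1;
}
```

To compare floating-point models on an i386 host, build the probe once with the default flags and once with -ffloat-store (or -mfpmath=sse, where the CPU supports it) and compare the FLT_EVAL_METHOD line and the result; the same timeout-in-a-child pattern can wrap the php -r command from the post to test an installed PHP binary without hanging the calling shell.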