PHP 7.2: SIGSEGV in OpenSSL

Marcel Bonnet marcelbonnet at gmail.com
Tue Apr 23 15:48:01 UTC 2019


Hi.
Did you find a solution? Please let me know.

A simple command, like the one below, is enough to cause a segmentation fault,
but it depends on which extensions are enabled (php73-ldap or php73-curl;
probably any using openssl).

$  php -r "phpinfo();"

$  uname -a
FreeBSD machine.STUDIO 12.0-STABLE FreeBSD 12.0-STABLE #2 r344331M: Fri
Mar  8 08:36:23 -03 2019
marcelbonnet at machine.STUDIO:/usr/obj/usr/src/amd64.amd64/sys/MACHINE-12
amd64

$  pkg iinfo php73
php73-7.3.4
php73-composer-1.8.4
php73-ctype-7.3.4
php73-curl-7.3.4
php73-filter-7.3.4
php73-hash-7.3.4
php73-intl-7.3.4
php73-json-7.3.4
php73-mbstring-7.3.4
php73-opcache-7.3.4
php73-openssl-7.3.4
php73-phar-7.3.4

$  gdb /usr/local/bin/php php.core

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Core was generated by `php -r phpinfo();'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libelf.so.2...Reading symbols from /usr/lib/debug//lib/libelf.so.2.debug...done.
done.
Loaded symbols for /lib/libelf.so.2
Reading symbols from /lib/libcrypt.so.5...Reading symbols from /usr/lib/debug//lib/libcrypt.so.5.debug...done.
done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /usr/local/lib/libargon2.so.0...done.
Loaded symbols for /usr/local/lib/libargon2.so.0
Reading symbols from /lib/libm.so.5...Reading symbols from /usr/lib/debug//lib/libm.so.5.debug...done.
done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libthr.so.3...Reading symbols from /usr/lib/debug//lib/libthr.so.3.debug...done.
done.
Loaded symbols for /lib/libthr.so.3
Reading symbols from /usr/local/lib/libxml2.so.2...done.
Loaded symbols for /usr/local/lib/libxml2.so.2
Reading symbols from /lib/libz.so.6...Reading symbols from /usr/lib/debug//lib/libz.so.6.debug...done.
done.
Loaded symbols for /lib/libz.so.6
Reading symbols from /usr/lib/liblzma.so.5...Reading symbols from /usr/lib/debug//usr/lib/liblzma.so.5.debug...done.
done.
Loaded symbols for /usr/lib/liblzma.so.5
Reading symbols from /usr/local/lib/libpcre2-8.so.0...done.
Loaded symbols for /usr/local/lib/libpcre2-8.so.0
Reading symbols from /lib/libc.so.7...BFD: /lib/libc.so.7: invalid relocation type 37
BFD: BFD 2.17.50 [FreeBSD] 2007-07-03 assertion fail /usr/src/gnu/usr.bin/binutils/libbfd/../../../../contrib/binutils/bfd/elf64-x86-64.c:276
Reading symbols from /usr/lib/debug//lib/libc.so.7.debug...done.
done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/local/lib/php/20180731-debug/opcache.so...done.
Loaded symbols for /usr/local/lib/php/20180731-debug/opcache.so
Reading symbols from /lib/libcrypto.so.111...Reading symbols from /usr/lib/debug//lib/libcrypto.so.111.debug...done.
done.
Loaded symbols for /lib/libcrypto.so.111
Reading symbols from /libexec/ld-elf.so.1...Reading symbols from /usr/lib/debug//libexec/ld-elf.so.1.debug...done.
done.
Loaded symbols for /libexec/ld-elf.so.1
#0  openssl_lh_strcasehash (c=0x802b618a2 <Address 0x802b618a2 out of
bounds>) at /usr/src/crypto/openssl/crypto/lhash/lhash.c:361
361         if (c == NULL || *c == '\0')
[New Thread 800f63000 (LWP 100460/<unknown>)]
(gdb) bt
#0  openssl_lh_strcasehash (c=0x802b618a2 <Address 0x802b618a2 out of
bounds>) at /usr/src/crypto/openssl/crypto/lhash/lhash.c:361
#1  0x0000000801c811fd in obj_name_hash (a=0x7fffffffdad0) at
/usr/src/crypto/openssl/crypto/objects/o_names.c:166
#2  0x0000000801d37036 in OPENSSL_LH_delete (lh=0x800f87fc0,
data=0x7fffffffdad0) at /usr/src/crypto/openssl/crypto/lhash/lhash.c:302
#3  0x0000000801c80e78 in OBJ_NAME_remove (name=0x802b618a2 <Address
0x802b618a2 out of bounds>, type=1) at obj_lcl.h:12
#4  0x0000000801d3731a in OPENSSL_LH_doall (lh=0x800f87fc0,
func=0x801c81170 <names_lh_free_doall>)
    at /usr/src/crypto/openssl/crypto/lhash/lhash.c:198
#5  0x0000000801c81108 in OBJ_NAME_cleanup (type=1) at obj_lcl.h:12
#6  0x0000000801c8e468 in evp_cleanup_int () at
/usr/src/crypto/openssl/crypto/evp/names.c:83
#7  0x0000000801d6915d in OPENSSL_cleanup () at
/usr/src/crypto/openssl/crypto/init.c:567
#8  0x0000000800ccb205 in __cxa_finalize (dso=0x0) at
/usr/src/lib/libc/stdlib/atexit.c:239
#9  0x0000000800c5b781 in exit (status=0) at
/usr/src/lib/libc/stdlib/exit.c:74
#10 0x00000000007a9560 in main (argc=3, argv=0x7fffffffde08) at
php_cli.c:1427
Current language:  auto; currently minimal


On Mon, 21 Jan 2019 at 17:00, Stefan Bethke <stb at lassitu.de> wrote:

> I'm seeing a lot of coredumps with a stack trace similar to this, on a
> 12-stable machine:
>
> # gdb /usr/local/sbin/httpd /httpd.core
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-marcel-freebsd"...
> Core was generated by `/usr/local/sbin/httpd -DNOHTTPACCEPT'.
> Program terminated with signal 11, Segmentation fault.
> ...
> (gdb) bt
> #0  openssl_lh_strcasehash (c=0x803466cf2 <Address 0x803466cf2 out of
> bounds>)
>     at /freebsd/checkout/src/12/crypto/openssl/crypto/lhash/lhash.c:361
> #1  0x000000080138564d in obj_name_hash (a=0x7fffffffe9d0)
>     at /freebsd/checkout/src/12/crypto/openssl/crypto/objects/o_names.c:166
> #2  0x000000080143be77 in OPENSSL_LH_delete (lh=0x800a27240,
>     data=0x7fffffffe9d0)
>     at /freebsd/checkout/src/12/crypto/openssl/crypto/lhash/lhash.c:302
> #3  0x00000008013852c8 in OBJ_NAME_remove (
>     name=0x803466cf2 <Address 0x803466cf2 out of bounds>, type=1)
>     at obj_lcl.h:12
> #4  0x000000080143c15a in OPENSSL_LH_doall (lh=0x800a27240,
>     func=0x8013855c0 <names_lh_free_doall>)
>     at /freebsd/checkout/src/12/crypto/openssl/crypto/lhash/lhash.c:198
> #5  0x0000000801385558 in OBJ_NAME_cleanup (type=1) at obj_lcl.h:12
> #6  0x0000000801392918 in evp_cleanup_int ()
>     at /freebsd/checkout/src/12/crypto/openssl/crypto/evp/names.c:83
> #7  0x000000080146e39d in OPENSSL_cleanup ()
>     at /freebsd/checkout/src/12/crypto/openssl/crypto/init.c:567
> #8  0x00000008007a24e5 in __cxa_finalize (dso=0x0)
>     at /freebsd/checkout/src/12/lib/libc/stdlib/atexit.c:233
> #9  0x00000008007320e1 in exit (status=54947058)
>     at /freebsd/checkout/src/12/lib/libc/stdlib/exit.c:62
> #10 0x0000000800a55118 in ?? ()
> #11 0x00007fffffffeb90 in ?? ()
>
> The one case I could isolate the PHP code is calling
> stream_socket_enable_crypto(), but I suspect there might be others. Is
> anybody else seeing this?
>
>
> Stefan
>
> --
> Stefan Bethke <stb at lassitu.de>   Fon +49 151 14070811


-- 
Marcel Bonnet
github.com/marcelbonnet/
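
An added triage example, not part of the thread and not FreeBSD, PHP or OpenSSL project code: it reduces the two gdb backtraces above to address-independent signatures to check that they are the same crash, and that the fault sits below `exit()` in OpenSSL's exit-time cleanup. The function names `frames`, `signature` and `crashed_in_exit_cleanup` are hypothetical; the embedded traces are excerpts of the ones posted above.

```python
import re

# Excerpts of the two gdb backtraces posted in this thread (frames #2-#6 and
# some source-path lines omitted for brevity; line wrapping kept as mailed).
PHP_BT = """\
#0  openssl_lh_strcasehash (c=0x802b618a2 <Address 0x802b618a2 out of
bounds>) at /usr/src/crypto/openssl/crypto/lhash/lhash.c:361
#1  0x0000000801c811fd in obj_name_hash (a=0x7fffffffdad0) at
/usr/src/crypto/openssl/crypto/objects/o_names.c:166
#7  0x0000000801d6915d in OPENSSL_cleanup () at
/usr/src/crypto/openssl/crypto/init.c:567
#8  0x0000000800ccb205 in __cxa_finalize (dso=0x0) at
/usr/src/lib/libc/stdlib/atexit.c:239
#9  0x0000000800c5b781 in exit (status=0) at
/usr/src/lib/libc/stdlib/exit.c:74
#10 0x00000000007a9560 in main (argc=3, argv=0x7fffffffde08) at
php_cli.c:1427
"""
HTTPD_BT = """\
#0  openssl_lh_strcasehash (c=0x803466cf2 <Address 0x803466cf2 out of
bounds>)
    at /freebsd/checkout/src/12/crypto/openssl/crypto/lhash/lhash.c:361
#1  0x000000080138564d in obj_name_hash (a=0x7fffffffe9d0)
#7  0x000000080146e39d in OPENSSL_cleanup ()
#8  0x00000008007a24e5 in __cxa_finalize (dso=0x0)
#9  0x00000008007320e1 in exit (status=54947058)
#10 0x0000000800a55118 in ?? ()
"""

# A frame line starts with "#N", optionally "0xADDR in ", then the function.
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(", re.M)

def frames(bt):
    """Function names in frame order; wrapped continuation lines are skipped."""
    return [name for _, name in FRAME.findall(bt)]

def signature(bt):
    """Bucket key: names from the faulting frame down to exit(), without
    addresses, build paths, unresolved '??' frames or the host program."""
    names = frames(bt)
    if "exit" in names:
        names = names[:names.index("exit") + 1]
    return tuple(n for n in names if n != "??")

def crashed_in_exit_cleanup(bt):
    """True when exit() -> __cxa_finalize -> OPENSSL_cleanup is on the stack."""
    names = frames(bt)
    chain = ["OPENSSL_cleanup", "__cxa_finalize", "exit"]
    return any(names[i:i + 3] == chain for i in range(len(names)))
```

Both traces produce the same signature even though one comes from the `php` CLI and the other from `httpd`, which is what lets a crash collector file them under one bug.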

