Security Incidents mailing list archives

Re: Follow up on Apache Wierdness


From: Michel Kaempf <maxx () VIA ECP FR>
Date: Fri, 15 Sep 2000 12:43:19 +0200

On Thu, Sep 14, 2000, Max0r wrote:
I am running Apache/1.3.12 with PHP/4.0b4

These are the entries from the apache error_log:

[Thu Sep 7 16:55:56 2000] [error] PHP Fatal error: ht=0818a284 is
already destroyed in zend_hash.c:519 in Unknown on line 0

[Thu Sep 7 16:55:57 2000] [notice] child pid 335 exit signal
Segmentation Fault (11)

Very interesting. I recently saw a core file produced by an Apache/1.3.9
with PHP/3.0.12:

# file core
core: ELF 32-bit LSB core file of 'httpd' (signal 11), Intel 80386, version 1

# grep Segmentation error_log
[notice] child pid 11159 exit signal Segmentation fault (11)
[notice] child pid 30081 exit signal Segmentation fault (11)
[notice] child pid 26236 exit signal Segmentation fault (11)
[notice] child pid 30080 exit signal Segmentation fault (11)

Fortunately, there was still a non-stripped version of the httpd binary
somewhere on the system. Here is what I found out with GDB:

# gdb httpd core
Core was generated by `httpd'.
Program terminated with signal 11, Segmentation fault.
#0  _php3_hash_destroy (ht=0x8000004) at php3_hash.c:668
668             p = ht->pListHead;
(gdb) bt
#0  _php3_hash_destroy (ht=0x8000004) at php3_hash.c:668
#1  0x806a183 in pval_destructor (pvalue=0x820bfc8) at variables.c:85
#2  0x8066748 in _php3_hash_destroy (ht=0x81374e0) at php3_hash.c:674
#3  0x80645a7 in php3_request_shutdown (dummy=0x0) at main.c:790
#4  0x80a78be in run_cleanups ()
#5  0x80a5f60 in ap_clear_pool ()
#6  0x80a5fe1 in ap_destroy_pool ()
#7  0x80a5f4f in ap_clear_pool ()
#8  0x80b5f6f in child_main ()
#9  0x80b65c2 in make_child ()
#10 0x80b6956 in perform_idle_server_maintenance ()
#11 0x80b6e95 in standalone_main ()
#12 0x80b7443 in main ()
#13 0x400eaa42 in __libc_start_main () from /lib/libc.so.6

I did not dig further into it, because I did not have the time to do so.
But what looks interesting is the fact that the segmentation violation
occurs in php3_hash.c in one case and zend_hash.c in the other case,
files which serve the same purpose but one for PHP3 and the other for
PHP4.

However, the segmentation violation, according to GDB, seems to have
occurred when dereferencing ht which perhaps was NULL, or perhaps because
the previous malloc() successfully returned this pointer, but the kernel
did not have enough memory to really allocate the needed space.

If I look at the segmentation violation in both schemes, I would say
that PHP was trying to destroy an already destroyed variable, thus
dereferencing the NULL pointer ht. But I did not look closely enough at
the core file and to the PHP sources to be able to say it actually was
this. Any comments? Something else someone would like to know about the
core file? I will try to work on this this weekend, and perhaps it would
be a good idea to write a bug report to the PHP people.

--
MaXX
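The double-destroy scenario suspected above (a hash table's destructor called a second time on a table whose buckets have already been freed) is exactly what the "ht=... is already destroyed" message from the PHP4 log guards against. As an added illustration, not code from this thread or from PHP, here is a constructed minimal table with a destroyed flag whose destructor refuses the second call instead of walking a dangling pListHead; the struct layout, function names and return codes are assumptions made for this example.

```c
#include <stdlib.h>
/* Constructed stand-in for a PHP-style hash table (not Zend or PHP3 code):
 * a singly linked bucket list plus a flag that records destruction. */
typedef struct bucket {
    const char *key;
    struct bucket *pListNext;
} Bucket;

typedef struct hashtable {
    Bucket *pListHead;
    int destroyed;   /* 0 = live, 1 = already destroyed */
} HashTable;

/* Prepend a key; returns 0 on success, -1 on a dead table or malloc failure. */
int ht_add(HashTable *ht, const char *key) {
    Bucket *p;
    if (ht->destroyed) return -1;
    p = malloc(sizeof *p);
    if (!p) return -1;
    p->key = key;
    p->pListNext = ht->pListHead;
    ht->pListHead = p;
    return 0;
}

/* Free every bucket. Returns the count freed, or -1 when the table was already
 * destroyed: a second call must not walk pListHead, which would now be a
 * dangling pointer (the situation the "already destroyed" log line reports). */
int ht_destroy(HashTable *ht) {
    Bucket *p, *next;
    int n = 0;
    if (ht->destroyed) return -1;
    for (p = ht->pListHead; p; p = next) {
        next = p->pListNext;
        free(p);
        n++;
    }
    ht->pListHead = NULL;   /* also defuses a naive re-walk */
    ht->destroyed = 1;
    return n;
}

/* Reproduce the double-destroy pattern: 1 if the second destroy was refused. */
int demo_double_destroy(void) {
    HashTable ht = { NULL, 0 };
    ht_add(&ht, "a");
    ht_add(&ht, "b");
    return ht_destroy(&ht) == 2 && ht_destroy(&ht) == -1;
}
```

Without the flag, the second call would read freed memory, which is the kind of corrupted ht value (0x8000004 rather than NULL) seen in the GDB frame above.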
