Bug 1398474

Summary:	PHP PCRE JIT (enabled by default) causes httpd to execmem (so a flood of AVCs)
Product:	[Fedora] Fedora	Reporter:	Adam Williamson <awilliam>
Component:	php	Assignee:	Remi Collet <fedora>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	25	CC:	fedora, jorton, public
Target Milestone:	---	Keywords:	CommonBugs
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	https://fedoraproject.org/wiki/Common_F25_bugs#php-execmem
Fixed In Version:	php-7.0.13-2.fc25	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-12-04 02:24:38 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Adam Williamson 2016-11-25 00:14:29 UTC

I just upgraded my web server to Fedora 25. Soon as HTTP and php-fpm-server start up, floods of AVCs start appearing in the system log:

Nov 24 15:45:30 www.happyassassin.net audit[6584]: AVC avc:  denied  { execmem } for  pid=6584 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

there are hundreds of them. Using the technique found at https://unix.stackexchange.com/questions/287831/how-to-work-out-why-apache-is-attempting-execmem , I got the same result multiple people got there: it's caused by the PHP PCRE JIT feature, which is enabled by default, in 7.0.

If I edit /etc/php.ini and change this line:

;pcre.jit=1

to:

pcre.jit=0

the problem goes away. If we can't fix this not to use execmem, we should flip the default for that setting.

Note that even though the docs claim it can be set anywhere, if I create a /etc/php.d/99-happyassassin.ini with this content:

[Pcre]
pcre.jit=0

it doesn't seem to work, execmems still occur. Not sure what's going on with that.

Comment 1 Remi Collet 2016-11-25 05:36:51 UTC

I cannot reproduce the ini file issue... strange, works for me (try without the section name, which is uneeded)

Indeed, I can reproduce the AVC and indeed switching pcre.jit=0 fix it

I will update the provided configuration in next build (7.0.14 planed for Dec 8th)

Comment 2 Remi Collet 2016-11-25 05:56:11 UTC

F26/PHP-7.1:  http://pkgs.fedoraproject.org/cgit/rpms/php.git/commit/?id=f5482baa0c1ae8a3063bbaf342ea7634f759d4de

F25/PHP-7.0: http://pkgs.fedoraproject.org/cgit/rpms/php.git/commit/?h=f25&id=2bc76e8f1bfcc41a89d2146e234b5de5c8f227e9

Comment 3 Adam Williamson 2016-11-25 06:14:46 UTC

thanks for that. the only thing that worries me is that many people will have modified php.ini locally and so will not get the change. could we flip the default in the code so that you have to have an explicit '=1' in config somewhere to get it?

Comment 4 Remi Collet 2016-11-25 06:32:31 UTC

Indeed, I usually never alter provided configuration in stable branch.

BTW:
- F25 is just released
- this AVC is not critical (it still works)
- I want to avoid non-upstream patch as much as possible

My plan is to talk with upstream about this default value.

Comment 5 Adam Williamson 2016-11-25 06:35:07 UTC

These days people probably are probably more likely to use php.d files (still can't figure out why I can't turn this off with one, though - yes, I've tried without a module name...), but it was pretty common practice for a long time to edit php.ini directly...

the AVC isn't critical indeed, but it absolutely spams the system logs, as it occurs dozens or hundreds of times a minute (for me at least) and winds up in both the journal and audit.log.

Ideal fix would, I guess, be to make the JIT thing work without needing execmem in the first place. No idea how possible/hard that is.

Comment 6 Fedora Update System 2016-11-25 07:31:16 UTC

php-7.0.13-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b03e84b3e5

Comment 7 Remi Collet 2016-11-25 07:54:32 UTC

Notice: bug #1290432

Comment 8 Fedora Update System 2016-11-27 22:58:43 UTC

php-7.0.13-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b03e84b3e5

Comment 9 Adam Williamson 2016-11-28 21:24:34 UTC

Also see pcre upstream bug: https://bugs.exim.org/show_bug.cgi?id=1749

Comment 10 Fedora Update System 2016-12-04 02:24:38 UTC

php-7.0.13-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 gaxweb 2017-11-15 08:34:06 UTC

Error still keeps coming up on Fedora 26 and PHP 7.1.11.

Comment 12 Remi Collet 2017-11-15 08:51:35 UTC

@gaxweb, check your pcre.jit configuration
(should be 0 from default provided configuration file)

Comment 13 gaxweb 2017-11-15 10:27:26 UTC

(In reply to Remi Collet from comment #12)
> @gaxweb, check your pcre.jit configuration
> (should be 0 from default provided configuration file)

I'm aware of that workaround. It's not a solution though, and the bot has closed the bug, which is why I replied. I'm also aware that it's being worked on elsewhere.

Comment 14 Remi Collet 2017-11-15 10:30:26 UTC

Default php.ini use pcre.jit=0

If you have altered your configuration, RPM cannot do anything else (one of the reason, changing php.ini is terribly bad idea, and the worst way to change php configuration)