Bug 152913

Summary: PHP segfaults
Product: [Retired] Fedora Legacy
Reporter: Need Real Name <perkins>
Component: General
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: deisenst
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: LEGACY, rh73, rh90
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:31:50 UTC
The new php-0-4.1.2-7.3.14.legacy.i386 package segfaults when running Squirrelmail 1.44 under 
RHL7.3. This is after restarting Apache a couple of times. This is the 1st time I've come across a 
segfault, so I'm not sure if I can be more useful in debugging. The apache logs give messages like:

child pid 30855 exit signal Segmentation fault (11)

Reverting to the previous PHP made that problem disappear. Otherwise, it hasn't broken any existing 
PHP apps on our other non-Squirrelmail boxes.



------- Additional Comments From michal 2005-03-07 08:04:58 ----

I can only say that squirrelmail-1.4.4 runs on RH7.3 with no troubles at
all but using php-4.3.10.  So it appears that recent legacy updates either
introduced or unmasked another bug in an older version of PHP.



------- Additional Comments From marcdeslauriers 2005-03-07 08:19:59 ----

squirrelmail 1.4.3a works for me on rh73 using php-4.1.2-7.3.14.

Could you please tell me what the version of packages you have installed?

rpm -q squirrelmail
rpm -q apache
rpm -q php
rpm -q php-imap
rpm -q imap

Thanks.



------- Additional Comments From perkins 2005-03-07 10:35:39 ----

Squirrelmail is installed from tarballs.

Other packages are:

apache-1.3.27-6.legacy
php-4.1.2-7.3.14.legacy
imap-2001a-10

The only php module I use is mysql, for IMAP I use Squirrelmail's built-in functions/classes.



------- Additional Comments From marcdeslauriers 2005-03-07 11:22:43 ----

Can you reproduce the problem at will? Does it segfault when you use a specific
part of squirrelmail?

What version of squirrelmail are you using?
Can you send me the squirrelmail config file?

I would like to reproduce the problem here.

Thanks!



------- Additional Comments From perkins 2005-03-07 12:56:33 ----

Created an attachment (id=1006)
config.php

This is my Squirrelmail config file



------- Additional Comments From perkins 2005-03-07 12:58:25 ----

Created an attachment (id=1007)
php config file from /etc

the only other oddness I can think of about our system is the use of libsafe.
Everything else is current vendor-supplied rpms.



------- Additional Comments From perkins 2005-03-07 13:03:45 ----

This is what's in httpd.conf related to php:

php_admin_value doc_root /home/httpd/html
php_admin_flag short_open_tag off
php_admin_flag safe_mode on
php_admin_value user_dir www
php_admin_flag y2k_compliance on
php_admin_flag  display_errors on
php_admin_flag log_errors on
php_admin_flag allow_url_fopen off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster"
php_admin_flag output_buffering on
php_admin_value max_execution_time 20
php_admin_flag safe_mode_gid on




------- Additional Comments From marcdeslauriers 2005-03-07 14:19:44 ----

Where did you get the libsafe rpms? I'll install them here.

Also, how do you reproduce the bug? Just by logging into squirrelmail?



------- Additional Comments From deisenst 2005-03-07 15:39:29 ----

Pardon my saying so, but I don't see a VERIFY vote in bug 2344 for
php-4.1.2-7.3.14.legacy (the PHP package(s) for RH 7.3).  

I do see a VERIFY vote there for the RH7.3 version of SAMBA (bug 2344 comment 91),
samba-2.2.12-0.73.7.legacy, but not for php.  Is this a problem?




------- Additional Comments From pekkas 2005-03-07 15:45:15 ----

With regard to #9, yes -- this should have been noticed before now :).
However, I actually intended to vote for VERIFY for _php_ packages, I just
cut'n'pasted the note about the wrong package.



------- Additional Comments From perkins 2005-03-08 00:14:38 ----

The libsafe RPMs were from 7.1 powertools.

The segfaults happened before login - the user doesn't even see a page, they just get an error message 
from the browser. Not sure if all the libraries are loaded for each Squirrelmail page including the default 
page, but it's the most memory-demanding PHP app we run. BTW, kernel is 2.4.20-37.7.legacy and the 
box has 817 RAM and plenty of it is free, swap is used very little.



------- Additional Comments From h_tom 2005-03-08 06:21:12 ----

Hi..
I've got same problem with legacy php packages (php-4.2.2-17.10.legacy.i386.rpm) 
for Redhat 9, tried on 3 machines.. same effect... php seems not working

after downgrade to previous version (php-4.2.2-17.7.legacy.i386.rpm) all again 
OK






------- Additional Comments From michal 2005-03-08 07:33:55 ----

A quick look at recent patches for php reveals at least two places with
a weird code.  In php-4.1.2-CAN-2004-1019.patch you see:

+                       if (*rval == *rval_ref) return 0;
+                       if (rval != NULL) {
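
Review bot: the NULL test on rval in the second added line comes too late, because the first added line has already dereferenced both rval and rval_ref in `*rval == *rval_ref`. If either pointer can be NULL here, test both before that comparison; if neither can, drop the `rval != NULL` test so the code does not suggest a guard that is not there.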

If rval cannot be NULL then the second test is just a noise.  If it can be,
or the same for rval_ref, then you will get a segfault when one of these
NULLs will happen.

The other one which left me gasping is that fragment from
php-4.1.2-openpkg-backport-v2.patch:

-       if ( (*offset)->value.lval > shmop->size ) {
+       if (offset < 0 || (*offset)->value.lval > shmop->size ) {
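
Review bot: `offset < 0` in the added condition compares the pointer itself with zero, not the integer it leads to, so this test never examines the offset value that the rest of the condition reads through `(*offset)->value.lval`. If the intent is to reject negative offsets, the lower bound belongs on the same field, e.g. `(*offset)->value.lval < 0 || (*offset)->value.lval > shmop->size`.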

offset is clearly a pointer to a pointer or a remainder of that test does
not make the slightest sense.  If so then an (offset < 0) comparison is
an utter bogosity and creates a distinct potential for false positives.
Indeed there is a declaration in a function which is using that:

     zval **shmid, **data, **offset;

although that function header comment confusingly claims:

   proto int shmop_write (int shmid, string data, int offset)

Ugh!!!!  I do not say that this is all.  It took considerably less time
to find these two than to write this note.
   



------- Additional Comments From marcdeslauriers 2005-03-08 14:42:50 ----

I see more broken code in the patch backport also :(

I'll fix the patches, create some test packages and post a URL here later tonight.



------- Additional Comments From marcdeslauriers 2005-03-08 15:50:52 ----

Created an attachment (id=1008)
Revised openpkg patch for 7.3

Here is a revised openpkg backport patch for 7.3



------- Additional Comments From marcdeslauriers 2005-03-08 15:52:31 ----

Created an attachment (id=1009)
Revised CAN-2004-1019 for rh73

Here is a revised CAN-2004-1019 patch for rh7.3

Test packages will follow when they finish compiling...



------- Additional Comments From marcdeslauriers 2005-03-08 16:43:12 ----

Hi John,

I have put some test rpms for rh7.3 here:

http://www.infostrategique.com/linuxrpms/marc/phptest/7.3/

Could you please try them out and report back here?

Thanks.




------- Additional Comments From marcdeslauriers 2005-03-08 18:20:59 ----

Tomas,

I have put some test rpms for rh9 here:

http://www.infostrategique.com/linuxrpms/marc/phptest/9/

Could you please try them out and report back here?

Thanks.



------- Additional Comments From perkins 2005-03-08 23:13:14 ----

I tried the posted RPMS for 7.3, and no more segfaults. I'll keep them in production for the rest of the 
day (I'm on European time) and see if any trouble develops. Looks good so far.



------- Additional Comments From h_tom 2005-03-08 23:32:51 ----

Hi Marc, thanx for fast reaction...
I've tried posted packages (*-17.11.legacy*) for RH9 and no more segfaults, php 
seems working OK now





------- Additional Comments From perkins 2005-03-08 23:55:14 ----

OK, we're experiencing some weirdness. File uploads don't work with Squirrelmail, and you can't send 
mail (I think, still looking into it). Error log has entries like:

[Wed Mar  9 09:35:14 2005] [error] PHP Warning:  File uploads are disabled in Unknown on line 0

Will have a look into it, see if this is a php.ini issue.



------- Additional Comments From perkins 2005-03-09 00:03:08 ----

Yes, it was a php.ini issue. I uninstalled php before trying your patches, so lost our custom php.ini. All 
appears normal now. Sorry.



------- Additional Comments From b.pennacchi.it 2005-03-09 11:42:44 ----

Sorry to barge in, but I have this strong urge to shout "malimortaccitua" to the
guy who wrote the wrong lines in the code of php's 17.10 release... :p

I use apache2, php and mysql on RH9.

When I told yum to update the 17.7 release of php and php-mysql, I was also
editing the config files to get rid of another error cluttering up my log files :-)

So when I restarted the httpd server and saw on the browser this error:

"Warning: Unable to access XΨ@/var/www/html/XΨ@ in Unknown on line 0 Warning:
Failed opening '/var/www/html/anypagein.php' for inclusion
(include_path='.:/usr/share/pear') in Unknown on line 0"

(please note that the 3 or 4 characters before /var and after html/ may vary
depending on charset settings)

I thought I had hit 2 or 3 non-ascii keys at once somewhere :) and wasted 2
hours in plucking google and config files before thinking that maybe this was
php's idea of segfault :p

*sigh* I know, I'm dense sometimes :)

To make a story short, marc's 17.11 release seems to have fixed this *specific*
error. phew.




------- Additional Comments From marcdeslauriers 2005-03-09 12:24:48 ----

I have prepared official Fedora Legacy packages that I would like to release today.

They are here:
http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/
http://download.fedoralegacy.org/redhat/9/updates-testing/i386/

Could you guys do me a favor and please install these official packages and
confirm everything still works so I can release them? They should be identical
to the test ones in comments 17 and 18, but they have been built on the FL build
server.

Thanks.

Marc.



------- Additional Comments From perkins 2005-03-09 12:49:43 ----

New packages from updates-testing don't obviously segfault. I did a bit of light testing. It's evening 
here now so I doubt we'll have much heavy use of the new packages till morning. All is well for now. 
Nice one.



------- Additional Comments From b.pennacchi.it 2005-03-09 13:41:29 ----

got the new rh9 packages (php, php-manual and php-mysql release 17.12)
installed 'em with rpm -Fvh over the 17.11, restarted httpd, checked php pages
to see if something broke down, all really a bit quickly, since I wasted too
much time before, as I said earlier :-)

When I'll get more sleep I'll try 'em harder :)

(just a silly question: FC1 wasn't affected by that bug?)



------- Additional Comments From marcdeslauriers 2005-03-09 13:51:31 ----

FC1 wasn't affected as we updated php to 4.3.10 instead of backporting the
openpkg patch. (Of course, by using a newer version of php instead of
backporting patches, we broke people using Zend Optimizer, but that's another
story... :) )




------- Additional Comments From h_tom 2005-03-09 14:06:57 ----

Hi..
tried newer build on my RH9's (*17.12-legacy*) and all OK... good job

good night guys ( 1 AM here ;-)




------- Additional Comments From marcdeslauriers 2005-03-09 14:58:14 ----

Updated packages were officially released to FL updates.

Thanks guys for helping out!



------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2444 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2444
Originally filed under the Fedora Legacy product and General component.
Bug depends on bug(s) 2344 2394.

Attachments:
config.php
https://bugzilla.fedora.us/attachment.cgi?action=view&id=1006
php config file from /etc
https://bugzilla.fedora.us/attachment.cgi?action=view&id=1007
Revised openpkg patch for 7.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=1008
Revised CAN-2004-1019 for rh73
https://bugzilla.fedora.us/attachment.cgi?action=view&id=1009

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.