Bug 199947
Summary: | wrong varargs use in php cause crash with KT application | |
---|---|---|---
Product: | Red Hat Enterprise Linux 4 | Reporter: | Bastien Nocera <bnocera>
Component: | php | Assignee: | Joe Orton <jorton>
Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 4.0 | CC: | rkhadgar
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2006-11-30 16:15:12 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 199938 | |
Bug Blocks: | | |
Attachments: | | |

Description
Bastien Nocera
2006-07-24 15:19:39 UTC
Created attachment 132922
php-wrong-varargs.patch

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

took the php packages from Fedora Core 3. I removed the php packages I had installed and installed the 4.3.11-2.8.x86_64 version of php, php-pear, php-ldap and php-mysql. This worked; the app now works fine and nothing else seems to have broken in the process. This tells me that the problem is definitely somewhere in one of those 4 php packages that come with RHEL4. I would still like a solution to this because the php packages that I now have installed come with no security updates. PHP has its share of security issues and so I would like to get ones I am sure are being updated; that is, after all, the entire point of using RHEL rather than Fedora.

The patch attached (although correct) isn't enough to fix the problem. Something is fishy in the use of varargs.

Finally managed to get a decent valgrind trace:

```
==13505== Invalid read of size 1
==13505==    at 0x4A1A932: strlen (mc_replace_strmem.c:245)
==13505==    by 0x9BB2919: xbuf_format_converter (spprintf.c:442)
==13505==    by 0x9BB2DC5: vspprintf (spprintf.c:645)
==13505==    by 0x9BAEEF8: php_error_cb (main.c:602)
==13505==    by 0x9BDDAFF: zend_error (zend.c:817)
==13505==    by 0x9BE92DE: zend_fetch_var_address (zend_execute.c:594)
==13505==    by 0x9BEC923: execute (zend_execute.c:1267)
==13505==    by 0x9BEF011: execute (zend_execute.c:2210)
==13505==    by 0x9BDDC4D: zend_execute_scripts (zend.c:891)
==13505==    by 0x9BB1432: php_execute_script (main.c:1752)
==13505==    by 0x9BF87B8: php_handler (sapi_apache2.c:575)
==13505==    by 0x1D9E2: ap_run_handler (in /usr/sbin/httpd)
==13505==  Address 0xDE86330 is 0 bytes after a block of size 32 alloc'd
==13505==    at 0x4A18B4E: malloc (vg_replace_malloc.c:149)
==13505==    by 0x9BCC551: _emalloc (zend_alloc.c:164)
==13505==    by 0x9BCCC8E: _estrndup (zend_alloc.c:381)
==13505==    by 0x9BC7BDC: lex_scan (zend_language_scanner.c:4502)
==13505==    by 0x9BD2D82: zendlex (zend_compile.c:2466)
==13505==    by 0x9BC33A7: zendparse (zend_language_parser.c:2053)
==13505==    by 0x9BCABCD: compile_file (zend_language_scanner.c:3110)
==13505==    by 0x9BEEF4F: execute (zend_execute.c:2161)
==13505==    by 0x9BDDC4D: zend_execute_scripts (zend.c:891)
==13505==    by 0x9BB1432: php_execute_script (main.c:1752)
==13505==    by 0x9BF87B8: php_handler (sapi_apache2.c:575)
==13505==    by 0x1D9E2: ap_run_handler (in /usr/sbin/httpd)
==13505==
==13505== Invalid read of size 1
==13505==    at 0x4A1A943: strlen (mc_replace_strmem.c:245)
==13505==    by 0x9BB2919: xbuf_format_converter (spprintf.c:442)
==13505==    by 0x9BB2DC5: vspprintf (spprintf.c:645)
==13505==    by 0x9BAEEF8: php_error_cb (main.c:602)
==13505==    by 0x9BDDAFF: zend_error (zend.c:817)
==13505==    by 0x9BE92DE: zend_fetch_var_address (zend_execute.c:594)
==13505==    by 0x9BEC923: execute (zend_execute.c:1267)
==13505==    by 0x9BEF011: execute (zend_execute.c:2210)
==13505==    by 0x9BDDC4D: zend_execute_scripts (zend.c:891)
==13505==    by 0x9BB1432: php_execute_script (main.c:1752)
==13505==    by 0x9BF87B8: php_handler (sapi_apache2.c:575)
==13505==    by 0x1D9E2: ap_run_handler (in /usr/sbin/httpd)
==13505==  Address 0xDE86331 is 1 bytes after a block of size 32 alloc'd
==13505==    at 0x4A18B4E: malloc (vg_replace_malloc.c:149)
==13505==    by 0x9BCC551: _emalloc (zend_alloc.c:164)
==13505==    by 0x9BCCC8E: _estrndup (zend_alloc.c:381)
==13505==    by 0x9BC7BDC: lex_scan (zend_language_scanner.c:4502)
==13505==    by 0x9BD2D82: zendlex (zend_compile.c:2466)
==13505==    by 0x9BC33A7: zendparse (zend_language_parser.c:2053)
==13505==    by 0x9BCABCD: compile_file (zend_language_scanner.c:3110)
==13505==    by 0x9BEEF4F: execute (zend_execute.c:2161)
==13505==    by 0x9BDDC4D: zend_execute_scripts (zend.c:891)
==13505==    by 0x9BB1432: php_execute_script (main.c:1752)
==13505==    by 0x9BF87B8: php_handler (sapi_apache2.c:575)
==13505==    by 0x1D9E2: ap_run_handler (in /usr/sbin/httpd)
```

The one crashing is like the 10th in the list:

```
Breakpoint 1, xbuf_format_converter (xbuf=0x7fbffece10, fmt=0x2a9a691e68 "%s(%s): %s", ap_orig=0x7fbffecf40) at /usr/src/debug/php-4.3.9/main/spprintf.c:236
#0  xbuf_format_converter (xbuf=0x7fbffece10, fmt=0x2a9a691e68 "%s(%s): %s", ap_orig=0x7fbffecf40) at /usr/src/debug/php-4.3.9/main/spprintf.c:236
#1  0x0000002a9a632dc6 in vspprintf (pbuf=0x7fbffeceb0, max_len=Variable "max_len" is not available.
) at /usr/src/debug/php-4.3.9/main/spprintf.c:645
#2  0x0000002a9a62eef9 in php_error_cb (type=2, error_filename=0x552b0383c8 "/var/www/html/kt/lib/cache/cache.inc.php", error_lineno=40, format=Variable "format" is not available.
) at /usr/src/debug/php-4.3.9/main/main.c:602
#3  0x0000002a9a65db00 in zend_error (type=2, format=0x2a9a691e68 "%s(%s): %s") at /usr/src/debug/php-4.3.9/Zend/zend.c:817
#4  0x0000002a9a62e830 in php_verror (docref=0x552bbb24f8 "function.mkdir", params=0x552aff5a68 "/var/www/html/kt/var/cache/apache/", type=2, format=Variable "format" is not available.
) at /usr/src/debug/php-4.3.9/main/main.c:509
#5  0x0000002a9a62ed90 in php_error_docref1 (docref=Variable "docref" is not available.
```

Patrick, Joe, any ideas?

This patch fixed in the -3.22 update, so this should be fixed now.
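
The attached patch is not reproduced in this report, so the following is an added illustration, not PHP's code and not the patch. It shows a layered error path like the php_verror, zend_error, php_error_cb, vspprintf chain in the backtrace, where the innermost formatter reads the arguments twice and takes a fresh `va_copy` for each pass. It assumes the misuse is reuse of an already-consumed `va_list`, which the report does not spell out; the function names and the "Permission denied" text are made up.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Innermost formatter (hypothetical name). It walks the arguments twice:
 * once to measure, once to write. A va_list handed to a v*printf call is
 * indeterminate afterwards, so each pass works on its own va_copy. */
static char *format_twice(const char *fmt, va_list ap_orig)
{
    va_list ap;
    char *buf;
    int len;

    va_copy(ap, ap_orig);                 /* pass 1: measure */
    len = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (len < 0 || (buf = malloc((size_t)len + 1)) == NULL)
        return NULL;
    va_copy(ap, ap_orig);                 /* pass 2: fresh copy, not the used one */
    vsnprintf(buf, (size_t)len + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Middle layer (hypothetical): receives a va_list and only forwards it. */
static char *error_cb(int type, const char *fmt, va_list args)
{
    return format_twice(fmt, args);
}

/* Variadic entry point (hypothetical). The caller frees the result. */
char *report_error(int type, const char *fmt, ...)
{
    va_list args;
    char *msg;

    va_start(args, fmt);
    msg = error_cb(type, fmt, args);
    va_end(args);
    return msg;
}

int main(void)
{
    /* Format string and path as in the backtrace; the reason text is constructed. */
    char *m = report_error(2, "%s(%s): %s", "mkdir",
                           "/var/www/html/kt/var/cache/apache/", "Permission denied");
    if (m) { puts(m); free(m); }
    return 0;
}
```

On x86_64 a `va_list` is an array type, so a callee that consumes it also advances the caller's view; reusing it without `va_copy` makes a later `%s` fetch an unrelated pointer, which is the kind of stray `strlen` read valgrind reports above.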