Bug 199947

Summary: wrong varargs use in php causes crash with KT application
Product: Red Hat Enterprise Linux 4
Reporter: Bastien Nocera <bnocera>
Component: php
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 4.0
CC: rkhadgar
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-11-30 16:15:12 UTC
Bug Depends On: 199938
Attachments:
php-wrong-varargs.patch (flags: none)

Description Bastien Nocera 2006-07-24 15:19:39 UTC
php-4.3.9-3.15

1. Download the KnowledgeTree source, version 3.0.3b, from their website, ktdms.com.
( http://prdownloads.sourceforge.net/kt-dms/knowledgeTree-3.0.3b.tgz?download )
2. Uncompress it and move it to /var/www/html/kt.
3. From the KT root directory, run the following commands to set up mysql:
cd /var/www/html/kt/sql/mysql/install/
sh rebuild.sh
4. Go to http://localhost/setup/; this runs a simple php script to check and
make sure the prereqs are there. This works fine for me, as does the postinstall
script linked from here.
5. Go to the webroot http://localhost/kt/
6. See httpd crashing.

GNU gdb Red Hat Linux (6.3.0.0-1.96rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db
library "/lib64/tls/libthread_db.so.1".

(gdb) run -X
Starting program: /usr/sbin/httpd -X
[Thread debugging using libthread_db enabled]
[New Thread 182925685056 (LWP 27214)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 182925685056 (LWP 27214)]
0x0000002a96666f20 in strlen () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x0000002a96666f20 in strlen () from /lib64/tls/libc.so.6
#1  0x0000002a9a067721 in vspprintf (pbuf=0x7fbfff2c50, max_len=) at
/usr/src/debug/php-4.3.9/main/spprintf.c:438
#2  0x0000002a9a063ef9 in php_error_cb (type=2, 
    error_filename=0x552bd1d768
"/var/www/html/kt/lib/documentmanagement/PhysicalDocumentManager.inc", 
    error_lineno=31, format=) at /usr/src/debug/php-4.3.9/main/main.c:602
#3  0x0000002a9a092b20 in zend_error (type=2, format=0x2a9a0c6e90 "%s(%s): %s")
    at /usr/src/debug/php-4.3.9/Zend/zend.c:817
#4  0x0000002a9a063830 in php_verror (docref=0x552bd1db38 "function.dl",
params=0x2a9a0ba14d "", type=2, format=)
    at /usr/src/debug/php-4.3.9/main/main.c:509
#5  0x0000002a9a063c0f in php_error_docref0 (docref=) at
/usr/src/debug/php-4.3.9/main/main.c:554
#6  0x0000002a9a014151 in php_dl (file=0x552bd1d8b8, type=2,
return_value=0x552bd1db88)
    at /usr/src/debug/php-4.3.9/ext/standard/dl.c:143
#7  0x0000002a9a014302 in zif_dl (ht=) at
/usr/src/debug/php-4.3.9/ext/standard/dl.c:84
#8  0x0000002a9a0a6245 in execute (op_array=0x552bd1d808) at
/usr/src/debug/php-4.3.9/Zend/zend_execute.c:1640
#9  0x0000002a9a0a4032 in execute (op_array=0x552bcd9438) at
/usr/src/debug/php-4.3.9/Zend/zend_execute.c:2210
#10 0x0000002a9a0a4032 in execute (op_array=0x552bcadfd8) at
/usr/src/debug/php-4.3.9/Zend/zend_execute.c:2210
#11 0x0000002a9a0a4032 in execute (op_array=0x552b9b1cc8) at
/usr/src/debug/php-4.3.9/Zend/zend_execute.c:2210
#12 0x0000002a9a0a3376 in execute (op_array=0x552b9a9238) at
/usr/src/debug/php-4.3.9/Zend/zend_execute.c:1684
#13 0x0000002a9a0a3376 in execute (op_array=0x552adbb318) at
/usr/src/debug/php-4.3.9/Zend/zend_execute.c:1684
#14 0x0000002a9a0a4032 in execute (op_array=0x552adbaf08) at
/usr/src/debug/php-4.3.9/Zend/zend_execute.c:2210
#15 0x0000002a9a092c6e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/debug/php-4.3.9/Zend/zend.c:891
#16 0x0000002a9a066433 in php_execute_script (primary_file=0x7fbffff400) at
/usr/src/debug/php-4.3.9/main/main.c:1752
#17 0x0000002a9a0ad7d9 in php_handler (r=0x552adaf5c8)
    at /usr/src/debug/php-4.3.9/sapi/apache2handler/sapi_apache2.c:575
#18 0x000000552aac79e3 in ap_run_handler (r=0x552adaf5c8) at
/usr/src/debug/httpd-2.0.52/server/config.c:156
#19 0x000000552aac7ea1 in ap_invoke_handler (r=0x552adaf5c8) at
/usr/src/debug/httpd-2.0.52/server/config.c:368
#20 0x000000552aac4ca8 in ap_process_request (r=0x552adaf5c8)
    at /usr/src/debug/httpd-2.0.52/modules/http/http_request.c:246
#21 0x000000552aac0089 in ap_process_http_connection (c=0x552ada9318)
    at /usr/src/debug/httpd-2.0.52/modules/http/http_core.c:250
#22 0x000000552aad1683 in ap_run_process_connection (c=0x552ada9318)
    at /usr/src/debug/httpd-2.0.52/server/connection.c:42
#23 0x000000552aac5b10 in child_main (child_num_arg=) at
/usr/src/debug/httpd-2.0.52/server/mpm/prefork/prefork.c:609
#24 0x000000552aac5dad in make_child (s=0x552ac03620, slot=0)
    at /usr/src/debug/httpd-2.0.52/server/mpm/prefork/prefork.c:649
#25 0x000000552aac5e94 in startup_children (number_to_start=8)
    at /usr/src/debug/httpd-2.0.52/server/mpm/prefork/prefork.c:721
#26 0x000000552aac65cb in ap_mpm_run (_pconf=0x552abfe138, plog=)
    at /usr/src/debug/httpd-2.0.52/server/mpm/prefork/prefork.c:940
#27 0x000000552aacccdf in main (argc=2, argv=0x7fbffff9c8) at
/usr/src/debug/httpd-2.0.52/server/main.c:618

Patch attached.

Comment 1 Bastien Nocera 2006-07-24 15:19:40 UTC
Created attachment 132922
php-wrong-varargs.patch

Comment 8 RHEL Program Management 2006-08-18 14:59:23 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 11 ritz 2006-08-31 21:56:25 UTC
Took the php packages from Fedora Core 3. I removed the php packages I had
installed and installed the 4.3.11-2.8.x86_64 version of php, php-pear,
php-ldap and php-mysql. This worked: the app now works fine and nothing else
seems to have broken in the process.

This tells me that the problem is definitely somewhere in one of those 4 php
packages that come with RHEL4. I would still like a solution to this,
because the php packages that I now have installed come with no security
updates. PHP has its share of security issues and so I would like to get
ones I am sure are being updated; that is, after all, the entire point of
using RHEL rather than Fedora.

Comment 14 Bastien Nocera 2006-09-20 16:37:10 UTC
The patch attached (although correct) isn't enough to fix the problem. Something
is fishy in the use of varargs.

Finally managed to get a decent valgrind trace:

==13505== Invalid read of size 1
==13505==    at 0x4A1A932: strlen (mc_replace_strmem.c:245)
==13505==    by 0x9BB2919: xbuf_format_converter (spprintf.c:442)
==13505==    by 0x9BB2DC5: vspprintf (spprintf.c:645)
==13505==    by 0x9BAEEF8: php_error_cb (main.c:602)
==13505==    by 0x9BDDAFF: zend_error (zend.c:817)
==13505==    by 0x9BE92DE: zend_fetch_var_address (zend_execute.c:594)
==13505==    by 0x9BEC923: execute (zend_execute.c:1267)
==13505==    by 0x9BEF011: execute (zend_execute.c:2210)
==13505==    by 0x9BDDC4D: zend_execute_scripts (zend.c:891)
==13505==    by 0x9BB1432: php_execute_script (main.c:1752)
==13505==    by 0x9BF87B8: php_handler (sapi_apache2.c:575)
==13505==    by 0x1D9E2: ap_run_handler (in /usr/sbin/httpd)
==13505==  Address 0xDE86330 is 0 bytes after a block of size 32 alloc'd
==13505==    at 0x4A18B4E: malloc (vg_replace_malloc.c:149)
==13505==    by 0x9BCC551: _emalloc (zend_alloc.c:164)
==13505==    by 0x9BCCC8E: _estrndup (zend_alloc.c:381)
==13505==    by 0x9BC7BDC: lex_scan (zend_language_scanner.c:4502)
==13505==    by 0x9BD2D82: zendlex (zend_compile.c:2466)
==13505==    by 0x9BC33A7: zendparse (zend_language_parser.c:2053)
==13505==    by 0x9BCABCD: compile_file (zend_language_scanner.c:3110)
==13505==    by 0x9BEEF4F: execute (zend_execute.c:2161)
==13505==    by 0x9BDDC4D: zend_execute_scripts (zend.c:891)
==13505==    by 0x9BB1432: php_execute_script (main.c:1752)
==13505==    by 0x9BF87B8: php_handler (sapi_apache2.c:575)
==13505==    by 0x1D9E2: ap_run_handler (in /usr/sbin/httpd)
==13505==
==13505== Invalid read of size 1
==13505==    at 0x4A1A943: strlen (mc_replace_strmem.c:245)
==13505==    by 0x9BB2919: xbuf_format_converter (spprintf.c:442)
==13505==    by 0x9BB2DC5: vspprintf (spprintf.c:645)
==13505==    by 0x9BAEEF8: php_error_cb (main.c:602)
==13505==    by 0x9BDDAFF: zend_error (zend.c:817)
==13505==    by 0x9BE92DE: zend_fetch_var_address (zend_execute.c:594)
==13505==    by 0x9BEC923: execute (zend_execute.c:1267)
==13505==    by 0x9BEF011: execute (zend_execute.c:2210)
==13505==    by 0x9BDDC4D: zend_execute_scripts (zend.c:891)
==13505==    by 0x9BB1432: php_execute_script (main.c:1752)
==13505==    by 0x9BF87B8: php_handler (sapi_apache2.c:575)
==13505==    by 0x1D9E2: ap_run_handler (in /usr/sbin/httpd)
==13505==  Address 0xDE86331 is 1 bytes after a block of size 32 alloc'd
==13505==    at 0x4A18B4E: malloc (vg_replace_malloc.c:149)
==13505==    by 0x9BCC551: _emalloc (zend_alloc.c:164)
==13505==    by 0x9BCCC8E: _estrndup (zend_alloc.c:381)
==13505==    by 0x9BC7BDC: lex_scan (zend_language_scanner.c:4502)
==13505==    by 0x9BD2D82: zendlex (zend_compile.c:2466)
==13505==    by 0x9BC33A7: zendparse (zend_language_parser.c:2053)
==13505==    by 0x9BCABCD: compile_file (zend_language_scanner.c:3110)
==13505==    by 0x9BEEF4F: execute (zend_execute.c:2161)
==13505==    by 0x9BDDC4D: zend_execute_scripts (zend.c:891)
==13505==    by 0x9BB1432: php_execute_script (main.c:1752)
==13505==    by 0x9BF87B8: php_handler (sapi_apache2.c:575)
==13505==    by 0x1D9E2: ap_run_handler (in /usr/sbin/httpd)

The one crashing is like the 10th in the list:
Breakpoint 1, xbuf_format_converter (xbuf=0x7fbffece10,
    fmt=0x2a9a691e68 "%s(%s): %s", ap_orig=0x7fbffecf40)
    at /usr/src/debug/php-4.3.9/main/spprintf.c:236

#0  xbuf_format_converter (xbuf=0x7fbffece10, fmt=0x2a9a691e68 "%s(%s): %s",
    ap_orig=0x7fbffecf40) at /usr/src/debug/php-4.3.9/main/spprintf.c:236
#1  0x0000002a9a632dc6 in vspprintf (pbuf=0x7fbffeceb0, max_len=Variable
"max_len" is not available.
)
    at /usr/src/debug/php-4.3.9/main/spprintf.c:645
#2  0x0000002a9a62eef9 in php_error_cb (type=2,
    error_filename=0x552b0383c8 "/var/www/html/kt/lib/cache/cache.inc.php",
    error_lineno=40, format=Variable "format" is not available.
) at /usr/src/debug/php-4.3.9/main/main.c:602
#3  0x0000002a9a65db00 in zend_error (type=2, format=0x2a9a691e68 "%s(%s): %s")
    at /usr/src/debug/php-4.3.9/Zend/zend.c:817
#4  0x0000002a9a62e830 in php_verror (docref=0x552bbb24f8 "function.mkdir",
    params=0x552aff5a68 "/var/www/html/kt/var/cache/apache/", type=2,
format=Variable "format" is not available.
)
    at /usr/src/debug/php-4.3.9/main/main.c:509
#5  0x0000002a9a62ed90 in php_error_docref1 (docref=Variable "docref" is not
available.
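Added example, not code from PHP, from the attached patch, or from anyone in this thread: the class of bug the summary names, a single va_list handed to two consumers, shown beside the va_copy() form that fixes it. The report does not say which PHP call site is at fault, so the two-consumer structure (format once for a script-level handler, then again for the default callback), the handler names, and the sample mkdir message are assumptions. What the traces do show is where a stale va_list turns into a fault: a "%s" conversion inside vspprintf handing strlen() a pointer that was never one of the real arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Hypothetical stand-in for a script-level error handler: returns non-zero
 * when it has dealt with the error, zero to fall through to the default
 * callback (the way a PHP error handler returning false does). */
typedef int (*user_handler_fn)(const char *message);

int decline_handler(const char *message) { (void)message; return 0; }
int accept_handler(const char *message)  { (void)message; return 1; }

/* Default callback: formats the message into `out`. Models the
 * php_error_cb -> vspprintf step at the bottom of the traces above. */
static int default_error_cb(char *out, size_t outlen, const char *format, va_list args)
{
    return vsnprintf(out, outlen, format, args);
}

/* BROKEN: one va_list, two consumers. Once the first vsnprintf() has walked
 * `args`, passing it to the default callback is undefined behaviour. On
 * x86_64 the callee advances the caller's va_list state, so the second pass
 * reads whatever lies beyond the real arguments; a "%s" conversion then
 * feeds that stale value to strlen(). Kept only for comparison; never called. */
int report_error_bad(user_handler_fn handler, char *out, size_t outlen,
                     const char *format, ...)
{
    char user_msg[MSG_MAX];
    int n = 0;
    va_list args;

    va_start(args, format);
    vsnprintf(user_msg, sizeof user_msg, format, args);   /* consumes args */
    if (!handler(user_msg))
        n = default_error_cb(out, outlen, format, args);  /* reuses args: UB */
    va_end(args);
    return n;
}

/* FIXED: va_copy() gives each consumer its own iterator over the arguments,
 * and every copy gets its own va_end(). */
int report_error_good(user_handler_fn handler, char *out, size_t outlen,
                      const char *format, ...)
{
    char user_msg[MSG_MAX];
    int n = 0;
    va_list args, args_copy;

    va_start(args, format);
    va_copy(args_copy, args);
    vsnprintf(user_msg, sizeof user_msg, format, args_copy);
    va_end(args_copy);
    if (!handler(user_msg))
        n = default_error_cb(out, outlen, format, args);  /* args untouched so far */
    va_end(args);
    return n;
}

int main(void)
{
    char buf[MSG_MAX] = "";
    /* Constructed sample shaped like the php_verror frame in the trace;
     * the "Permission denied" text is invented for illustration. */
    int n = report_error_good(decline_handler, buf, sizeof buf, "%s(%s): %s",
                              "mkdir", "/var/www/html/kt/var/cache/apache/",
                              "Permission denied");
    printf("%d bytes: %s\n", n, buf);
    return 0;
}
```

Build with any C99 compiler; the binary prints the message produced by the safe path. The signature to look for when triaging a crash of this class is the one in the traces above: a fault inside strlen() directly under vspprintf/vsnprintf, called from an error-reporting function whose format has several %s conversions but whose caller's arguments were already consumed once.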
Comment 15 Bastien Nocera 2006-09-20 16:48:02 UTC
Patrick, Joe, any ideas?

Comment 26 Joe Orton 2006-11-30 16:15:12 UTC
This patch fixed in the -3.22 update, so this should be fixed now.