Bug 1398474 - PHP PCRE JIT (enabled by default) causes httpd to execmem (so a flood of AVCs)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: php
Version: 25
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Remi Collet
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: https://fedoraproject.org/wiki/Common...
Depends On:
Blocks:
Reported: 2016-11-25 00:14 UTC by Adam Williamson
Modified: 2017-11-15 10:30 UTC

Fixed In Version: php-7.0.13-2.fc25
Last Closed: 2016-12-04 02:24:38 UTC
Type: Bug


Description Adam Williamson 2016-11-25 00:14:29 UTC
I just upgraded my web server to Fedora 25. Soon as HTTP and php-fpm-server start up, floods of AVCs start appearing in the system log:

Nov 24 15:45:30 www.happyassassin.net audit[6584]: AVC avc:  denied  { execmem } for  pid=6584 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

There are hundreds of them. Using the technique found at https://unix.stackexchange.com/questions/287831/how-to-work-out-why-apache-is-attempting-execmem , I got the same result multiple people got there: it's caused by the PHP PCRE JIT feature, which is enabled by default, in 7.0.

If I edit /etc/php.ini and change this line:

;pcre.jit=1

to:

pcre.jit=0

the problem goes away. If we can't fix this not to use execmem, we should flip the default for that setting.

Note that even though the docs claim it can be set anywhere, if I create a /etc/php.d/99-happyassassin.ini with this content:

[Pcre]
pcre.jit=0

it doesn't seem to work, execmems still occur. Not sure what's going on with that.
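
To size a flood like the one described above, the denials can be grouped by process name and SELinux domain. This is an added example, not part of the original report; the sample lines are constructed in the format of the AVC quoted above, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: four execmem denials, one unrelated denial, one non-audit line.
SAMPLE_LOG = """\
Nov 24 15:45:30 www.example.test audit[6584]: AVC avc:  denied  { execmem } for  pid=6584 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Nov 24 15:45:30 www.example.test audit[6585]: AVC avc:  denied  { execmem } for  pid=6585 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Nov 24 15:45:31 www.example.test audit[6584]: AVC avc:  denied  { execmem } for  pid=6584 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Nov 24 15:45:31 www.example.test audit[7001]: AVC avc:  denied  { execmem } for  pid=7001 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Nov 24 15:45:32 www.example.test audit[6584]: AVC avc:  denied  { read } for  pid=6584 comm="httpd" name="notes.txt" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Nov 24 15:45:33 www.example.test systemd[1]: Started The Apache HTTP Server.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def execmem_summary(text):
    """Count process execmem denials per (comm, source domain)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or "execmem" not in rec["perms"]:
            continue
        if rec.get("tclass") != "process" or "scontext" not in rec:
            continue
        domain = rec["scontext"].split(":")[2]  # user:role:type:level
        counts[(rec.get("comm", "?"), domain)] += 1
    return counts


if __name__ == "__main__":
    for (comm, domain), n in execmem_summary(SAMPLE_LOG).most_common():
        print(f"{n:5d}  comm={comm}  domain={domain}")
```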

Comment 1 Remi Collet 2016-11-25 05:36:51 UTC
I cannot reproduce the ini file issue... strange, works for me (try without the section name, which is unneeded)

Indeed, I can reproduce the AVC and indeed switching pcre.jit=0 fixes it

I will update the provided configuration in the next build (7.0.14 planned for Dec 8th)

Comment 3 Adam Williamson 2016-11-25 06:14:46 UTC
Thanks for that. The only thing that worries me is that many people will have modified php.ini locally and so will not get the change. Could we flip the default in the code so that you have to have an explicit '=1' in config somewhere to get it?

Comment 4 Remi Collet 2016-11-25 06:32:31 UTC
Indeed, I usually never alter provided configuration in stable branch.

BTW:
- F25 is just released
- this AVC is not critical (it still works)
- I want to avoid non-upstream patch as much as possible

My plan is to talk with upstream about this default value.

Comment 5 Adam Williamson 2016-11-25 06:35:07 UTC
These days people are probably more likely to use php.d files (still can't figure out why I can't turn this off with one, though - yes, I've tried without a module name...), but it was pretty common practice for a long time to edit php.ini directly...

The AVC isn't critical indeed, but it absolutely spams the system logs, as it occurs dozens or hundreds of times a minute (for me at least) and winds up in both the journal and audit.log.

Ideal fix would, I guess, be to make the JIT thing work without needing execmem in the first place. No idea how possible/hard that is.

Comment 6 Fedora Update System 2016-11-25 07:31:16 UTC
php-7.0.13-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b03e84b3e5

Comment 7 Remi Collet 2016-11-25 07:54:32 UTC
Notice: bug #1290432

Comment 8 Fedora Update System 2016-11-27 22:58:43 UTC
php-7.0.13-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b03e84b3e5

Comment 9 Adam Williamson 2016-11-28 21:24:34 UTC
Also see pcre upstream bug: https://bugs.exim.org/show_bug.cgi?id=1749

Comment 10 Fedora Update System 2016-12-04 02:24:38 UTC
php-7.0.13-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 gaxweb 2017-11-15 08:34:06 UTC
Error still keeps coming up on Fedora 26 and PHP 7.1.11.

Comment 12 Remi Collet 2017-11-15 08:51:35 UTC
@gaxweb, check your pcre.jit configuration
(should be 0 from default provided configuration file)

Comment 13 gaxweb 2017-11-15 10:27:26 UTC
(In reply to Remi Collet from comment #12)
> @gaxweb, check your pcre.jit configuration
> (should be 0 from default provided configuration file)

I'm aware of that workaround. It's not a solution though, and the bot has closed the bug, which is why I replied. I'm also aware that it's being worked on elsewhere.

Comment 14 Remi Collet 2017-11-15 10:30:26 UTC
Default php.ini uses pcre.jit=0

If you have altered your configuration, RPM cannot do anything else (one of the reasons changing php.ini is a terribly bad idea, and the worst way to change php configuration)
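
A static check of what the configuration files say pcre.jit should be, useful on hosts where a locally modified php.ini kept the old commented-out line. This is an added example, not code from the thread or from PHP; it assumes /etc/php.ini is read first, then the /etc/php.d files in alphabetical order with later assignments winning, and it takes the built-in default of 1 from the report's statement that the JIT is enabled by default. File contents are constructed.

```python
import glob
import os
import re

# Matches an active "pcre.jit = value" line; a leading ';' makes it a comment.
ASSIGN_RE = re.compile(r"^\s*pcre\.jit\s*=\s*([^;]*)")
OFF_VALUES = {"0", "off", "false", "no", "none", ""}


def effective_pcre_jit(files, builtin_default="1"):
    """files: (path, text) pairs in load order. Returns (value, source)."""
    value, source = builtin_default, "built-in default"
    for path, text in files:
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ASSIGN_RE.match(line)
            if m:  # section headers such as [Pcre] are simply skipped
                value = m.group(1).strip().strip('"')
                source = f"{path}:{lineno}"
    return value, source


def jit_enabled(value):
    return value.lower() not in OFF_VALUES


def load_files(main_ini="/etc/php.ini", scan_dir="/etc/php.d"):
    """Read the main file, then the drop-ins in alphabetical order."""
    paths = [main_ini] + sorted(glob.glob(os.path.join(scan_dir, "*.ini")))
    out = []
    for p in paths:
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                out.append((p, fh.read()))
    return out


# Constructed file contents modelled on the snippets quoted in the thread.
OLD_PHP_INI = "[Pcre]\n;pcre.jit=1\n"   # commented out: built-in default applies
FIXED_PHP_INI = "[Pcre]\npcre.jit=0\n"  # the packaged default after the update
DROP_IN = "[Pcre]\npcre.jit=0\n"        # a local /etc/php.d override

if __name__ == "__main__":
    value, source = effective_pcre_jit(load_files())
    print(f"pcre.jit={value} ({source}), JIT enabled: {jit_enabled(value)}")
```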

