Bug 1576085 - Segmentation fault during zend module startup
Summary: Segmentation fault during zend module startup
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: php
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Remi Collet
QA Contact: RHEL Stacks Subsystem QE
Depends On:
Reported: 2018-05-08 18:55 UTC by David Mulford
Modified: 2021-01-14 09:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-11-11 21:41:28 UTC
Target Upstream Version:


Description David Mulford 2018-05-08 18:55:28 UTC
Description of problem:

A segmentation fault is occurring when performing OpenSSL module initialization during PHP startup. PHP is being run as an Apache httpd handler.

Here is the full backtrace:

#0  __strrchr_sse42 () at ../sysdeps/x86_64/multiarch/strrchr.S:138
#1  0x000055d1caa4985a in zend_register_constant (c=c@entry=0x7fff89a4f8a0) at /usr/src/debug/php-5.4.16/Zend/zend_constants.c:502
#2  0x000055d1caa49eea in zend_register_stringl_constant (name=name@entry=0x55d1cab1791f "OPENSSL_VERSION_TEXT", name_len=name_len@entry=21, 
    strval=strval@entry=0x55d1cab187b8 "OpenSSL 1.0.2k-fips  26 Jan 2017", strlen=<optimized out>, flags=flags@entry=3, module_number=module_number@entry=5)
    at /usr/src/debug/php-5.4.16/Zend/zend_constants.c:218
#3  0x000055d1caa49f4d in zend_register_string_constant (name=name@entry=0x55d1cab1791f "OPENSSL_VERSION_TEXT", name_len=name_len@entry=21, 
    strval=strval@entry=0x55d1cab187b8 "OpenSSL 1.0.2k-fips  26 Jan 2017", flags=flags@entry=3, module_number=module_number@entry=5)
    at /usr/src/debug/php-5.4.16/Zend/zend_constants.c:224
#4  0x000055d1ca8eab90 in zm_startup_openssl (type=<optimized out>, module_number=5) at /usr/src/debug/php-5.4.16/ext/openssl/openssl.c:1062
#5  0x000055d1caa5bac5 in zend_startup_module_ex (module=0x55d1caebb860) at /usr/src/debug/php-5.4.16/Zend/zend_API.c:1696
#6  0x000055d1caa67d65 in zend_hash_apply (ht=ht@entry=0x55d1cae634e0 <module_registry>, apply_func=apply_func@entry=0x55d1caa5b9b0 <zend_startup_module_ex>)
    at /usr/src/debug/php-5.4.16/Zend/zend_hash.c:716
#7  0x000055d1caa5f98a in zend_startup_modules () at /usr/src/debug/php-5.4.16/Zend/zend_API.c:1823
#8  0x000055d1ca9fa1fd in php_module_startup (sf=<optimized out>, additional_modules=additional_modules@entry=0x0, num_additional_modules=num_additional_modules@entry=0)
    at /usr/src/debug/php-5.4.16/main/main.c:2212
#9  0x000055d1cab0651d in php_cli_startup (sapi_module=<optimized out>) at /usr/src/debug/php-5.4.16/sapi/cli/php_cli.c:414
#10 0x000055d1ca8b3c1e in main (argc=4, argv=0x7fff89a50ef8) at /usr/src/debug/php-5.4.16/sapi/cli/php_cli.c:1344

In frame #1, the first argument to strrchr() is NULL:

(gdb) frame 1
#1  0x000055d1caa4985a in zend_register_constant (c=c@entry=0x7fff89a4f8a0) at /usr/src/debug/php-5.4.16/Zend/zend_constants.c:502
502			char *slash = strrchr(c->name, '\\');

(gdb) print c->name
$10 = 0x0

However, moving up one frame in the stack the first argument to zend_register_stringl_constant() contains a valid value.

(gdb) frame 2
#2  0x000055d1caa49eea in zend_register_stringl_constant (name=name@entry=0x55d1cab1791f "OPENSSL_VERSION_TEXT", name_len=name_len@entry=21, 
    strval=strval@entry=0x55d1cab187b8 "OpenSSL 1.0.2k-fips  26 Jan 2017", strlen=<optimized out>, flags=flags@entry=3, module_number=module_number@entry=5)
    at /usr/src/debug/php-5.4.16/Zend/zend_constants.c:218
218		zend_register_constant(&c TSRMLS_CC);

(gdb) print name
$13 = 0x55d1cab1791f "OPENSSL_VERSION_TEXT"

The name variable is copied via zend_strndup() which simply uses malloc() and memcpy() to duplicate the string. But the function also doesn't check errno when malloc() returns NULL. Here is the complete zend_strndup() function:

ZEND_API char *zend_strndup(const char *s, uint length)
{
  char *p;

  p = (char *) malloc(length+1);
  if (UNEXPECTED(p == NULL)) {
    /* allocation failed: the NULL is handed straight back to the caller */
    return p;
  }
  if (length) {
    memcpy(p, s, length);
  }
  p[length] = 0;
  return p;
}
I think the UNEXPECTED(p == NULL) is returning true, otherwise later in the function p[length] would crash -- assuming malloc() did indeed return NULL.

Version-Release number of selected component (if applicable):
- RHEL 7.5
- php-5.4.16-45.el7.x86_64
- httpd-2.4.6-80.el7.x86_64

Actual results:

Segmentation fault

Expected results:

PHP initializes and runs correctly.

Additional info:

Working on a reproducer environment, but we do know that Mediawiki is involved.
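As an added illustration (not PHP's code and not part of the report), a hypothetical C model of the call path described above: a zend_strndup-style duplicate that returns NULL when allocation fails, and a hardened counterpart of zend_register_constant() that rejects a NULL name before it reaches strrchr() rather than crashing. The model_ names and the model_fail_alloc hook are assumptions standing in for an out-of-memory condition.

```c
#include <stdlib.h>
#include <string.h>
#define MODEL_SUCCESS 0
#define MODEL_FAILURE (-1)

/* Hypothetical model constant: the name the crash path touches, plus the
 * part after the last namespace separator that zend_constants.c:502 derives. */
typedef struct { char *name; const char *short_name; } model_constant;

/* Test hook standing in for out-of-memory: when set, the allocator returns
 * NULL, which is what the report assumes malloc() did. */
int model_fail_alloc = 0;

static void *model_malloc(size_t n) { return model_fail_alloc ? NULL : malloc(n); }

/* Same shape as zend_strndup() in the report: NULL on allocation failure. */
char *model_strndup(const char *s, unsigned int length) {
    char *p = (char *) model_malloc(length + 1);
    if (p == NULL) {
        return p;
    }
    if (length) {
        memcpy(p, s, length);
    }
    p[length] = 0;
    return p;
}

/* Hardened counterpart of zend_register_constant(): reject a NULL name
 * before it reaches strrchr(), the crash site in frame #1 of the backtrace. */
int model_register_constant(model_constant *c) {
    if (c->name == NULL) {
        return MODEL_FAILURE;
    }
    const char *slash = strrchr(c->name, '\\');
    c->short_name = slash ? slash + 1 : c->name;
    return MODEL_SUCCESS;
}

/* Counterpart of zend_register_stringl_constant(): propagate the duplicate's
 * failure so a failed malloc() surfaces as an error, not a segfault. */
int model_register_string_constant(const char *name, unsigned int name_len) {
    model_constant c;
    c.name = model_strndup(name, name_len);
    int rc = model_register_constant(&c);
    free(c.name);
    return rc;
}
```

With model_fail_alloc set, registering "OPENSSL_VERSION_TEXT" returns MODEL_FAILURE instead of dereferencing NULL; with it clear, registration succeeds and a namespaced name such as "Foo\\Bar" yields the short name "Bar".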

Comment 5 Chris Williams 2020-11-11 21:41:28 UTC
Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. 7.9 was the last minor release scheduled for RHEL 7.
From initial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed.

From the RHEL life cycle page:
"During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."

If this BZ was closed in error and meets the above criteria, please re-open it, flag it for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes:

Feature Requests can be re-opened and moved to RHEL 8 if the desired functionality is not already present in the product.

Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns.

[0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7
