Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If Runkit only run in CLI mode ? #100

Open
kran opened this issue Mar 24, 2016 · 10 comments
Open

If Runkit only run in CLI mode ? #100

kran opened this issue Mar 24, 2016 · 10 comments

Comments

@kran
Copy link

kran commented Mar 24, 2016

I just tested it with php-5.6
./bin/php path/to/test.php works as expected,
but with php-fpm , it kills fpm process:

[24-Mar-2016 18:15:46] WARNING: [pool www] child 23016 exited on signal 11 (SIGSEGV) after 185.581668 seconds from start

What can I do now ?
@kran
Copy link
Author

kran commented Mar 24, 2016

I notice the document says:

Sandboxing is ONLY AVAILABLE in PHP 5.1

so sad..

@kran
Copy link
Author

kran commented Mar 24, 2016

But .. but this page show it at least supports 5.4.9 :http://news.php.net/php.bugs/196299
I find that new Runkit_Sandbox([]) cause the segment fault.
I am trying to get a coredump file .

@kran
Copy link
Author

kran commented Mar 24, 2016

1804 line in runkit_sandbox.c
php_request_shutdown crash the fcgi process?
fcgi_finish_request(req,force_close)
req param is 0x0

backtrace:

#0  fcgi_finish_request (req=0x0, force_close=force_close@entry=0) at /usr/local/src/php-5.5.33/sapi/fpm/fpm/fastcgi.c:1073
#1  0x00000000007c9bfe in sapi_cgi_deactivate (tsrm_ls=<optimized out>) at /usr/local/src/php-5.5.33/sapi/fpm/fpm/fpm_main.c:851
#2  0x0000000000696865 in sapi_deactivate (tsrm_ls=tsrm_ls@entry=0x271b5f0) at /usr/local/src/php-5.5.33/main/SAPI.c:536
#3  0x000000000068d06a in php_request_shutdown (dummy=dummy@entry=0x271b5f0) at /usr/local/src/php-5.5.33/main/main.c:1822
#4  0x00007f44b6fd1863 in php_runkit_sandbox_dtor (objval=0x7f44bfaa23b8, tsrm_ls=<optimized out>) at /usr/local/src/runkit/runkit_sandbox.c:1804
#5  0x0000000000726dc8 in zend_objects_store_del_ref_by_handle_ex (handle=1, handlers=<optimized out>, tsrm_ls=tsrm_ls@entry=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend_objects_API.c:226
#6  0x0000000000726e1e in zend_objects_store_del_ref (zobject=0x7f44bfaa21e8, tsrm_ls=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend_objects_API.c:178
#7  0x00000000006e96d0 in _zval_dtor (zvalue=0x7f44bfaa21e8) at /usr/local/src/php-5.5.33/Zend/zend_variables.h:35
#8  i_zval_ptr_dtor (zval_ptr=0x7f44bfaa21e8) at /usr/local/src/php-5.5.33/Zend/zend_execute.h:81
#9  _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/local/src/php-5.5.33/Zend/zend_execute_API.c:423
#10 0x0000000000708355 in zend_hash_apply_deleter (ht=ht@entry=0x24fe8d8, p=p@entry=0x7f44bfaa2468) at /usr/local/src/php-5.5.33/Zend/zend_hash.c:650
#11 0x0000000000709f5b in zend_hash_reverse_apply (ht=0x24fe8d8, apply_func=apply_func@entry=0x6e9650 <zval_call_destructor>, tsrm_ls=tsrm_ls@entry=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend_hash.c:804
#12 0x00000000006e9c8e in shutdown_destructors (tsrm_ls=tsrm_ls@entry=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend_execute_API.c:214
#13 0x00000000006fadf7 in zend_call_destructors (tsrm_ls=tsrm_ls@entry=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend.c:930
#14 0x000000000068cfe2 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/local/src/php-5.5.33/main/main.c:1754
#15 0x0000000000424685 in main (argc=<optimized out>, argv=<optimized out>) at /usr/local/src/php-5.5.33/sapi/fpm/fpm/fpm_main.c:1981

@zenovich
Copy link
Owner

Try to change the expression 'req->fd >= 0' into 'req && req->fd >= 0' here
https://github.com/php/php-src/blob/PHP-5.5.33/sapi/fpm/fpm/fastcgi.c#L1073
or here https://github.com/php/php-src/blob/PHP-5.6.20/sapi/fpm/fpm/fastcgi.c#L1073

@kran
Copy link
Author

kran commented Mar 25, 2016

@zenovich Thanks, It works fine now .
Is this the debug step or the final solution ?

@zenovich
Copy link
Owner

I hope it is a final solution. I suggest reporting this bug to php-fpm's authors.

@alexanderilyin
Copy link

@anight @tony2001 maybe you're interested in this.

@ghost
Copy link

ghost commented May 15, 2019
edited by ghost
Loading

Try to change the expression 'req->fd >= 0' into 'req && req->fd >= 0' here
https://github.com/php/php-src/blob/PHP-5.5.33/sapi/fpm/fpm/fastcgi.c#L1073
or here https://github.com/php/php-src/blob/PHP-5.6.20/sapi/fpm/fpm/fastcgi.c#L1073

@zenovich
I found this bug in a few different SAPIs, using php binaries with WinAPI (procedure calls) is also causing this.
For example: php4delphi (if you wish to test, you can find my fork, which is 5.6-compatible)

@ghost
Copy link

ghost commented May 15, 2019

I notice the document says:

Sandboxing is ONLY AVAILABLE in PHP 5.1

so sad..

With php 5.3 and 5.4 it works pretty well, maybe sandboxing is for all php 5 versions?
The official php internals documentation says, that the hashtables security (including functions table) and sub-processing is changed only in PHPNG (which means 6.0, never released version, so => php 7.0 & up)

@CatAnonymous
Copy link

Easy Bypass (Hacked)

  • Run Runkit_Sandbox() class on $runkit->eval('…new Runkit_Sandbox;…')

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zenovich @alexanderilyin @kran @CatAnonymous