runkit
Does Runkit only run in CLI mode?
I just tested it with php-5.6
./bin/php path/to/test.php
works as expected,
but with php-fpm, it kills the fpm process:
[24-Mar-2016 18:15:46] WARNING: [pool www] child 23016 exited on signal 11 (SIGSEGV) after 185.581668 seconds from start
What can I do now?
I notice the document says:
Sandboxing is ONLY AVAILABLE in PHP 5.1
so sad..
But... but this page shows it at least supports 5.4.9: http://news.php.net/php.bugs/196299
I find that new Runkit_Sandbox([]) causes the segmentation fault.
I am trying to get a coredump file.
Line 1804 in runkit_sandbox.c: php_request_shutdown crashes the fcgi process? In fcgi_finish_request(req, force_close), the req param is 0x0.
backtrace:
#0 fcgi_finish_request (req=0x0, force_close=force_close@entry=0) at /usr/local/src/php-5.5.33/sapi/fpm/fpm/fastcgi.c:1073
#1 0x00000000007c9bfe in sapi_cgi_deactivate (tsrm_ls=<optimized out>) at /usr/local/src/php-5.5.33/sapi/fpm/fpm/fpm_main.c:851
#2 0x0000000000696865 in sapi_deactivate (tsrm_ls=tsrm_ls@entry=0x271b5f0) at /usr/local/src/php-5.5.33/main/SAPI.c:536
#3 0x000000000068d06a in php_request_shutdown (dummy=dummy@entry=0x271b5f0) at /usr/local/src/php-5.5.33/main/main.c:1822
#4 0x00007f44b6fd1863 in php_runkit_sandbox_dtor (objval=0x7f44bfaa23b8, tsrm_ls=<optimized out>) at /usr/local/src/runkit/runkit_sandbox.c:1804
#5 0x0000000000726dc8 in zend_objects_store_del_ref_by_handle_ex (handle=1, handlers=<optimized out>, tsrm_ls=tsrm_ls@entry=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend_objects_API.c:226
#6 0x0000000000726e1e in zend_objects_store_del_ref (zobject=0x7f44bfaa21e8, tsrm_ls=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend_objects_API.c:178
#7 0x00000000006e96d0 in _zval_dtor (zvalue=0x7f44bfaa21e8) at /usr/local/src/php-5.5.33/Zend/zend_variables.h:35
#8 i_zval_ptr_dtor (zval_ptr=0x7f44bfaa21e8) at /usr/local/src/php-5.5.33/Zend/zend_execute.h:81
#9 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/local/src/php-5.5.33/Zend/zend_execute_API.c:423
#10 0x0000000000708355 in zend_hash_apply_deleter (ht=ht@entry=0x24fe8d8, p=p@entry=0x7f44bfaa2468) at /usr/local/src/php-5.5.33/Zend/zend_hash.c:650
#11 0x0000000000709f5b in zend_hash_reverse_apply (ht=0x24fe8d8, apply_func=apply_func@entry=0x6e9650 <zval_call_destructor>, tsrm_ls=tsrm_ls@entry=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend_hash.c:804
#12 0x00000000006e9c8e in shutdown_destructors (tsrm_ls=tsrm_ls@entry=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend_execute_API.c:214
#13 0x00000000006fadf7 in zend_call_destructors (tsrm_ls=tsrm_ls@entry=0x24fb090) at /usr/local/src/php-5.5.33/Zend/zend.c:930
#14 0x000000000068cfe2 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/local/src/php-5.5.33/main/main.c:1754
#15 0x0000000000424685 in main (argc=<optimized out>, argv=<optimized out>) at /usr/local/src/php-5.5.33/sapi/fpm/fpm/fpm_main.c:1981
Try to change the expression 'req->fd >= 0' into 'req && req->fd >= 0' here https://github.com/php/php-src/blob/PHP-5.5.33/sapi/fpm/fpm/fastcgi.c#L1073 or here https://github.com/php/php-src/blob/PHP-5.6.20/sapi/fpm/fpm/fastcgi.c#L1073
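As an added example (not code from this thread or from php-src), the following stand-in models the shutdown path in the backtrace above and shows what the suggested guard changes. The struct and function names mirror php-fpm's fastcgi.c but the bodies are simplified; the sapi_state type, sapi_cgi_deactivate_model and sandbox_dtor_double_shutdown are invented for the illustration.

```c
#include <stddef.h>

/* Stand-in for php-fpm's fcgi_request: only the field the crash touches. */
typedef struct {
    int fd;        /* connection to the web server, -1 once closed */
    int finished;  /* set when the request was torn down */
} fcgi_request;

/* Invented for this example: what sapi_cgi_deactivate sees. The active
 * request pointer is NULL between requests, which is the state when the
 * Runkit_Sandbox destructor runs php_request_shutdown a second time. */
typedef struct {
    fcgi_request *request;
} sapi_state;

/* Before the fix: mirrors the 'req->fd >= 0' test at fastcgi.c:1073.
 * It dereferences req unconditionally, so req == NULL is the SIGSEGV
 * from the fpm log. Never call this with NULL. */
int fcgi_finish_request_unguarded(fcgi_request *req, int force_close)
{
    (void)force_close;
    if (req->fd >= 0) {
        req->fd = -1;        /* the real code closes the socket here */
        req->finished = 1;
        return 1;
    }
    return 0;
}

/* After the fix suggested above: 'req && req->fd >= 0'. */
int fcgi_finish_request_guarded(fcgi_request *req, int force_close)
{
    (void)force_close;
    if (req && req->fd >= 0) {
        req->fd = -1;
        req->finished = 1;
        return 1;
    }
    return 0;
}

/* Models the deactivate step reached from sapi_deactivate.
 * Returns 1 if a request was actually finished, 0 if there was nothing
 * to finish (no active request, or already finished). */
int sapi_cgi_deactivate_model(sapi_state *s)
{
    return fcgi_finish_request_guarded(s->request, 0);
}

/* The sequence from the backtrace: FPM finishes the real request, then
 * shutdown_destructors runs the Runkit_Sandbox dtor, which calls
 * php_request_shutdown again with no request attached. Returns 1 when
 * both calls behave as expected (second call is a harmless no-op). */
int sandbox_dtor_double_shutdown(void)
{
    fcgi_request req = { .fd = 7, .finished = 0 };
    sapi_state s = { .request = &req };

    int first = sapi_cgi_deactivate_model(&s);   /* normal end of request: 1 */
    s.request = NULL;                            /* FPM detaches the request */
    int second = sapi_cgi_deactivate_model(&s);  /* dtor path: 0, no crash */

    return first == 1 && second == 0 && req.finished == 1;
}
```

The guard only stops the crash; it does not change the fact that the sandbox destructor drives a second request shutdown through the SAPI, which is why the thread also suggests reporting the NULL request to the php-fpm maintainers rather than treating the check as a complete fix in runkit.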
@zenovich Thanks, it works fine now. Is this the debug step or the final solution?
I hope it is a final solution. I suggest reporting this bug to php-fpm's authors.
@anight @tony2001 maybe you're interested in this.
Try to change the expression 'req->fd >= 0' into 'req && req->fd >= 0' here https://github.com/php/php-src/blob/PHP-5.5.33/sapi/fpm/fpm/fastcgi.c#L1073 or here https://github.com/php/php-src/blob/PHP-5.6.20/sapi/fpm/fpm/fastcgi.c#L1073
@zenovich I found this bug in a few different SAPIs; using php binaries with WinAPI (procedure calls) also causes this. For example: php4delphi (if you wish to test, you can find my fork, which is 5.6-compatible).
I notice the document says:
Sandboxing is ONLY AVAILABLE in PHP 5.1
so sad..
With PHP 5.3 and 5.4 it works pretty well; maybe sandboxing is for all PHP 5 versions? The official PHP internals documentation says that the hashtable security (including the function table) and sub-processing changed only in PHPNG (which means 6.0, the never-released version, so => PHP 7.0 & up).
Easy Bypass (Hacked)
- Run the Runkit_Sandbox() class inside $runkit->eval('…new Runkit_Sandbox;…')