Segfaults with PHP 7.4.27 fpm and mysqlnd driver #7877

Closed
niclashoyer opened this issue Jan 3, 2022 · 6 comments

@niclashoyer

Description

We started to get a lot of segfaults recently using PHP 7.4.27 FPM. Every segfault is related to the mysqlnd extension and it seems that something goes wrong while executing a PDO statement.

I could provide the full backtrace if needed. I just need some secure place to upload it.

To Reproduce
I tried to reproduce the error in a minimal example using similar queries, but that did not trigger the problem.

Expected behavior
A call to PDOStatement->execute should not run into a segfault.

Package(s) (please complete the following information):

php7.4-fpm:
  Installed: 7.4.27-1+ubuntu20.04.1+deb.sury.org+1
  Candidate: 7.4.27-1+ubuntu20.04.1+deb.sury.org+1
  Version table:
 *** 7.4.27-1+ubuntu20.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
     7.4.3-4ubuntu2.8 500
        500 http://de.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://mirror.hetzner.de/ubuntu/packages focal-updates/universe amd64 Packages
     7.4.3-4ubuntu2.7 500
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
        500 http://mirror.hetzner.de/ubuntu/packages focal-security/universe amd64 Packages
     7.4.3-4ubuntu1 500
        500 http://de.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        500 http://mirror.hetzner.de/ubuntu/packages focal/universe amd64 Packages

Additional context
Backtrace using gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f3157ed21bb in ?? () from /usr/lib/php/20190902/mysqlnd.so
(gdb) bt
#0  0x00007f3157ed21bb in ?? () from /usr/lib/php/20190902/mysqlnd.so
#1  0x00007f3157ed3708 in ?? () from /usr/lib/php/20190902/mysqlnd.so
#2  0x00007f3157ede815 in ?? () from /usr/lib/php/20190902/mysqlnd.so
#3  0x00007f3157edaf6d in ?? () from /usr/lib/php/20190902/mysqlnd.so
#4  0x00007f3157eddd8d in ?? () from /usr/lib/php/20190902/mysqlnd.so
#5  0x00007f3157eccaaf in ?? () from /usr/lib/php/20190902/mysqlnd.so
#6  0x00007f3154b20bc6 in ?? () from /usr/lib/php/20190902/pdo_mysql.so
#7  0x00007f3157eab191 in ?? () from /usr/lib/php/20190902/pdo.so
#8  0x000055775c2aafe5 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at ./Zend/zend_vm_execute.h:1730
#9  execute_ex (ex=0x7ffcfb317090) at ./Zend/zend_vm_execute.h:53525
#10 0x000055775c213f6f in zend_call_function (fci=fci@entry=0x7ffcfb317b80, fci_cache=0x7f31452277c8, fci_cache@entry=0x7ffcfb317b60)
    at ./Zend/zend_execute_API.c:820
#11 0x000055775c23ee5c in zend_call_method (object=0x7f30e56e3430, obj_ce=<optimized out>, fn_proxy=0x7f3142c29cd0, 
    function_name=0x55775c2e5bdd "getiterator", function_name_len=<optimized out>, retval_ptr=0x7ffcfb317c60, param_count=0, arg1=0x0, arg2=0x0)
    at ./Zend/zend_interfaces.c:103
#12 0x000055775c23f623 in zend_user_it_new_iterator (ce=ce@entry=0x7f3142c21040, object=object@entry=0x7f30e56e3430, retval=retval@entry=0x7ffcfb317c60)
    at ./Zend/zend_interfaces.c:127

PHP Version

PHP 7.4.27

Operating System

Ubuntu 20.04

@derickr
Member

derickr commented Jan 3, 2022 via email

@niclashoyer
Author

@derickr I can't say this for sure, as we recently upgraded to 7.4.27 after we got segfaults, but I don't have any dumps for 7.4.26.

@kamil-tekiela
Member

> I could provide the full backtrace if needed. I just need some secure place to upload it.

Do you think this could be a security issue? If not, then you can provide more details in this GH issue.

It would be useful to have a script to reproduce the problem.

@cmb69
Member

cmb69 commented Jan 3, 2022

Note that PHP 7.4 is no longer actively supported, so it won't receive bug fixes (as opposed to security fixes). Since this doesn't look like a security issue, could you please check whether this affects any of the actively supported versions?

@niclashoyer
Author

@cmb69 I see, we will try to reproduce on 8.x

@niclashoyer
Author

I'll close this for now, it might take some time until we switch to 8.x.
