From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: freebsd-apache@freebsd.org
Cc: ale@FreeBSD.org
Date: Tue, 4 Jan 2011 02:57:09 -0800
Message-ID: <20110104105709.GA4002@icarus.home.lan>
Subject: Confirmed infinite loop/wedging bug in PHP on i386

There's some discussion in the "web world" about a known problem with PHP
on 32-bit x86 architectures:

http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/
http://news.ycombinator.com/item?id=2066084

I've confirmed FreeBSD is affected, with PHP built from ports. The issue
does not affect amd64. I don't have other architectures to test with, but
I imagine only x86 is affected.
Testing/reproducing it is simple via CLI:

php -r '$d = 2.2250738585072011e-308;'

The interpreter will immediately begin chewing up 100% CPU. FreeBSD version
does not appear to matter.

This issue would affect CLI, CGI, and Apache module versions, and depending
on one's code, would be exploitable via $_GET and $_POST variables or
similar. That's one thing that makes this incredibly dangerous
(classifiable as a DoS). Server administrators should be very concerned;
ktrace/truss/etc. will not show anything going on when this happens, only
that the process is taking up 100% CPU.

For an explanation that makes a bit of sense, see the 2nd URL above, and
search for "IA-32". I imagine optimisation levels (-O vs. -O0 vs. -O2) can
play a role here as well.

The workaround seems to be adding -ffloat-store to CFLAGS during
compile-time on 32-bit architectures. I haven't personally tested this,
but the explanation seems reasonable.

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
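The one-liner above hangs the interpreter forever on an affected build, so a check run from a script (for example before and after rebuilding the port with -ffloat-store) needs a watchdog that kills it. The following is an added example, not part of the original message: a POSIX sh check that runs the reproducer under a self-made timeout (2011-era FreeBSD base has no timeout(1)), reports "affected" only if the process had to be killed, and skips cleanly when no php binary is found. The php binary path and the time limit are parameters, not values from the message.

```sh
#!/bin/sh
# run_with_timeout SECONDS CMD [ARGS...]
# Runs CMD in the background and SIGKILLs it if it is still alive after
# SECONDS. Returns CMD's exit status; a killed command yields 137 (128+9).
run_with_timeout() {
  secs="$1"; shift
  "$@" &
  cmd_pid=$!
  # Watchdog subshell; its stdout/stderr are detached so an orphaned
  # sleep cannot hold a caller's pipe open.
  ( sleep "$secs"; kill -9 "$cmd_pid" 2>/dev/null ) >/dev/null 2>&1 &
  watchdog_pid=$!
  inner_rc=0
  wait "$cmd_pid" || inner_rc=$?
  kill "$watchdog_pid" 2>/dev/null || true
  return "$inner_rc"
}

# check_php_for_hang [PHP_BINARY] [LIMIT_SECONDS]
# Feeds the value from the report to the interpreter and classifies the
# result. Exit status: 0 = returned normally, 1 = had to be killed
# (affected), 2 = php binary not found (check skipped).
check_php_for_hang() {
  php_bin="${1:-php}"      # assumed path; override for a ports build
  limit="${2:-5}"          # a healthy php -r returns in well under 5s
  if ! command -v "$php_bin" >/dev/null 2>&1; then
    echo "skipped: $php_bin not found"
    return 2
  fi
  check_rc=0
  run_with_timeout "$limit" "$php_bin" -r '$d = 2.2250738585072011e-308;' \
    >/dev/null 2>&1 || check_rc=$?
  if [ "$check_rc" -eq 137 ]; then
    echo "AFFECTED: $php_bin did not return within ${limit}s and was killed"
    return 1
  fi
  echo "not affected: $php_bin returned (exit status $check_rc)"
  return 0
}

# Usage: sh check_php.sh [/usr/local/bin/php] [seconds]
if [ "${0##*/}" = "check_php.sh" ]; then
  check_php_for_hang "$@"
fi
```

Run it against the old binary first (expect "AFFECTED"), then against the rebuild with -ffloat-store in CFLAGS; the exit status makes it usable from a build or monitoring script.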