Hello,
ZDSP is a module to allow the Zend engine to know when it will go too far
within the stack. In fact this module allows preventing a possible
segfault from the script.
If you type (php 5.1):
php -r 'function foo() { foo(); } foo();'
You will get a segfault because foo() will go to read a stack address too far
away and the kernel will send a bus error known as SIGSEGV.
Is it dangerous? Not really. In fact it could be if a web-hoster has a
'bad client' who plays with the above example. The problem could be
more serious if the SAPI filter is used in a threaded environment, which would
cause the server to halt.
The treatment of the SIGSEGV signal is a nightmare. There is a method to prevent
the SIGSEGV signal by the system call sigaltstack(), which makes it possible to
build another stack.
However this system call is not portable and very dangerous.
"Executing code after a SIGSEGV could be very dangerous".
ZDSP makes it possible to limit the damage and it's portable. In fact the
lowest known stack address is recorded (in sapi_startup()) and at each
execution of a function a check is carried out on the difference between
the current stack position and that address.
One considers that the system will not consume more than 30% of the stack
at the time of sapi_startup() and that PHP itself will not consume more
than 20% of the stack.
It remains 50%, which would be the maximum load the Zend recursive execution
can take. It is simple: if one exceeds these 50%, ZDSP stops the script and
creates an error.
CURRENT PATCHED FUNCTIONS
ZEND_API void execute(zend_op_array *op_array TSRMLS_DC)
static int php_array_walk(HashTable *target_hash, zval **userdata, int recursive TSRMLS_DC)
You see a function that needs a prevention? Contact me [EMAIL PROTECTED]
INSTALLATION
http://badcode.be/~descript/PHP/zend_dsp/
cd php-src
cp /PATH/zend_dsp.c Zend/
cp /PATH/zend_dsp.h Zend/
cd ..
cat PHP_5_1.zend-dsp.patch | patch -p0
cd php-src
./buildconf
./configure --enable-zend-dsp
make
./sapi/cli/php -r 'function foo() { foo(); } foo();'
enjoy
Michael Vergoz
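The 50% budget check described in the message above, as an added illustration in C that is not ZDSP's own code: a base stack address is recorded once at "startup", every call measures how far the current frame is from that base, and unbounded recursion is stopped with a returned depth instead of a crash. The stack size, the 256-byte fake frame and all dsp_* names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stack size and the 50% budget from the 30/20/50 split in the mail
 * (hypothetical values; a real build would derive them from the real limit). */
#define ASSUMED_STACK_SIZE (1u * 1024u * 1024u)
#define STACK_BUDGET       (ASSUMED_STACK_SIZE / 2u)
static uintptr_t stack_base = 0;

/* Record the stack position once at startup (ZDSP does this in sapi_startup()). */
static void dsp_startup(void) {
    volatile char marker = 0;
    stack_base = (uintptr_t)&marker;
}

/* Bytes of stack consumed since dsp_startup(), whichever way the stack grows. */
static size_t dsp_stack_used(void) {
    volatile char marker = 0;
    uintptr_t here = (uintptr_t)&marker;
    return here < stack_base ? (size_t)(stack_base - here) : (size_t)(here - stack_base);
}

/* The per-call check: 1 while inside the budget, 0 once it is exceeded. */
static int dsp_check(void) {
    return dsp_stack_used() <= STACK_BUDGET;
}

/* Unbounded recursion like `function foo() { foo(); }`, guarded by the check.
 * Returns the depth reached when the guard fired instead of crashing. */
static unsigned long guarded_foo(unsigned long depth) {
    volatile char frame[256];  /* stands in for a real call frame */
    frame[0] = 0;
    if (!dsp_check()) {
        return depth;          /* ZDSP would raise a fatal error here */
    }
    /* Reading frame[] after the call keeps this frame live, so the compiler
     * cannot turn the recursion into a loop that never grows the stack. */
    unsigned long reached = guarded_foo(depth + 1);
    return reached + (unsigned long)frame[0];
}

/* Driver: the depth at which the guard stopped the recursion. */
unsigned long run_guarded_recursion(void) {
    dsp_startup();
    return guarded_foo(0);
}

int main(void) {
    printf("guard fired at depth %lu\n", run_guarded_recursion());
    return 0;
}
```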
----- Original Message -----
From: "Jared Williams" <[EMAIL PROTECTED]>
To: "'Michael Vergoz'" <[EMAIL PROTECTED]>; "'Wez Furlong'"
<[EMAIL PROTECTED]>; "'Ilia Alshanetsky'" <[EMAIL PROTECTED]>
Cc: "'Nuno Lopes'" <[EMAIL PROTECTED]>; "'PHPdev'" <internals@lists.php.net>
Sent: Friday, February 24, 2006 4:55 PM
Subject: RE: [PHP-DEV] recover from a segfault
The problem is that setrlimit() needs privilege to expand the
process stack.
I don't think it's a good idea to use this system call to fix
the too-high-function-stack bug.
There is no real way to fix this bug correctly.
However I think we should re-examine the execution flow of
PECL functions.
How about core functions too.. Using array_walk_recursive to undo
magic_quotes creates a stack smashing exploit.
Jared
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php