session_create_id causes SIGSEGV #1158
Comments
iluuu1994
changed the title
|
Ha, that was the same behaviour I was seeing but I didn't look into it any further yet due to time restrictions! It does indeed happen randomly.. I've been running 1.17 on 7.2 as well and it doesn't segfault there.. It started for me when I upgraded to 7.3.. @iluuu1994 have you reported this at PHP already? @thijskh this was the unexpected crashes I have mentioned on the OC-mailinglist when we we're discussing PHP73.. |
|
I'm honestly relieved to hear that we're not the only ones with this issue. Do you think this is critical enough to switch to the old session id generation until this issue is fixed?
Not yet. I was trying to get a core dump to get some debugging information but didn't succeed yet. I'll try tomorrow and I'll create a bug report then. Thank you @tvdijen for your response! |
|
I'd like to have a look at the core dump and see how they respond to the bug-report before we start jumping hoops, but it's definitely an option to disable it until a solution is in place. |
|
@tvdijen Fair enough! I can send a PR for the option tomorrow. |
|
Thanks for the offer, but I think I prefer a |
|
Great! Thanks for your help! |
|
Can either of you confirm that the patch by @mrtronje gets rid of the SIGSEGV's? |
|
@tvdijen Yes, we have been using it in production for a few days and have no more SIGSEVs. |
|
@iluuu1994 Did you manage to get some debug logging and to report a bug @php? |
|
I have mixed feelings about this. On the one hand, it's really bad that we're getting SIGSEGVs with PHP 7.3 by simply using the software. On the other hand, that's clearly a bug in PHP that should be solved. The issue I see with the one-liner is that it would downgrade session ID generation for everyone using PHP 7.3, no matter if the bug is fixed or not. So if PHP 7.3.8 is released tomorrow fixing this issue, people running SSP 1.17.3 would still use non-collision-resistant session IDs unless we release SSP 1.17.4 reverting the one-liner and they install it. I've been looking for a bug report, but didn't see anything. We should definitely report this to PHP and get it fixed there. Whether we should apply the one-liner as a temporary workaround, I honestly don't know... @thijskh do you have any comments on this? |
|
@tvdijen Unfortunately not. We haven't had a lot of time lately to look into it. I'll have to do it in my free time.
Another simple version check will do it once it's fixed. A slightly less optimal session id generation is preferable a crashing application. |
|
I agree with @jaimeperez that I'd be uneasy to disable this for all future PHP versions. We'd definitely need some way to come back to this issue later to see if it's still relevant. Maybe we can apply the workaround only in 1.17.3 and keep this issue open for 1.18. And indeed obviously file an issue with PHP itself. |
|
Why not just: if (
function_exists('session_create_id')
&& (
version_compare(phpversion(), '7.3', '<')
|| version_compare(phpversion(), '7.3.future_patched_version', '>=')
)
) {After a reasonable amount of time this could be removed. |
|
That is useful in the future but not something we can do now since we don't know the value of future_patched_version yet. |
|
I agree that having PHP crash is much, much worse than anything else. What about applying this one-liner fix, releasing 1.17.3, then reverting the fix? We keep the issue open, and before releasing next version, we check if there is a fix in PHP already. If not, apply the same patch. If it is resolved, then apply your suggested check to avoid only affected versions, and then commit that to master as well. Does that sound reasonable? |
|
Sounds good 🙂 |
|
Let's go for it |
|
I have applied the temporary workaround on the 1.17 branch now. |
|
Thanks guys! |
|
Hey all, We've encountered this SIGSEGV on our servers too, running on PHP 7.3 as well. However, we only encountered this with SSP 1.17.2, downgrading to 1.17.1 fixed this issue for us. I don't see any changes that directly relate to the session generation when looking at the commit comparisons between these versions. It could be that I'm overlooking something, I don't really know this codebase of course. Does anyone know why this downgrade solved it for us? (Just to be sure that there isn't a different issue at play here and I can upgrade safely) |
|
The only significant change between those versions is that we've started using Webmozart-assertions on the saml2-library.. What happens if you run v1.17.2 and downgrade |
|
We have 1.17.3 in place now with the fix for this 😄 |
This didn't fix the errors sadly. However, 1.17.3 does seem to fix it for now. That still doesn't explain why 1.17.1 seems to work for us, but I don't think it's worth it to keep digging for an answer. |
|
Hi guys, The issue is not related exclusively to PHP 7.3, I'm getting the SIGSEGV error en 7.2. I changed the comparision of the workaround from 7.3 to 7.2 and now its working. It was previously failing with both PHP 7.2.19 and 7.2.20. |
|
We never tried this on 7.2. We were stuck on PHP 7.0 and thus also on an older version of SimpleSaml that didn't use If anybody can get a stack trace please post it in the comments of the bug report. |
|
Hi guys, I'm considering introducing a regression deliberately. We are on the verge of release 1.18 (at least the first release candidate), and I would like to get rid of this temporary fix if possible. I've been trying to reproduce this locally in the command line with the two versions of PHP that are reportedly causing crashes (7.2 and 7.3). Essentially, I'm creating millions of session IDs with @iluuu1994, @txigreman, @tymees would you be willing to give 1.18-rc1 a try and tell us if you still get those crashes or not? |
I've tried that back then too but couldn't reproduce it this way. I highly doubt the issue is gone since there was no activity in the PHP bug report... |
|
I just deployed current |
|
Sorry, but I can not test it because it only happens in the production server :/ |
|
I've deployed the latest master on our acceptation server, so far no issues... I'll do some testing next week when I come back to work |
|
I found out how to create coredumps and it's actually quite easy: I have enabled it on my 7.2 + 7.3 machine to add to the chance to catch one.. It would help if you guys could all do this, so we can get this fixed by PHP ASAP.. |
|
@tvdijen Yeah those are the same instructions we've followed but for some reason the core dump file was never generated. Hopefully you'll have more luck. |
The issue seems to still be in place.
The issue seems to still be in place.
|
I haven't been able to generate core dumps with the provided instruction either.. @tymees have you had any problems with more recent versions of SSP? |
|
Not that I know of no, error logs look clean too! |
|
Given the feedback above I think it’s ok to close this now. |
|
1.18 has been using the temporary patch we created as well, so the fact that we haven't had any more people observing segfaults doesn't mean the issue is gone, unfortunately 😞 |
|
My bad, Tim just corrected me that all the feedback we have now (confirming the issue is gone) was based on master, which didn't have the workaround in place, so I'm closing it back. Sorry for the noise! |
Describe the bug
Since we have updated to SimpleSaml 1.17 we get daily SIGSEGV of PHP-FPM due to the new call to
session_create_id():simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php
Line 152 in f5989a7
/var/log/kern.log
/var/log/php7.3-fpm.log
This is the PHP version we use:
To Reproduce
Unfortunately, we could not recognize any patterns on how to reproduce the issue. It seems to happen randomly.
Obviously this is not your issue to solve but I'm posting this here for two reason:
bin2hex(openssl_random_pseudo_bytes(16))instead?Thank you!
The text was updated successfully, but these errors were encountered: