"Segmentation fault" on login in version 2.0.26 #1465

Closed
22h opened this issue Apr 2, 2020 · 10 comments

@22h

22h commented Apr 2, 2020

Version: 2.0.26
Message: "Segmentation fault"
Commit with problem: 229f6af

Currently I get a "segmentation fault" back when trying to log in over sftp. This is triggered by an endless loop in https://github.com/phpseclib/phpseclib/blob/2.0.26/phpseclib/Net/SFTP.php#L415

Does anyone else have the problem or can reproduce it?

@terrafrost
Member

terrafrost commented Apr 2, 2020

The unit tests don't reproduce it. To verify that that method is being called I added an exit('zzz') to that method in a new branch:

terrafrost@0c452a6

You can see that it's being called if you click on the unit test results for any of the 7.x versions:

https://travis-ci.org/github/terrafrost/phpseclib/builds/670069628

(the 5.x versions don't use GNU Parallels in the unit tests; not sure why it's showing up with parallels but not without...)

Doesn't really make a ton of sense to me either tbh. SSH2::login doesn't call self::login or $this->login or anything. If they did I could see how an infinite loop could exist but they don't. In fact, I did Ctrl + F in SSH2.php for ->login and ::login and got 0 results back in the actual code (there were some examples in the comments that did have ->login in them).

In fact, for good measure, I created a second branch to run locally:

https://github.com/terrafrost/phpseclib/tree/22h-2

I then ran this script:

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use phpseclib\Net\SFTP;

$ssh = new SFTP('vagrant');
$ssh->login('vagrant', 'vagrant');

print_r($ssh->nlist());
```

Here's the output I got (redacting the nlist output):

```
SFTP::login called
SSH2::login called
Array
(
)
```

So clearly I'm not able to reproduce the issue locally, either, despite calling SFTP::login method that you're suggesting should trigger the error (and despite SFTP::login calling SSH2::login)...

@terrafrost
Member

I mean, I guess you could post your phpinfo but tbh I don't really see how that'd help. But hey - it couldn't hurt, either!

On Linux coredumps produce a text file on the file system. Do segfaults? If so maybe you could post that? idk that I've ever tried to dig into a hypothetical segfault file but I could try idk.

It would be interesting to know how https://github.com/terrafrost/phpseclib/tree/22h-2 behaves on your system. Based on what you're saying it should loop endlessly, toggling between SFTP::login called and SSH2::login called. If it did that then I could add additional debug code in an attempt to figure out how. eg. maybe keep track of the recursion depth via a static class variable and then exit out when a certain depth is hit. And include line numbers from the previous entry in the stack trace during each call idk...

@Hooddominator

Same Issue here, SegFault on SFTP-Login

```
Mar 26 11:42:02 xxxxx.yyy kernel: [8476186.632029] php[16210]: segfault at 7ffed30d3fd8 ip 00005619245db183 sp 00007ffed30d3fa0 error 6 in php7.3[56192433d000+3ee000]
Mar 26 11:42:02 xxxxx.yyy kernel: [8476186.632073] php[16206]: segfault at 7ffc39790ff8 ip 00005634b06d17b0 sp 00007ffc39791000 error 6 in php7.3[5634b03e9000+3ee000]
Mar 26 11:42:02 xxxxx.yyy kernel: [8476186.632687] php[16208]: segfault at 7fffcdf48ff8 ip 00005560fc330ea2 sp 00007fffcdf49000 error 6 in php7.3[5560fc08b000+3ee000]
```

...followed by tight endless loop until logfiles reach space-limit...

```
PHP Notice:  Undefined offset: 256 in /home/files/latest/vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php on line 4048
Notice: Undefined offset: 256 in /home/files/latest/vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php on line 4048
PHP Notice:  Undefined offset: 256 in /home/files/latest/vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php on line 4056
Notice: Undefined offset: 256 in /home/files/latest/vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php on line 4056
```

@terrafrost
Member

@Hooddominator - as I've already noted I cannot reproduce. It's not reproducible on Travis CI and it's not reproducible locally.

Quoting my last post:

> It would be interesting to know how https://github.com/terrafrost/phpseclib/tree/22h-2 behaves on your system. Based on what you're saying it should loop endlessly, toggling between SFTP::login called and SSH2::login called. If it did that then I could add additional debug code in an attempt to figure out how. eg. maybe keep track of the recursion depth via a static class variable and then exit out when a certain depth is hit. And include line numbers from the previous entry in the stack trace during each call idk...

As for your "PHP Notice: Undefined offset: 256" errors... see #1271. Quoting the most relevant portion of that post:

> Upon sticking a strace on the relevant sshd process, revealed that I had a problem with systemd-logind needing restarting after a certain other service has been restarted: https://serverfault.com/questions/707377/slow-ssh-login-activation-of-org-freedesktop-login1-timed-out.

If you are unable to run https://github.com/terrafrost/phpseclib/tree/22h-2 as I requested then maybe you can give me SSH access to a server that reproduces the problem. Maybe I'd be able to reproduce the issue by SFTP'ing into a server from my own local machine using phpseclib. Or maybe the problem is with some weird custom PHP install and the only way to reproduce the problem is to both run phpseclib from a server that reproduces the problem and connect to an appropriate SFTP server.

@22h
Author

22h commented Apr 2, 2020

Thanks for the feedback, I will try to reproduce the whole thing tomorrow in isolation.

@22h
Author

22h commented Apr 3, 2020

I found the problem: we extended the SFTP class in our application. In this case you get an endless loop on the login method call.

Here is an example:

```php
<?php

use phpseclib\Crypt\RSA;
use phpseclib\Net\SFTP;

require_once 'vendor/autoload.php';

$host = '';
$port = 22;
$username = '';
$private_key = '';
$private_key_password = '';

class MySFTP extends SFTP
{
    /**
     * @param     $host
     * @param int $port
     * @param int $timeout
     */
    public function __construct($host, $port = 22, $timeout = 10)
    {
        parent::__construct($host, $port, $timeout);
    }
}

$sftp = new MySFTP($host, $port);

$rsa = new RSA();
$rsa->setPassword($private_key_password);
$rsa->loadKey($private_key);

$sftp->login($username, $rsa);

var_dump($sftp->_list('.'));
```

I think there are 2 options now:

  1. We set the SFTP class final, but I think it's a break in this version.
  2. We find a way to make this example runnable.

thx for your time
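
A constructed illustration of how extending a class can turn a login() call into endless recursion, together with the static depth counter suggested earlier in the thread (added example, not part of the original posts and not phpseclib code). The page does not show SFTP::login as of 2.0.26, so the get_parent_class($this) dispatch is an assumed mechanism; Transport, BrokenChannel, FixedChannel, AppBroken, AppFixed and tryLogin are hypothetical names.

```php
<?php
// Constructed stand-ins: Transport ~ SSH2, *Channel ~ SFTP, App* ~ the application's subclass.
class Transport
{
    public function login($user) { return 'Transport::login'; }
}

class BrokenChannel extends Transport
{
    private static $depth = 0; // recursion depth shared by every call
    public function login($user)
    {
        // Depth guard: stop after a few re-entries instead of overflowing the stack.
        if (++self::$depth > 3) {
            self::$depth = 0;
            $f = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2);
            $line = isset($f[1]['line']) ? $f[1]['line'] : 0; // line of the previous stack entry
            throw new RuntimeException(__METHOD__ . " re-entered via line $line on " . get_class($this));
        }
        // Assumed defect: "parent" is derived from the runtime class of $this.
        // For an AppBroken instance that is BrokenChannel, so this method calls itself.
        $result = call_user_func(array(get_parent_class($this), 'login'), $user);
        self::$depth = 0;
        return $result;
    }
}

class FixedChannel extends Transport
{
    public function login($user)
    {
        // parent:: is bound to the class this method is declared in, not to $this.
        return parent::login($user);
    }
}

class AppBroken extends BrokenChannel {}
class AppFixed extends FixedChannel {}

function tryLogin(Transport $c)
{
    try {
        return $c->login('demo');
    } catch (RuntimeException $e) {
        return 'loop detected: ' . $e->getMessage();
    }
}
foreach (array(new BrokenChannel, new AppBroken, new AppFixed) as $c) {
    echo get_class($c), ': ', tryLogin($c), PHP_EOL;
}
```

Only the AppBroken instance trips the guard; the un-extended BrokenChannel logs in normally, which is consistent with the unit tests and the local run in this thread not reproducing the crash.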

@terrafrost
Member

Nice job figuring that out! I'm now able to reproduce the problem!

I need to get ready for work but I'll take a look this evening / weekend.

Thanks!!

@22h
Author

22h commented Apr 3, 2020

No problem and thanks for your time

@terrafrost
Member

terrafrost commented Apr 4, 2020

c301ddf should fix this.

The 2.0 branch, owing to the fact that the minimum version of PHP that it supports is 5.3, implements this more elegantly:

9c0ad2f

The 3.0 branch implements it even more nicely and no changes were necessary for the 3.0 branch.

I'll try to do a release of the 2.0 branch this weekend!

@terrafrost
Member

A new 2.0 branch has been released!
