# suhosin reporting canary mismatch with php-5.2.10



## neildarlow (Jul 12, 2009)

I'm running 7.2-RELENG and apache-2.2.11 and php-5.2.10 (modular) with Suhosin patch and extension enabled.

Since upgrading from php-5.2.9 to 5.2.10 I've been getting a lot of blank pages returned for php page requests. The php error log reports canary efree() mismatch and apache error log reports heap overflow. This didn't happen with php-5.2.9.

I Googled this and found hits reported for Debian, Gentoo and OpenSUSE so it looks like it's not just limited to my FreeBSD system. Has anyone else observed this problem?


----------



## guest2 (Dec 9, 2009)

hi
refreshing topic.

After a portupgrade I have the same error as neildarlow:

```
# php-cgi
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')
```

system: 7.2-RELEASE FreeBSD 7.2-RELEASE, php5-5.2.11_1, php5-mhash-5.2.11_1 

This error occurs only when mhash.so is uncommented in /usr/local/etc/php/extensions.ini. The rest of the shared objects work fine.

truss php-cgi -v output:


```
.........
access("/usr/local/lib/libmhash.so.2",0)         = 0 (0x0)
open("/usr/local/lib/libmhash.so.2",O_RDONLY,05011547066) = 3 (0x3)
fstat(3,{ mode=-rwxr-xr-x ,inode=3561567,size=275972,blksize=4096 }) = 0 (0x0)
read(3,"\^?ELF\^A\^A\^A\t\0\0\0\0\0\0\0"...,4096) = 4096 (0x1000)
mmap(0x0,270336,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_NOCORE,3,0x0) = 686391296 (0x28e98000)
mprotect(0x28ed8000,4096,PROT_READ|PROT_WRITE|PROT_EXEC) = 0 (0x0)
mprotect(0x28ed8000,4096,PROT_READ|PROT_EXEC)    = 0 (0x0)
mmap(0x28ed9000,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED,3,0x40000) = 686657536 (0x28ed9000)
close(3)                                         = 0 (0x0)
access("/lib/libthr.so.3",0)                     = 0 (0x0)
open("/lib/libthr.so.3",O_RDONLY,027757744274)   = 3 (0x3)
fstat(3,{ mode=-r--r--r-- ,inode=45,size=76284,blksize=4096 }) = 0 (0x0)
read(3,"\^?ELF\^A\^A\^A\t\0\0\0\0\0\0\0"...,4096) = 4096 (0x1000)
mmap(0x0,86016,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_NOCORE,3,0x0) = 686661632 (0x28eda000)
mprotect(0x28eeb000,4096,PROT_READ|PROT_WRITE|PROT_EXEC) = 0 (0x0)
mprotect(0x28eeb000,4096,PROT_READ|PROT_EXEC)    = 0 (0x0)
mmap(0x28eec000,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED,3,0x11000) = 686735360 (0x28eec000)
mmap(0x28eed000,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_ANON,-1,0x0) = 686739456 (0x28eed000)
close(3)                                         = 0 (0x0)
mmap(0x0,544,PROT_READ|PROT_WRITE,MAP_ANON,-1,0x0) = 686747648 (0x28eef000)
munmap(0x28eef000,544)                           = 0 (0x0)
mmap(0x0,1440,PROT_READ|PROT_WRITE,MAP_ANON,-1,0x0) = 686747648 (0x28eef000)
munmap(0x28eef000,1440)                          = 0 (0x0)
mmap(0x0,4056,PROT_READ|PROT_WRITE,MAP_ANON,-1,0x0) = 686747648 (0x28eef000)
munmap(0x28eef000,4056)                          = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0)                 = 0 (0x0)
getpid(0x285ea540,0x28eec8a0,0x1d8,0x1000,0xffffffff,0x28edca44) = 70218 (0x1124a)
__sysctl(0xbfbfc8d0,0x2,0x28eee9d0,0xbfbfc8d8,0x0,0x0) = 0 (0x0)
__sysctl(0xbfbfc864,0x2,0xbfbfc7fc,0xbfbfc86c,0x28eeb45c,0xd) = 0 (0x0)
__sysctl(0xbfbfc7fc,0x3,0x28eedcc8,0xbfbfc8d8,0x0,0x0) = 0 (0x0)
thr_self(0x287af040,0x28eedcc8,0xbfbfc8d8,0x0,0x0,0x0) = 0 (0x0)
mmap(0xbf9ff000,4096,PROT_NONE,MAP_ANON,-1,0x0)  = -1080037376 (0xbf9ff000)
thr_set_name(0x1878f,0x28eeb4a4,0x0,0x1000,0xffffffff,0x0) = 0 (0x0)
rtprio_thread(0x0,0x1878f,0xbfbfc86c,0x28605800,0x328,0x2829e1c8) = 0 (0x0)
sysarch(0xa,0xbfbfc880,0xbfbfc8d0,0x2829e1c8,0x28545089,0x28eecb6c) = 0 (0x0)
sigprocmask(SIG_SETMASK,SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2,0x0) = 0 (0x0)
sigaction(32,{ 0x28ee45d0 SA_RESTART|SA_SIGINFO ss_t },0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0)                 = 0 (0x0)
sigprocmask(SIG_BLOCK,SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2,0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0)                 = 0 (0x0)
open("/dev/urandom",O_RDONLY,05025427333)        = 3 (0x3)
read(3,"\M->\a\M-J\M-x",4)                       = 4 (0x4)
close(3)                                         = 0 (0x0)
open("/dev/urandom",O_RDONLY,04)                 = 3 (0x3)
read(3,"\^X\M-X\M-m\M^J",4)                      = 4 (0x4)
close(3)                                         = 0 (0x0)
open("/dev/urandom",O_RDONLY,04)                 = 3 (0x3)
read(3,"\M^E&S\M-T",4)                           = 4 (0x4)
close(3)                                         = 0 (0x0)
mmap(0x0,1048576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 686747648 (0x28eef000)
mmap(0x28fef000,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 687796224 (0x28fef000)
munmap(0x28eef000,69632)                         = 0 (0x0)
getpid(0xbfbfb84e,0x1040,0x8249780,0x8240de2,0xbfbfa7ea,0x82496f9) = 70218 (0x1124a)
socket(PF_LOCAL,SOCK_DGRAM,0)                    = 3 (0x3)
connect(3,{ AF_UNIX "/dev/log" },106)            = 0 (0x0)
sendto(3,"<9>suhosin[70218]: ALERT - canar"...,128,0x0,NULL,0x0) = 128 (0x80)
close(3)                                         = 0 (0x0)
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')
write(2,"ALERT - canary mismatch on efree"...,109) = 109 (0x6d)
sigprocmask(SIG_BLOCK,SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2,0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0)                 = 0 (0x0)
sigprocmask(SIG_BLOCK,SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2,0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0)                 = 0 (0x0)
process exit, rval = 1
```

When I disable mhash:

```
# php-cgi -v
PHP 5.2.11 with Suhosin-Patch 0.9.7 (cgi-fcgi) (built: Dec  9 2009 18:22:40)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
```

Does anybody know how to resolve this problem?

thx 
david


----------



## CyberLeo (Mar 21, 2010)

I have encountered a similar problem using PHP 5.2.12 on 7.2-RELEASE. I tracked it down to a problem with loading libthr.so after suhosin was running. I also found that preloading libthr.so via LD_PRELOAD before PHP had a chance to initialize suhosin eliminated the error.

I have documented my fix here:

http://wiki.cyberleo.net/wiki/KnowledgeBase/FreeBSD/envhack.c
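
The preload approach described in the post above, sketched as a small exec wrapper. This is an added example, not the envhack.c linked in the post: `REAL_PHP` is an assumed location for the real PHP binary, and `/lib/libthr.so.3` is the path shown in the truss output earlier in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define THR_LIB  "/lib/libthr.so.3"            /* path seen in the truss output */
#define REAL_PHP "/usr/local/bin/php-cgi.real" /* assumption: renamed real binary */

/* Return 1 if lib is already a whole entry in a colon/space separated list. */
static int preload_has(const char *list, const char *lib)
{
    size_t n = strlen(lib);
    while (list && *list) {
        size_t len = strcspn(list, ": ");
        if (len == n && strncmp(list, lib, n) == 0)
            return 1;
        list += len + strspn(list + len, ": ");
    }
    return 0;
}

/* Build the new LD_PRELOAD value in out: lib alone, the current value unchanged
 * if lib is already listed, else lib prepended. Returns -1 if out is too small. */
static int build_preload(const char *cur, const char *lib, char *out, size_t outsz)
{
    int r;
    if (cur == NULL || *cur == '\0')
        r = snprintf(out, outsz, "%s", lib);
    else if (preload_has(cur, lib))
        r = snprintf(out, outsz, "%s", cur);
    else
        r = snprintf(out, outsz, "%s:%s", lib, cur);
    return (r < 0 || (size_t)r >= outsz) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char val[4096];
    (void)argc;
    if (access(THR_LIB, R_OK) != 0) { perror(THR_LIB); return 1; }
    if (build_preload(getenv("LD_PRELOAD"), THR_LIB, val, sizeof val) != 0) {
        fprintf(stderr, "LD_PRELOAD value too long\n"); return 1;
    }
    if (setenv("LD_PRELOAD", val, 1) != 0) { perror("setenv"); return 1; }
    execv(REAL_PHP, argv);   /* returns only on failure */
    perror(REAL_PHP);
    return 1;
}
```

The wrapper changes only the library load order; the Suhosin canary check stays enabled.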


----------



## server (Nov 13, 2010)

http://wiki.cyberleo.net/wiki/KnowledgeBase/FreeBSD/envhack.c
I did as described there, but at command input I receive:

```
php --version
php: Command not found.
```


```
uname -a
FreeBSD  8.1-STABLE FreeBSD
```
Please help me!


----------

