by ·0评论

# 在nginx和php-fpm下一访问nginx就瞬间502的问题 php-fpmsignal 7 (SIGBUS)

故障现象

使用TinkPHP3.2.x框架,页面偶尔会出现一访问nginx就报502 bad gateway,并不是等一段时间后nginx才报502,打开页面的一瞬间就502了。

php-fpm日志

 

[28-Sep-2015 23:25:07] WARNING: [pool www] child 2965 exited on signal 7 (SIGBUS) after 319.686109 seconds from start

[28-Sep-2015 23:25:07] NOTICE: [pool www] child 3223 started

[28-Sep-2015 23:25:49] WARNING: [pool www] child 1251 exited on signal 7 (SIGBUS) after 1005.893950 seconds from start

[28-Sep-2015 23:25:49] NOTICE: [pool www] child 3242 started

[28-Sep-2015 23:26:46] WARNING: [pool www] child 1467 exited on signal 7 (SIGBUS) after 1057.791921 seconds from start

[28-Sep-2015 23:26:46] NOTICE: [pool www] child 3284 started

[28-Sep-2015 23:30:33] WARNING: [pool www] child 1178 exited on signal 7 (SIGBUS) after 1289.872260 seconds from start

[28-Sep-2015 23:30:33] NOTICE: [pool www] child 3450 started

[28-Sep-2015 23:30:35] WARNING: [pool www] child 1115 exited on signal 7 (SIGBUS) after 1292.014337 seconds from start

[28-Sep-2015 23:30:35] NOTICE: [pool www] child 3451 started

[28-Sep-2015 23:30:35] WARNING: [pool www] child 1487 exited on signal 7 (SIGBUS) after 1285.395573 seconds from start

[28-Sep-2015 23:30:35] NOTICE: [pool www] child 3452 started

[28-Sep-2015 23:30:36] WARNING: [pool www] child 1958 exited on signal 7 (SIGBUS) after 1181.206336 seconds from start

[28-Sep-2015 23:30:36] NOTICE: [pool www] child 3453 started

可以看到有大量的 php-fpm进程收到 signal 7 退出了, 由于fastcgi php-fpm 瞬间退出了,nginx就瞬间502了

对php-fpm进行调试

既然看不出来头绪就需要进行调试了,这里需要把php-fpm退出的时候导出coredump

 php-fpm coredump方法

核心文件,也称核心转储,是操作系统在进程收到某些信号而终止运行时,将此时进程地址空间的内容以及有关进程状态的其他信息写出的一个磁盘文件。这种信息往往用于调试。 核心文件一词来源于磁芯内存。

php需要打开debug参数,如果编译的时候没有打开,需要重新编译,以下是我这里的

--enable-debug
--prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --enable-fpm --with-fpm-user=www --with-fpm-group=www --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-iconv-dir --with-freetype-dir=/usr/local/freetype --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --enable-mbregex --enable-mbstring --with-mcrypt --enable-ftp --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --with-gettext --disable-fileinfo --enable-debug

修改dump出来的路径

echo "/tmp/coredump/core.%e.%p.%h.%t" > /proc/sys/kernel/core_pattern

允许程序崩溃的时候dump

ulimit -c unlimited

关闭dump功能

ulimit -c 0

用gdb进行调试

gdb /usr/local/php/sbin/php-fpm core.php-fpm.4555.web1.iamle.com.1443458079

GNU gdb (GDB) Red Hat Enterprise Linux (7.2-83.el6)

Copyright (C) 2010 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-redhat-linux-gnu".

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>...

Reading symbols from /usr/local/php/sbin/php-fpm...done.

[New Thread 4555]

Missing separate debuginfo for /usr/lib/libmcrypt.so.4

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/c5/699ec0c783a6055a7f983f9eb64146371eb2e6

Missing separate debuginfo for /usr/lib/libpng12.so.0

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/9e/65badd636c1f2e81682a8c498af098b5bbd063

Missing separate debuginfo for /usr/lib/libjpeg.so.62

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/05/6b2c6a8cb0b42dda3d57a1b5d3670ab99c83bd

Missing separate debuginfo for /usr/local/lib/libiconv.so.2

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/df/7400febafa74aeef81e48b638c9fde24cb2beb

Missing separate debuginfo for /usr/local/php/lib/php/extensions/no-debug-non-zts-20100525/redis.so

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/64/1aa8440943921a4d553e380282d15828f18377

Missing separate debuginfo for

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/fa/36da47e774d9bc5a739905887a5d25790090f7

Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.

Loaded symbols for /lib64/libcrypt.so.1

Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.

Loaded symbols for /lib64/libz.so.1

Reading symbols from /lib64/librt.so.1...(no debugging symbols found)...done.

Loaded symbols for /lib64/librt.so.1

Reading symbols from /usr/lib/libmcrypt.so.4...done.

Loaded symbols for /usr/lib/libmcrypt.so.4

Reading symbols from /usr/lib/libpng12.so.0...Missing separate debuginfo for /usr/lib/libpng12.so.0

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/9e/65badd636c1f2e81682a8c498af098b5bbd063.debug

(no debugging symbols found)...done.

Loaded symbols for /usr/lib/libpng12.so.0

Reading symbols from /usr/lib/libjpeg.so.62...Missing separate debuginfo for /usr/lib/libjpeg.so.62

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/05/6b2c6a8cb0b42dda3d57a1b5d3670ab99c83bd.debug

(no debugging symbols found)...done.

Loaded symbols for /usr/lib/libjpeg.so.62

Reading symbols from /usr/lib64/libcurl.so.4...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libcurl.so.4

Reading symbols from /lib64/libm.so.6...(no debugging symbols found)...done.

Loaded symbols for /lib64/libm.so.6

Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.

Loaded symbols for /lib64/libdl.so.2

Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...done.

Loaded symbols for /lib64/libnsl.so.1

Reading symbols from /usr/lib64/libxml2.so.2...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libxml2.so.2

Reading symbols from /usr/lib64/libssl.so.10...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libssl.so.10

Reading symbols from /usr/lib64/libcrypto.so.10...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libcrypto.so.10

Reading symbols from /usr/lib64/libfreetype.so.6...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libfreetype.so.6

Reading symbols from /usr/local/lib/libiconv.so.2...done.

Loaded symbols for /usr/local/lib/libiconv.so.2

Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.

Loaded symbols for /lib64/libc.so.6

Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.

Loaded symbols for /lib64/ld-linux-x86-64.so.2

Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.

Loaded symbols for /lib64/libresolv.so.2

Reading symbols from /usr/lib64/libfreebl3.so...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libfreebl3.so

Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.

[Thread debugging using libthread_db enabled]

Loaded symbols for /lib64/libpthread.so.0

Reading symbols from /lib64/libidn.so.11...(no debugging symbols found)...done.

Loaded symbols for /lib64/libidn.so.11

Reading symbols from /lib64/libldap-2.4.so.2...(no debugging symbols found)...done.

Loaded symbols for /lib64/libldap-2.4.so.2

Reading symbols from /lib64/libgssapi_krb5.so.2...(no debugging symbols found)...done.

Loaded symbols for /lib64/libgssapi_krb5.so.2

Reading symbols from /lib64/libkrb5.so.3...(no debugging symbols found)...done.

Loaded symbols for /lib64/libkrb5.so.3

Reading symbols from /lib64/libk5crypto.so.3...(no debugging symbols found)...done.

Loaded symbols for /lib64/libk5crypto.so.3

Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols found)...done.

Loaded symbols for /lib64/libcom_err.so.2

Reading symbols from /usr/lib64/libssl3.so...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libssl3.so

Reading symbols from /usr/lib64/libsmime3.so...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libsmime3.so

Reading symbols from /usr/lib64/libnss3.so...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libnss3.so

Reading symbols from /usr/lib64/libnssutil3.so...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libnssutil3.so

Reading symbols from /lib64/libplds4.so...(no debugging symbols found)...done.

Loaded symbols for /lib64/libplds4.so

Reading symbols from /lib64/libplc4.so...(no debugging symbols found)...done.

Loaded symbols for /lib64/libplc4.so

Reading symbols from /lib64/libnspr4.so...(no debugging symbols found)...done.

Loaded symbols for /lib64/libnspr4.so

Reading symbols from /usr/lib64/libssh2.so.1...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libssh2.so.1

Reading symbols from /lib64/liblber-2.4.so.2...(no debugging symbols found)...done.

Loaded symbols for /lib64/liblber-2.4.so.2

Reading symbols from /usr/lib64/libsasl2.so.2...(no debugging symbols found)...done.

Loaded symbols for /usr/lib64/libsasl2.so.2

Reading symbols from /lib64/libkrb5support.so.0...(no debugging symbols found)...done.

Loaded symbols for /lib64/libkrb5support.so.0

Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.

Loaded symbols for /lib64/libkeyutils.so.1

Reading symbols from /lib64/libselinux.so.1...(no debugging symbols found)...done.

Loaded symbols for /lib64/libselinux.so.1

Reading symbols from /usr/local/php/lib/php/extensions/no-debug-non-zts-20100525/redis.so...done.

Loaded symbols for /usr/local/php/lib/php/extensions/no-debug-non-zts-20100525/redis.so

Reading symbols from /usr/local/php/lib/php/extensions/no-debug-non-zts-20100525/networkbench.so...done.

Loaded symbols for /usr/local/php/lib/php/extensions/no-debug-non-zts-20100525/networkbench.so

Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols found)...done.

Loaded symbols for /lib64/libnss_files.so.2

Core was generated by `php-fpm: pool www                                                             '.

Program terminated with signal 7, Bus error.

#0  lex_scan (zendlval=0x7fff8083fae8) at Zend/zend_language_scanner.c:2265

2265 switch (yych) {

Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.23-15.el6.x86_64 freetype-2.3.11-14.el6_3.1.x86_64 glibc-2.12-1.149.el6_6.5.x86_64 keyutils-libs-1.4-5.el6.x86_64 krb5-libs-1.10.3-33.el6.x86_64 libcom_err-1.41.12-21.el6.x86_64 libcurl-7.19.7-40.el6_6.1.x86_64 libidn-1.18-2.el6.x86_64 libselinux-2.0.94-5.8.el6.x86_64 libssh2-1.4.2-1.el6.x86_64 libxml2-2.7.6-17.el6_6.1.x86_64 nspr-4.10.6-1.el6_5.x86_64 nss-3.16.1-14.el6.x86_64 nss-softokn-freebl-3.14.3-17.el6.x86_64 nss-util-3.16.1-3.el6.x86_64 openldap-2.4.39-8.el6.x86_64 openssl-1.0.1e-30.el6_6.4.x86_64 zlib-1.2.3-29.el6.x86_64

(gdb) bt

#0  lex_scan (zendlval=0x7fff8083fae8) at Zend/zend_language_scanner.c:1088

#1  0x00000000007ad730 in zendlex (zendlval=0x7fff8083fae0) at /root/oneshell-master/php-5.4.45/Zend/zend_compile.c:6545

#2  0x0000000000795aca in zendparse () at /root/oneshell-master/php-5.4.45/Zend/zend_language_parser.c:3471

#3  0x00000000007a2990 in compile_file (file_handle=0x7fff8083fe30, type=2) at Zend/zend_language_scanner.l:585

#4  0x000000000063255a in phar_compile_file (file_handle=0x7fff8083fe30, type=2) at /root/oneshell-master/php-5.4.45/ext/phar/phar.c:3414

#5  0x00000000007a20bb in compile_filename (type=2, filename=0x299d018) at Zend/zend_language_scanner.l:628

#6  0x00000000008156de in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x7f46209c6158) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:27443

#7  0x0000000000832c80 in execute (op_array=0x27b4158) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#8  0x00007f4614b27db6 in nb_execute (op_array=0x27b4158) at /tingyun/nbprof/nbprof.c:318

#9  0x00000000007c0e14 in zend_call_function (fci=0x7fff808401b0, fci_cache=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_execute_API.c:956

#10 0x00000000006d8ae5 in zif_call_user_func_array (ht=<value optimized out>, return_value=0x29733b0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>,

    return_value_used=<value optimized out>) at /root/oneshell-master/php-5.4.45/ext/standard/basic_functions.c:4754

#11 0x00007f4614b27cbe in nb_execute_internal (current_execute_data=0x7f46209c5f78, return_value_used=1) at /tingyun/nbprof/nbprof.c:403

#12 0x000000000083e643 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:645

#13 0x0000000000832c80 in execute (op_array=0x7f46209f8a70) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#14 0x00007f4614b27db6 in nb_execute (op_array=0x7f46209f8a70) at /tingyun/nbprof/nbprof.c:318

#15 0x00000000007c0e14 in zend_call_function (fci=0x7fff80840540, fci_cache=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_execute_API.c:956

#16 0x00000000007e41bf in zend_call_method (object_pp=0x0, obj_ce=<value optimized out>, fn_proxy=0x7f46209f6618, function_name=0xb02423 "__callstatic",

    function_name_len=<value optimized out>, retval_ptr_ptr=0x7fff80840668, param_count=2, arg1=0x29730a8, arg2=0x29735c0)

    at /root/oneshell-master/php-5.4.45/Zend/zend_interfaces.c:97

#17 0x00000000007efb39 in zend_std_callstatic_user_call (ht=<value optimized out>, return_value=0x2972f58, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>,

    return_value_used=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_object_handlers.c:1110

#18 0x00007f4614b27cbe in nb_execute_internal (current_execute_data=0x7f46209c5d88, return_value_used=0) at /tingyun/nbprof/nbprof.c:403

#19 0x000000000083e643 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:645

#20 0x0000000000832c80 in execute (op_array=0x304d188) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#21 0x00007f4614b27db6 in nb_execute (op_array=0x304d188) at /tingyun/nbprof/nbprof.c:318

#22 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#23 0x0000000000832c80 in execute (op_array=0x2831020) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#24 0x00007f4614b27db6 in nb_execute (op_array=0x2831020) at /tingyun/nbprof/nbprof.c:318

#25 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#26 0x0000000000832c80 in execute (op_array=0x27a48a0) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#27 0x00007f4614b27db6 in nb_execute (op_array=0x27a48a0) at /tingyun/nbprof/nbprof.c:318

#28 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#29 0x0000000000832c80 in execute (op_array=0x27a25b8) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#30 0x00007f4614b27db6 in nb_execute (op_array=0x27a25b8) at /tingyun/nbprof/nbprof.c:318

#31 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#32 0x0000000000832c80 in execute (op_array=0x2832410) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#33 0x00007f4614b27db6 in nb_execute (op_array=0x2832410) at /tingyun/nbprof/nbprof.c:318

---Type <return> to continue, or q <return> to quit---

#34 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#35 0x0000000000832c80 in execute (op_array=0x282c1e0) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#36 0x00007f4614b27db6 in nb_execute (op_array=0x282c1e0) at /tingyun/nbprof/nbprof.c:318

#37 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#38 0x0000000000832c80 in execute (op_array=0x2896bb8) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#39 0x00007f4614b27db6 in nb_execute (op_array=0x2896bb8) at /tingyun/nbprof/nbprof.c:318

#40 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#41 0x0000000000832c80 in execute (op_array=0x286ced8) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#42 0x00007f4614b27db6 in nb_execute (op_array=0x286ced8) at /tingyun/nbprof/nbprof.c:318

#43 0x00000000007c0e14 in zend_call_function (fci=0x7fff80841170, fci_cache=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_execute_API.c:956

#44 0x000000000064ad3f in zim_reflection_method_invoke (ht=<value optimized out>, return_value=0x288e4e8, return_value_ptr=<value optimized out>, this_ptr=0x2859330,

    return_value_used=<value optimized out>) at /root/oneshell-master/php-5.4.45/ext/reflection/php_reflection.c:2898

#45 0x00007f4614b27cbe in nb_execute_internal (current_execute_data=0x7f46209c0530, return_value_used=0) at /tingyun/nbprof/nbprof.c:403

#46 0x000000000083e643 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:645

#47 0x0000000000832c80 in execute (op_array=0x27a5a58) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#48 0x00007f4614b27db6 in nb_execute (op_array=0x27a5a58) at /tingyun/nbprof/nbprof.c:318

#49 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#50 0x0000000000832c80 in execute (op_array=0x27a5b58) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#51 0x00007f4614b27db6 in nb_execute (op_array=0x27a5b58) at /tingyun/nbprof/nbprof.c:318

#52 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#53 0x0000000000832c80 in execute (op_array=0x27b66a0) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#54 0x00007f4614b27db6 in nb_execute (op_array=0x27b66a0) at /tingyun/nbprof/nbprof.c:318

#55 0x000000000083ed94 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:673

#56 0x0000000000832c80 in execute (op_array=0x7f46209f4108) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#57 0x00007f4614b27e84 in nb_execute (op_array=0x7f46209f4108) at /tingyun/nbprof/nbprof.c:318

#58 0x0000000000816a9c in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7f46209bd318) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:2650

#59 0x0000000000832c80 in execute (op_array=0x7f46209f35b8) at /root/oneshell-master/php-5.4.45/Zend/zend_vm_execute.h:410

#60 0x00007f4614b27dff in nb_execute (op_array=0x7f46209f35b8) at /tingyun/nbprof/nbprof.c:318

#61 0x00000000007cc5ae in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/oneshell-master/php-5.4.45/Zend/zend.c:1329

#62 0x000000000077221e in php_execute_script (primary_file=0x7fff80845fc0) at /root/oneshell-master/php-5.4.45/main/main.c:2502

#63 0x000000000087b34e in main (argc=<value optimized out>, argv=<value optimized out>) at /root/oneshell-master/php-5.4.45/sapi/fpm/fpm/fpm_main.c:1938

(gdb)

 

发现 php的lex_scan执行的时候崩溃了,通过搜索明白是某php正在被词法分析的时候又被修改了。

最后确定是TinkPHP开启调试模式后,模板是动态编译的,这样当有并发访问的时候就发生了php文件又在被解析,又在被写入的情况导致lex_scan的时候php-fpm就挂掉了。

当有并发的时候关闭调试模式即可解决

也算是见识了php程序的问题可以让php-fpm进程都挂掉

参考

提供SIGABRT的 backtrace ,如何提供backtrace, 请参看:

http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Generating core-dump for php5-fpm

https://rtcamp.com/tutorials/php/core-dump-php5-fpm/

对nginx报502bad gateway的一次原因定位

http://blog.chunshiban.com/2013/07/05/%E5%AF%B9nginx%E6%8A%A5502bad-gateway%E7%9A%84%E4%B8%80%E6%AC%A1%E5%8E%9F%E5%9B%A0%E5%AE%9A%E4%BD%8D/

一例php进程的SIGBUS故障

http://blog.druggo.org/post/2013/05/02/%E4%B8%80%E4%BE%8Bphp%E8%BF%9B%E7%A8%8B%E7%9A%84SIGBUS%E6%95%85%E9%9A%9C

低并发502错误signal 7 (SIGBUS)

http://kokahkhk.blog.163.com/blog/static/209428040201411595622729/

压力测试下httpd进程由于lex_scan和Runtime缓存文件而崩溃

http://www.thinkphp.cn/topic/27464.html

php进程崩溃跟踪方法

http://blog.chinaunix.net/uid-23504396-id-4819011.html

by ·8条评论

缘由

PHP Multipartform-data远程DOS攻击漏洞,恶意构造的请求会导致服务器的cpu使用率达到100%。
全版本受影响,危害严重。请尽快修复漏洞。

受影响的软件及系统:

PHP 5.0.0 – 5.0.5
PHP 5.1.0 – 5.1.6
PHP 5.2.0 – 5.2.17
PHP 5.3.0 – 5.3.29
PHP 5.4.0 – 5.4.40
PHP 5.5.0 – 5.5.24
PHP 5.6.0 – 5.6.8

未受影响的软件及系统:

PHP 5.4.41
PHP 5.5.25
PHP 5.6.9
以下是百度同学的源码漏洞分析
PHP multipart/form-data 远程DOS漏洞 {:target=”_blank“}

更新到官网最新版本得到修复

http://php.net/ChangeLog-5.php#5.4.41
http://php.net/ChangeLog-5.php#5.5.25
http://php.net/ChangeLog-5.php#5.6.9

官网的漏洞报告和讨论

Sec Bug #69364 PHP Multipart/form-data remote dos Vulnerability{:target=”_blank“}
内容摘抄
鸟哥也在关注这个漏洞哟
[2015-05-15 05:37 UTC] laruence@php.net
does this needs a CVE id?
有人问 php5.3.x系列的修复呢?
[2015-05-19 03:04 UTC] welpher dot yu at gmail dot com
what about 5.3?
官方回答请看php版本支持信息
[2015-05-19 03:47 UTC] stas@php.net
5.3 is EOL since last year: http://php.net/supported-versions.php

php版本支持信息 {:target=”_blank“}中我们看到 php5.3支持已经过期了,也就是就算是有严重bug官方也不会修复php5.3.x系列了.
php5.3.x系列的最终版是php5.3.29

总结

如果你线上使用的是 php5.4.x or php5.5.x or php5.6.x请升级到官网最新版本
如果你使用的是php5.3.29 or php5.3.x 建议升级到 php5.4.41
其中php升级带来的代码兼容问题请结合自己的项目参考官方文档进行升级

如果是php5.3.x系列想停留在现在的版本,的自己修改php源码,修复本漏洞.

php5.3.29的民间补丁

https://coding.net/u/simapple/p/oldphppatch/git

下载里面的补丁到php源码目录,然后执行

php5.3.x

patch p1 < ./php5.3patch

php5.2.x

patch p1 < ./php5.2patch

重新编译即可

 

在线检查工具

紧急安全通告在线检查-绿盟{:target=”_blank“}

by ·0评论

0x00 实验目的

根据文章”PHP绕过open_basedir列目录的研究”通过测试不同的配置验证本文的绕过basedir的方法是否有效,从而安全配置php open_basedir的目的.
文中后面几个方法都是windwos下采用枚举的方式列出目录,linux下需要做暴力猜解的方式才可以,所以不做测试.

测试”DirectoryIterator + Glob”方式是否可以绕过open_basedir
测试webshell工具”菜刀”是否可以绕过open_basedir

0x01 实验环境

nginx + PHP 5.6.7 fastcgi模式, centos7 linux
目前配置open_basedir有三处地方php-fpm.conf,nginx fastcgi_param,php.ini
下面逐一测试

0x02 测试详细

只在php-fpm.conf中配置

php_admin_value[open_basedir]=/home/wwwroot/:/proc/:/tmp/

结果

open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件

当前open_basedir
open_basedir : /home/wwwroot/:/proc/:/tmp/

-- DirectoryIterator + Glob --.
..
.autorelabel
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
vagrant
var

菜刀不可跨出basedir

 

只在nginx的fastcgi_param配置

# set php open_basedir
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";

这里的”$document_root”是nginx中的变量,为nginx的每个server里的root目录
比如server www.iamle.com配置的root目录为/home/wwwroot/www.iamle.com

认真读php手册有下面这段话
PHP配置值通过 php_value 或者 php_flag 设置,并且会覆盖以前的值。
请注意 disable_functions 或者 disable_classes 在 php.ini 之中定义的值不会被覆盖掉,但是会将新的设置附加在原有值的后面。
使用 php_admin_value 或者 php_admin_flag 定义的值,不能被 PHP
代码中的 ini_set() 覆盖。自 5.3.3 起,也可以通过 web 服务器设置
PHP 的设定。也就是nignx中fastcgi_param配置php的配置
php_flag用来专门设置布尔值,如on, off, 1, 0, true, false, yes, no,
而php_value用来设置所有类型的值

结果和上面一样

open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件

菜刀不可跨出basedir

 

只在php.ini配置

[HOST=www.iamle.com]
open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/
[PATH=/home/wwwroot/www.iamle.com/]
open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/

意思是当HOST=www.iamle.com设置open_basedir,当PATH=/home/wwwroot/www.iamle.com/

设置open_basedir,我测试的时候2个任意设置一个都是有效的

结果和上面一样

open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件

菜刀不可跨出basedir

 

0x03 个人结论

DirectoryIterator + Glob的方式可以列出php服务器上所有文件,看似没什么危害,实际上对于长期的APT绝对有帮助.
open_basedir不是想象的那么安全,说不定别人手上有甚至有能读写open_basedir的0day

0x04 个人推荐的nginx + php(fastcgi fpm-php)(lnmp) open_basedir的配置

先设置fpm-php中pool池中的总open_basedir这叫顶层设计,有个总限制,比如统一限制到/home/wwwroot/这样的web目录下
再对nginx中单个server 通过 fastcgi_param PHP_ADMIN_VALUE 设置
再对php.ini设置 [HOST=XXX] [PATH=XXX]
三管齐下妈妈再也不用担心我的php open_basedir了(希望吧)
虽然很啰嗦,但是这样岂不是更放心
总而言之就是下面的结果,我就是下面这种啰嗦的配置

 

#在php-fpm.conf对应的pool池中行尾配置
php_admin_value[open_basedir]=/home/wwwroot/:/proc/:/tmp/

#在nginx fastcgi fastcgi_param配置
#这里用$document_root是一种取巧的方法,也可以设置绝对路径
# set php open_basedir
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";

#在php.ini行尾配置
[HOST=www.iamle.com]
open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/
[PATH=/home/wwwroot/www.iamle.com/]
open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/

 

测试中还发现这三个地方配置的优先级如下

“php.ini” > “nginx fastcgi fastcgi_param” > “php-fpm.conf”

 

如果有错误欢迎大家留言斧正,感谢!

 

0x05 参考文档

PHP绕过open_basedir列目录的研究
open_basedir bypass exploit
php-fpm.conf 全局配置段
php.ini HOST PATH配置

by ·2条评论

流传的移除XSS攻击的php函数

The goal of this function is to be a generic function that can be used to parse almost any input and render it XSS safe. For more information on actual XSS attacks, check out http://ha.ckers.org/xss.html. Another excellent site is the XSS Database which details each attack and how it works.

<?php
/**
 * Usage: Run *every* variable passed in through it.
 * The goal of this function is to be a generic function that can be used to
 * parse almost any input and render it XSS safe. For more information on
 * actual XSS attacks, check out http://ha.ckers.org/xss.html. Another
 * excellent site is the XSS Database which details each attack and how it
 * works.
 *
 * Used with permission by the author.
 * URL: http://quickwired.com/smallprojects/php_xss_filter_function.php
 *
 * License:
 * This code is public domain, you are free to do whatever you want with it,
 * including adding it to your own project which can be under any license.
 *
 * $Id: RemoveXSS.php 2663 2007-11-05 09:22:23Z ingmars $
 *
 * @author	Travis Puderbaugh <kallahar@quickwired.com>
 * @package RemoveXSS
 */
class RemoveXSS {

	/**
	 * Wrapper for the RemoveXSS function.
	 * Removes potential XSS code from an input string.
	 *
	 * Using an external class by Travis Puderbaugh <kallahar@quickwired.com>
	 *
	 * @param	string		Input string
	 * @return	string		Input string with potential XSS code removed
	 */
	function RemoveXSS($val)	{
		// remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
		// this prevents some character re-spacing such as <java\0script>
		// note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
		$val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val);

		// straight replacements, the user should never need these since they're normal characters
		// this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
		$search = 'abcdefghijklmnopqrstuvwxyz';
		$search.= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
		$search.= '1234567890!@#$%^&*()';
		$search.= '~`";:?+/={}[]-_|\'\\';

		for ($i = 0; $i < strlen($search); $i++) {
			// ;? matches the ;, which is optional
			// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars

			// &#x0040 @ search for the hex values
			$val = preg_replace('/(&#[x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
			// &#00064 @ 0{0,7} matches '0' zero to seven times
			$val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
		}

		// now the only remaining whitespace attacks are \t, \n, and \r
		$ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
		$ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
		$ra = array_merge($ra1, $ra2);

		$found = true; // keep replacing as long as the previous round replaced something
		while ($found == true) {
			$val_before = $val;
			for ($i = 0; $i < sizeof($ra); $i++) {
				$pattern = '/';
				for ($j = 0; $j < strlen($ra[$i]); $j++) {
					if ($j > 0) {
						$pattern .= '(';
						$pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?';
						$pattern .= '|(&#0{0,8}([9][10][13]);?)?';
						$pattern .= ')?';
					}
					$pattern .= $ra[$i][$j];
				}
				$pattern .= '/i';
				$replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
				$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
				if ($val_before == $val) {
					// no replacements were made, so exit the loop
					$found = false;
				}
			}
		}

		return $val;
	}
}

?>

 

Discuz系统中 防止XSS漏洞攻击,过滤HTML危险标签属性的PHP函数

//屏蔽html
function checkhtml($html) {
	$html = stripslashes($html);
	if(!checkperm('allowhtml')) {

		preg_match_all("/<([^<]+)>/is", $html, $ms);

		$searchs[] = '<';
		$replaces[] = '<';
		$searchs[] = '>';
		$replaces[] = '>';

		if($ms[1]) {
			$allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br
						|p|b|strong|i|u|em|span|ol|ul|li|blockquote
						|object|param|embed';//允许的标签
			$ms[1] = array_unique($ms[1]);
			foreach ($ms[1] as $value) {
				$searchs[] = "<".$value.">";
				$value = shtmlspecialchars($value);
				$value = str_replace(array('\','/*'), array('.','/.'), $value);
				$skipkeys = array(
						'onabort','onactivate','onafterprint','onafterupdate',
						'onbeforeactivate','onbeforecopy','onbeforecut',
						'onbeforedeactivate','onbeforeeditfocus','onbeforepaste',
						'onbeforeprint','onbeforeunload','onbeforeupdate',
						'onblur','onbounce','oncellchange','onchange',
						'onclick','oncontextmenu','oncontrolselect',
						'oncopy','oncut','ondataavailable',
						'ondatasetchanged','ondatasetcomplete','ondblclick',
						'ondeactivate','ondrag','ondragend',
						'ondragenter','ondragleave','ondragover',
						'ondragstart','ondrop','onerror','onerrorupdate',
						'onfilterchange','onfinish','onfocus','onfocusin',
						'onfocusout','onhelp','onkeydown','onkeypress',
						'onkeyup','onlayoutcomplete','onload',
						'onlosecapture','onmousedown','onmouseenter',
						'onmouseleave','onmousemove','onmouseout',
						'onmouseover','onmouseup','onmousewheel',
						'onmove','onmoveend','onmovestart','onpaste',
						'onpropertychange','onreadystatechange','onreset',
						'onresize','onresizeend','onresizestart',
						'onrowenter','onrowexit','onrowsdelete',
						'onrowsinserted','onscroll','onselect',
						'onselectionchange','onselectstart','onstart',
						'onstop','onsubmit','onunload','javascript',
						'script','eval','behaviour','expression',
						'style','class'
					);
				$skipstr = implode('|', $skipkeys);
				$value = preg_replace(array("/($skipstr)/i"), '.', $value);
				if(!preg_match("/^[/|s]?($allowtags)(s+|$)/is", $value)) {
					$value = '';
				}
				$replaces[] = empty($value)?'':"<".str_replace('"', '"', $value).">";
			}
		}
		$html = str_replace($searchs, $replaces, $html);
	}
	$html = addslashes($html);

	return $html;
}

 

by ·8条评论

我们知道apache php mod的方式可以很方便的配置 open_basedir 限制各个站点的目录访问权限。

nginx + php-fpm fastcgi的方式需要这样做。

首先php的版本必须大于等于php5.3.3。

总限制 通过php-fpm.conf限制

在php-fpm.conf配置文件当中可以增加如下参数

env[TMP] = /tmp/
env[TMPDIR] = /tmp/
env[TEMP] = /tmp/
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f webmaster@qq.com
php_admin_value[open_basedir] = /home/wwwroot/:/tmp/:/var/tmp:/proc/
php_admin_value[session.save_path] = /tmp/
php_admin_value[upload_tmp_dir] = /tmp/
slowlog = /usr/local/php/var/log/$pool.log
request_slowlog_timeout = 3s

可以配置env,php_admin_value。

那么配置

php_admin_value[open_basedir] = /home/wwwroot/:/tmp/:/var/tmp:/proc/

就可以把整个php脚本的访问目录控制住了。

如果方法1 方法2 方法3未配置的情况下,那么open_basedir的值就为本设置的值,如果方法1 方法2 方法3设置了,那么就是新设置的值。

另外的我这里打开了php慢执行。

slowlog 写保存路径,request_slowlog_timeout写时间。

更多的请看php官网手册 http://www.php.net/manual/en/install.fpm.configuration.php

 

方法1 在nginx 配置 fastcgi_param参数

在nginx的 php配置中 或者 在  包含的 include fastcgi.conf 文件中加入:

fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";

$document_root php文档根目录,就是 nginx 配置项 root 配置的网站目录。

/tmp/目录需要有权限,默认放seesion的位置,以及unixsock。

/proc/ 可以让php查看系统负载信息。

本方法加的各个vhost 虚拟主机,都可以完美使用。都限制到自己的网站目录下。

非常推荐使用, 总限制 + 方法1 这样的组合配置方式!!!!!

方法2 在php.ini 中配置

在php.ini的末尾加入:

[HOST=www.iamle.com]
open_basedir=/home/wwwroot/www.iamle.com:/tmp/:/proc/
[PATH=/home/wwwroot/www.iamle.com]
open_basedir=/home/wwwroot/www.iamle.com:/tmp/:/proc/

本方法的弊端,如果有泛域名解析,比如 *.iale.com 。这个就不好控制。

 

方法3  网站根目录下增加 .user.ini  文件。

在php.ini中找到user_ini.filename 、 user_ini.cache_ttl 去掉前面的分号。

; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
user_ini.filename = ".user.ini"

; To disable this feature set this option to empty value
;user_ini.filename =

; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
user_ini.cache_ttl = 300

 

在网站根目录下创建.user.ini 加入:

open_basedir=/home/wwwroot/www.iamle.com:/tmp/:/proc/

这种方式不需要重启nginx或php-fpm服务。

特别注意,需要取消掉.user.ini文件的写权限,这个文件只让最高权限的管理员设置为只读。

方法1设置后,.user.ini的设置就不起作用了。
关于.user.ini文件的详细说明:
http://php.net/manual/zh/configuration.file.per-user.php