Project

General

Profile

Actions

Todo #12004

closed

Disable PCRE JIT to work around PHP PCRE crashes on multi-core 32-bit ARM systems

Added by Jim Pingle 4 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
PHP Interpreter
Target version:
Start date:
06/07/2021
Due date:
% Done:

100%

Estimated time:
Release Notes:
Default

Description

Currently, PHP crashes on multi-core 32-bit ARM systems (SG-3100) with certain PCRE calls, as documented on #11466, #11605, and #11551.

Disabling PCRE JIT works around the crashes, but is not a permanent solution to the problem.

The attached patch disables PCRE JIT and can be applied to affected systems using the System Patches package to work around the problem until a proper long-term fix is identified.

I have already committed a variation of the patch which specifically disables JIT only on multi-core 32-bit ARM systems, this issue is for tracking and so it can be shown in release notes.

When using the System Patches package to apply the fix, use the direct URL to download the patch file: https://redmine.pfsense.org/attachments/download/3715/patch-disable-pcrejit-arm.diff . After fetching and applying the patch, reboot the unit.


Files

patch-disable-pcrejit-arm.diff (493 Bytes) patch-disable-pcrejit-arm.diff Jim Pingle, 06/07/2021 07:59 AM

Related issues

Related to Bug #11466: PHP exits with signal 11 on SG-3100 when calling PCRE functionsClosedJim Pingle02/19/2021

Actions
Actions #1

Updated by Jim Pingle 4 months ago

  • Description updated (diff)
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle 4 months ago

  • Related to Bug #11466: PHP exits with signal 11 on SG-3100 when calling PCRE functions added
Actions #3

Updated by Jim Pingle 4 months ago

Packages and other scripts could use ini_set("pcre.jit", "0"); to disable PCRE JIT on systems without the patch to avoid the problem on unpatched systems until the next update.

Actions #4

Updated by Jim Pingle 4 months ago

  • Description updated (diff)
Actions #5

Updated by Jim Pingle 3 months ago

  • Description updated (diff)
Actions #6

Updated by Steve Wheeler 2 months ago

Testing against the current 21.09 snapshot the disable-pcrejit patch is no longer required.

21.09-DEVELOPMENT (arm)
built on Thu Jul 22 01:10:26 EDT 2021
FreeBSD 12.2-STABLE

That patch is in that snapshot but after reverting it the following test code returns successfully.

$rule1 = 'alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;)';

$matches = array();

if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule1, $matches))
      $msg = trim($matches[1]);
if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule1, $matches))
      $sid = trim($matches[1]);
if (preg_match('/\bgid\s*:\s*(\d+)\s*;/i', $rule1, $matches))
      $gid = trim($matches[1]);
if (preg_match('/\brev\s*:\s*([^\;]+)/i', $rule1, $matches))
      $rev = trim($matches[1]);
if (preg_match('/\bclasstype\s*:\s*([^\;]+)/i', $rule1, $matches))
      $classtype = trim($matches[1]);

print $msg . "\n";
print $sid . "\n";
print $gid . "\n";
print $rev . "\n";
print $classtype . "\n";

That code coredumps PHP in 21.05 without the patch.

Actions #7

Updated by Jim Pingle 2 months ago

I reverted the relevant commits since this is no longer necessary.

Actions #8

Updated by Jim Pingle about 2 months ago

  • Target version changed from 21.09 to 21.05.1
Actions

Also available in: Atom PDF