PHP Hangs On Numeric Value 2.2250738585072011e-308

102 comments

1. This doesn’t effect PHP 4, at least not the build I am running, it’s a bit old on this machine.

   PHP 4.4.9 (cli) (built: Sep 17 2008 16:31:15)

2. tried it on PHP Version 5.3.2-1ubuntu4.5 does not seem to be affected either.

3. PHP 5.3.3 (cli) (built: Aug 22 2010 19:41:55) everything works fine.

4. Hangs on: Debian PHP 5.3.3-6 with Suhosin-Patch (cli) (built: Dec 7 2010 18:23:49)

5. Bug appearing at my Core 2 Duo / Win7 / PHP 5.3.0.

   This is *really* serious. In fact, I’ve just tested if the problem happens for GET passed values and it does. Not all the passed data to a website is treated as a number, so not all websites with the PHP versions and configuration that could fail with this bug will be vulnerable, but definitely there is going to be a huge amount of websites that will do. This is really scaring.

   I hope the PHP team patch it soon.

   Meanwhile, a possible workaround would be adding this line at the very top of the execution of php website:

   if (strpos(str_replace(‘.’, ”, serialize($GLOBALS)), ‘22250738585072011’)!==false) die();

   This will stop execution if any decimal version of the number were passed as parameter. Note that 222.50738585072011e-310 cause problems too, and any of the other possibilities to write it.

   Do you know if there are any other possible ways to write the number that causes trouble too?

6. As a reference, this very bug is being discussed in Hacker News:
   http://news.ycombinator.com/item?id=2066084

7. PHP 5.3.3-1ubuntu9.1 with Suhosin-Patch appears to have the problem, on my Ubuntu 10.10 machine. Interesting!

8. Running PHP 5.3.3, and tested that code with not problems !
   Result: 2.2250738585072E-308

9. PHP 5.2.16 under suphp is apparently not affected.

10. Many people are reporting different PHP versions and saying whether the problem manifests there or not.

    The relevant variable is actually the CPU architecture.

    On 32-bit systems (i386), it freezes (PHP 5.2.x and 5.3.x). On 64-bit systems (i686, amd64), it does not.

11. Pingback: PHP Hangs On Numeric Value 2.2250738585072011e-308 – Exploring Binary | Harald Nesland

12. Confirmed the 32 bit issue:
    PHP 5.3.2-1ubuntu4.5 hangs in a 32 bit system.
    PHP 5.3.2-1ubuntu4.5 does not hang in a 64 bit system.

13. I can reproduce this on 5.3.2 running on Ubuntu 10.04.1 on a 32 bit machine.

14. You received answers, no fix yet but you can’t say you did get any response yet to your bug report.

15. Confirmed to affect i386 (32-bit) FreeBSD 6.x, 7.x, and 8.x with any PHP 5.x.x version, built from ports. CGI vs. CLI doesn’t matter.

    Issue does not affect 64-bit FreeBSD (6.x, 7.x, or 8.x) using PHP 5.x.x.

    You can attempt to reproduce the issue via CLI by doing:

    php -r ‘$d = 2.2250738585072011e-308;’

    I should note that the infinite loop does result in PHP wedging to the point of it taking 100% CPU time. I did not have the time nor desire to run it under gdb and debug this utter nonsense.

16. On 64 bit archlinux (core 2 duo), I confirm that the following version is not affected:
    PHP 5.3.4 with Suhosin-Patch (cli) (built: Dec 16 2010 21:08:08)

17. This doesn’t effect PHP 4, at least not the build I am running, it’s a bit old on this machine.

18. For those on 64-bit machines, won’t the equivalent (much larger) 64 bit value likely result in the same bug?

19. @RoundSparrow: This is a 64-bit double. I don’t believe 64-bit architectures have 128-bit doubles, if they do then the value you may wish to try will be around 1.189731495357231765085759326628007 e-4932.

20. doesnt hang on PHP Version 5.2.8 XAMPP – Ubuntu

21. Does not hang http://www.php.net/cal.php?id=222.50738585072011e-310 🙁

22. > On 32-bit systems (i386), it freezes (PHP 5.2.x and 5.3.x).

    Despite this being a 32-bit (Atom N270) it doesn’t hang on the said problem.

    $ php -r “var_dump(2.2250738585072011e-308);”
    float(2.22507385851E-308)
    $ php -r “\$d = ‘2.2250738585072011e-308’; echo \$d + 0;”
    2.22507385851E-308
    php -r “var_dump((float) ‘2.2250738585072011e-308’);”
    float(2.22507385851E-308)

    $ php -v
    PHP 5.2.10-2ubuntu6.3 with Suhosin-Patch 0.9.7 (cli) (built: Nov 26 2009 14:42:49)
    Copyright (c) 1997-2009 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
    $ uname -a
    Linux mobile 2.6.31-17-generic #55~ppa7~loms~karmic-Ubuntu SMP Thu Jan 21 13:37:20 UTC 2010 i686 GNU/Linux

    Any ideas?

23. http://news.ycombinator.com/item?id=2066352

    > Follow-up: PROBLEM SOLVED.
    > This problem occurs due to IA-32’s 80-bit floating point arithmetic. The simple fix: add a “-ffloat-store” flag to your CFLAGS.
    > The problematic function, zend_strtod, seems to parse the mantissa (2.225…011 part) and the exponent (-308 part) separately, calculate the approximation of m*10^e and successively improve that approximation until the error becomes less than 0.5ulp. The problem is that this particular number causes the infinite loop (i.e. the iteration does not improve the error at all) in 80-bit FP, but does not in 64-bit FP. Since x86-64 in general uses the SSE2 instruction set (with 64-bit FP) instead of the deprecated x87 it does not have this problem.

24. Works fine for me (PHP 5.2.10 w/ suhosin patch, ubuntu 9.10, on Intel P4)

25. I got:
    PHP 5.3.3-6 with Suhosin-Patch (cli) (built: Dec 7 2010 18:23:49)
    Copyright (c) 1997-2009 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
    On a debian 64 bit install with latest updates etc.
    And it does hang my system!
    The funny thing is, i ALSO get the bug when using string (GET/POST) functions.
    It doesn’t really affect the whole domain though, apache kills php after a timeout and restarts it, the website stays available to others browsing at that moment. It just jumps to 100% CPU usage on 1 core for a sec.
    Still, badass weird bug, I wonder if they’re accidentally using a 1 to MAX_INTEGER+1 value system instead of 0 to MAX_INTEGER, causing it to overflow somehow ..
    Only wild guesses here.

    Still, nice finding!

26. @Pierre,

    I hadn’t gotten a response as of the time I published this article, but I see there are some now.

27. Does NOT hang on a 32bit Ubuntu 8.04.4, dual AMD Opteron 246.

28. Forgot to add: PHP 5.2.4-2ubuntu5.12 with Suhosin-Patch 0.9.6.2 (cli) (built: Sep 20 2010 13:18:10)

29. 32bit only then?

30. Does not hang on php 5.2.13 on 64 bit RHEL 5.4

31. BUG CONFIRMED on:

    Operating system: Windows NT 6.0 build 6002 i586 (Windows Vista)

    Web server: Apache/2.2.11 (Win32) PHP/5.2.8

    Server SAPI: apache2handle

    Server modules: core, mod_win32, mpm_winnt, http_core, mod_so, mod_actions, mod_alias, mod_asis, mod_auth_basic, mod_authn_default, mod_authn_file, mod_authz_default, mod_authz_groupfile, mod_authz_host, mod_authz_user, mod_autoindex, mod_cgi, mod_deflate, mod_dir, mod_env, mod_expires, mod_include, mod_isapi, mod_mime, mod_negotiation, mod_rewrite, mod_setenvif, mod_php5

    PHP version: 5.2.8

    Zend engine version: 2.2.0

    PHP extensions: bcmath, calendar, com_dotnet, ctype, session, filter, ftp, hash, iconv, json, odbc, pcre, Reflection, date, libxml, standard, tokenizer, zlib, SimpleXML, dom, SPL, wddx, xml, xmlreader, xmlwriter, apache2handler, bz2, curl, dba, dbase, fdf, gd, gettext, gmp, imap, interbase, ldap, mbstring, mcrypt, mhash, mime_magic, ming, mysql, mysqli, openssl, PDO, PDO_Firebird, pdo_mysql, PDO_ODBC, pdo_sqlite, shmop, snmp, soap, sockets, SQLite, tidy, xmlrpc, xsl, zip, exif, xdebug

    Tested on a simple login form. This is apparently very real, and (subsequently) very serious! I can’t believe how severe the potential consequences are, now that the whole of the Internet knows about it.

32. Report as a bug to PHP team. Highlight as a security issue. Very simple to patch.

33. NOT affect PHP 5.3.3-1ubuntu9.1 with Suhosin-Patch (cli) (built: Oct 15 2010 14:00:18)

34. Have you tried it on more than one PC? Sounds like a processor glitch – and could be a design flaw in an arithmetic processor. If it works elsewhere, could be.

35. I’m running WAMP with PHP 5.3.0 and experience the hanging of the php =) Very strange. It does not however “bring down a Web server”. It’s just that request that hangs apparantly. I don’t know how long. I reloaded the page after +- 10 seconds.

36. So, um, I’d be interested to know what led you to write that statement in the first place?

37. PHP 5.2 does not seem to hang on Ubuntu 8.10 64bit, however the value is rounded to only 11 decimal places on my system:

    john@context$ php -r’$d = 2.2250738585072011e-308;echo $d.”\n”;’
    2.22507385851E-308
    john@context$ php –version
    PHP 5.2.10-2ubuntu6 with Suhosin-Patch 0.9.7 (cli)

38. @dB,

    I’m writing an article about subnormal floating-point numbers and I was playing with the numbers at the “edges.”

39. @RC,

    Yes, all variations of the exponent seem to cause it, like

    .22250738585072011e-307
    22.250738585072011e-309
    22250738585072011e-324

    etc.

40. [2011-01-02 15:49 UTC] pajoye@php.net

    1st reaction to your bug report, that’s before this blog post, which not that god for security related issue by the way.

    It should have been better to wait the fix before going wild and publish it like that 🙂

    Cheers,

41. s,god,good, lapsus 😉

42. Pingback: fieser Bug in PHP 5.3 | davblog: webdev and stuff

43. Awesome. Very interesting

44. @Pierre,

    Yes, technically, “can you take a look at it please?” is a response; but maybe a real response would have been “we can confirm this happens” or “this could be serious” or “this is a security issue”. I have minimal knowledge of PHP — I don’t see how I could have made that determination myself.

45. Pingback: Serious PHP Bug could lead to Server Crashes « Hacked

46. cthulhu:~$ php -r “var_dump(2.2250738585072011e-308);”
    float(2.2250738585072E-308)
    cthulhu:~$ uname -a
    FreeBSD * 7.1-STABLE FreeBSD 7.1-STABLE #2: Sun Jan 18 15:34:54 CST 2009 root@*:/usr/obj/usr/src/sys/CTHULHU amd64
    cthulhu:~$ php -v
    PHP 5.2.12 with Suhosin-Patch 0.9.7 (cli) (built: Jan 12 2010 19:21:18)

47. Does not affect:

    # uname -a
    Linux 2.6.32-27-server #49-Ubuntu SMP Thu Dec 2 02:05:21 UTC 2010 x86_64 GNU/Linux

    # php -v
    PHP 5.3.4 (cli) (built: Dec 12 2010 10:49:53)

48. crashes

    Linux 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19 UTC 2010 i686 GNU/Linux

49. Pingback: PHP floating point bug | up4b.com

50. I copied the number into reddit’s search to find posts about it, and now reddit is down.

    Am I being paranoid, or did that break the server? I didn’t mean to oh god oh god

    I don’t want to go to jail.

51. no Josh, that is called a “string”

    reddit being down is not a once in a lifetime event

52. I thought perhaps their server attempts to convert it’s search input into an integer for some reason. The coincidence was just too bizarre.

53. Great find. It’s shocking this hasn’t been noted prior considering just how long it may have been in the wold. Lets hope for a quick fix.

54. Pingback: PHP hangs when you tell it to do something with the number 2 « Notes from the Library

55. @Rick Regan

    Consider that we do that already, if it was not reproduceable or not a real bug (bogus), it would have been closed in the 1st place.

    About the security part, right, but that’s rather obvious in this case (endless loop.

    btw, fix has reach SVN already, see the bug report for the links 🙂

56. PHP Version 5.2.6-1+lenny9 (32-bit)

    Not effected.

57. @Pierre,

    OK. But in the future, please consider changing your “no news is bad news” policy.

58. Apache/2.2.15 (Win32)
    PHP/5.2.13
    Windows XP SP3
    Athlon XP 2600+

    I’m experiencing this bug as well.

59. We have slapped together a quick workaround.

    Have to use substring-search because “2.2250738585072011e-308” could also be spelled “02.2250738585072011e-308” or “002.2250738585072011e-308” etc.

    Quick workaround can be found here:
    http://www.aircraft24.com/en/info/php-float-dos-quickfix.htm

60. @Rafi,

    What about variations on the placement of the decimal point, like 222.50738585072011e-310? What about superfluous leading zeros in the exponent, like 2.2250738585072011e-0308? Your script doesn’t handle those.

61. Pingback: Chat-Thread - Seite 1634 - XHTMLforum

62. @Rick Regan

    You wrote:
    > Your script doesn’t handle those.

    It does. It searches for the substring ‘50738585072011e’ in all user-request vars.

63. @Rafi,

    Yes, I was wrong about leading zeros in the exponent. But what about 2225.0738585072011e-311? 22250.738585072011e-312? What about trailing 0s before the exponent, like 2.22507385850720110e-308?

64. @Rick

    Good Point. Changed the script to remove the “.” and changed the string that is searched for.

    http://www.aircraft24.com/en/info/php-float-dos-quickfix.htm

    Better now ?

65. That will probably do it, if you change ‘250738585072011’ to ‘22250738585072011’.

66. Done. Would have worked with “’250738585072011” as well but is less unlikely to catch “false positives” now.

67. @Rafi,

    Yes, false positives were my concern.

68. Very nice and funny finding 🙂

69. Hi
    How did you find the bug?

70. @Mahrud,

    See comment #38 above.

71. Pingback: Encontrado fallo en PHP al operar con un número decimal

72. Bug does not appear with PHP 5.2.6 / XAMPP 1.6.8a.
    Also does not seem to appear within PHP 5.3.3 (FastCGI), Suhosin Patch 0.9.10.

    cu, w0lf.

73. Pingback: PHP Floating Point Bug Crashes 32-bit Servers | Albertech.net
74. Pingback: Assorted Links of the Day | hakre on wordpress

75. For those using Zend Server or Zend Server Community Edition, a hotfix was just released. I have installed it on 2 servers running PHP 5.3 on CentOS 5 and can confirm that the fix works.

76. Package: php5-cgi
    Version: 5.3.2-1ubuntu4.5

    affected, too. Note: php5-cgi!

77. I am confused. Does this only affect people with older cpus that do not support SSE2?

    I do not seem to be affected by the bug, yet am on a 32 bit CPU and PHP was compiled with -O2.

    uname -a:

    Linux www 2.6.9-67.0.22.ELsmp #1 SMP Fri Jul 11 10:38:12 EDT 2008 i686 i686 i386 GNU/Linux

    Running the test script outlined above comes back immediately. No hang.

    CPU is Intel(R) Xeon(R) CPU E5430 @ 2.66GHz which support SSE2.

    Since my CPU supports SSE2, would I not be affected by this?

78. @John Flax,

    This is a comment from Rasmus Lerdorf, in the bug report:

    “If you are on an architecture that uses the x87 FPU and you haven’t forced SSE or float-store then you will see this problem.”

    What version of PHP are you using?

79. PHP ver is 5.2.14. As far as I know I have not forced float-store or SSE, unless Centos does that by default.

80. Pingback: PHP Bug – Unendlich Loop bei bestimmtem Zahlenwert - bursali's Blog | Home of the CyberTerrorist!

81. Updated the workaround now:
    – handles arrays
    – terminates execution instead of deleting the offending variable
    – performance improved

    Code here:
    http://www.aircraft24.com/en/info/php-float-dos-quickfix.htm

82. Pingback: PHP Floating Point Bug Crashes Servers | JetLib News

83. @Rafi Thanks! we deployed your fix, very easy.

84. An official, proper fix for this has been committed. Who knows when the PHP team will release a new/updated version of PHP for this though.

    http://svn.php.net/viewvc/php/php-src/trunk/Zend/zend_strtod.c?r1=307095&r2=307094&pathrev=307095

    The “”fix”” Rafi came up with is utter nonsense as well (so many edge cases which aren’t addressed). I’d recommend folks suffering from this put pressure on the PHP team to tag and distribute a new release rather than using horrid hacks like the one here: http://www.aircraft24.com/en/info/php-float-dos-quickfix.htm

85. I’ve confirmed it happens on Apache/2.2.8 (Win32) PHP/5.2.5.

86. Pingback: links for 2011-01-06 | XXPro
87. Pingback: Security Bug; Update PHP as soon as possible!!! - PhotoPost Community

88. @koitsu
    Of course, patching or upgrading PHP to a fixed version is the way to go.

    We just wanted to provide protection for sites that cannot immediately fix their PHP-installation and that want to protect their server against script-kids that try around with GET and POST-vars. Our script does exactly that. It is not a fix but a workaround.

89. Pingback: PHP Hangs On Numeric Value 2.2250738585072011e-308 « technichristian.net
90. Pingback: » Poważny błąd w PHP, setki serwisów podatnych na ataki DoS -- Niebezpiecznik.pl --
91. Pingback: صدور تحديثين جديدين لـ PHP لترقيع ثغرة الفاصلة العائمة التي تسبب انهيار النظام | المجلة التقنية

92. Does not crash on two CentOS servers (same hardware, different PHP versions)

    Intel(R) Xeon(R) CPU L5506 @ 2.13GHz stepping 05

    Linux version 2.6.18-164.11.1.el5

    One runs 5.2.13, the other 5.3.4, from utterramblings

    Does crash on Ubuntu 10.10, PHP version 5.4.4.-1ubuntu9.1
    on an Intel(R) Core(TM) i3 CPU U 380 @ 1.33GHz stepping 05

93. Sorry, that’s PHP 5.3.3-1ubuntu9.1

94. @cicika,

    Are you running 32bit Centos or 64?

95. My bad, thought I pasted it completely, it’s 64bit.

96. Pingback: LE NOMBRE MAGIQUE QUI FAIT PLANTER JAVA : 2.2250738585072012E-308

97. Here are a few approaches to remediating this nasty bug while we are waiting for vendor patches.

    http://manicode.blogspot.com/2011/02/taming-beast-java-double-dos.html

98. @Jim Manico :

    You’ve posted to the wrong blog entry. This one is about PHP.

99. Pingback: Java entra en un loop infinito al parsear “2.2250738585072012e-308″
100. Pingback: PHP FLOAT DOS <= 5.3.X « vulnerability researcher
101. Pingback: Corregido el fallo de la "constante" en PHP
102. Pingback: Floating-Point Determinism | Random ASCII

Comments are closed.