[wp-trac] [WordPress Trac] #57050: Allocation of JIT memory failed …

WordPress Trac noreply at wordpress.org
Wed Nov 9 21:19:13 UTC 2022


#57050: Allocation of JIT memory failed …
----------------------------+------------------------------
 Reporter:  petroski        |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Bootstrap/Load  |     Version:  3.0
 Severity:  normal          |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+------------------------------
Changes (by costdev):

 * keywords:  changes-requested =>
 * focuses:  coding-standards =>
 * component:  Security => Bootstrap/Load
 * version:  6.1 => 3.0


Old description:

> Hello All,
>
> I provide hosting for a number of WordPress websites on a CentOS server
> with the following config.
>
> CentOS Linux 7.9.2009
> Plesk Obsidian Version 18.0.47
> PHP 7.43
> mySQL 5.5.68-1.el7
>
> For server security I have Atomic Secured Linux (Atomic Protector)
> installed that provides Firewall and OSSEC security (full version, not
> Plesk extension)
>
> For quite some time, ASL has been reporting the following error code
> hundreds of times a day …
>
> 60027 : Denied a RWX mmap event. An application just attempted to use the
> mprotect function to bypass memory protection functions in the kernel.
>
> I have contacted Atomic support several times over this issue but the
> problem is not with their software, it is doing what it is supposed to
> do. ASL uses their own custom kernel that would deny attempts to bypass
> memory protection.
>
> So, digging a little deeper, I find this in my server logs at:
>
> /var/log/plesk-php74-fpm/error.log
>
> WARNING: [pool xxxxxxxxx.ca] child 23848 said into stderr: “PHP message:
> PHP Warning: preg_match(): Allocation of JIT memory failed, PCRE JIT will
> be disabled. This is likely caused by security restrictions. Either grant
> PHP permission to allocate executable memory, or set pcre.jit=0 in
> /var/www/vhosts/xxxxxxxxx.ca/httpdocs/wp-includes/load.php on line 43”
>
> So, every time any of the domains on my server loads, this error is
> generated.
>
> Looking at the file wp-includes/load.php, here is the errant code ((note
> lines 42 and 43 as marked)
>
> function wp_fix_server_vars() {
>         global $PHP_SELF;
>
>         $default_server_values = array(
>                 'SERVER_SOFTWARE' => '',
>                 'REQUEST_URI'     => '',
>         );
>
>         $_SERVER = array_merge( $default_server_values, $_SERVER );
>
> Line 42 // Fix for IIS when running with PHP ISAPI.
> Line 43 if ( empty( $_SERVER['REQUEST_URI'] ) || ( 'cgi-fcgi' !==
> PHP_SAPI && preg_match( '/^Microsoft-IIS\//', $_SERVER['SERVER_SOFTWARE']
> ) ) ) {
>
>                 if ( isset( $_SERVER['HTTP_X_ORIGINAL_URL'] ) ) {
>                         // IIS Mod-Rewrite.
>                         $_SERVER['REQUEST_URI'] =
> $_SERVER['HTTP_X_ORIGINAL_URL'];
>                 } elseif ( isset( $_SERVER['HTTP_X_REWRITE_URL'] ) ) {
>                         // IIS Isapi_Rewrite.
>                         $_SERVER['REQUEST_URI'] =
> $_SERVER['HTTP_X_REWRITE_URL'];
>                 } else {
>                         // Use ORIG_PATH_INFO if there is no PATH_INFO.
>                         if ( ! isset( $_SERVER['PATH_INFO'] ) && isset(
> $_SERVER['ORIG_PATH_INFO'] ) ) {
>                                 $_SERVER['PATH_INFO'] =
> $_SERVER['ORIG_PATH_INFO'];
>                         }
>
>                         // Some IIS + PHP configurations put the script-
> name in the path-info (no need to append it twice).
>                         if ( isset( $_SERVER['PATH_INFO'] ) ) {
>                                 if ( $_SERVER['PATH_INFO'] ==
> $_SERVER['SCRIPT_NAME'] ) {
>                                         $_SERVER['REQUEST_URI'] =
> $_SERVER['PATH_INFO'];
>                                 } else {
>                                         $_SERVER['REQUEST_URI'] =
> $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];
>                                 }
>                         }
>
>                         // Append the query string if it exists and isn't
> null.
>                         if ( ! empty( $_SERVER['QUERY_STRING'] ) ) {
>                                 $_SERVER['REQUEST_URI'] .= '?' .
> $_SERVER['QUERY_STRING'];
>                         }
>                 }

New description:

 Hello All,

 I provide hosting for a number of WordPress websites on a CentOS server
 with the following config.

 CentOS Linux 7.9.2009
 Plesk Obsidian Version 18.0.47
 PHP 7.43
 mySQL 5.5.68-1.el7

 For server security I have Atomic Secured Linux (Atomic Protector)
 installed that provides Firewall and OSSEC security (full version, not
 Plesk extension)

 For quite some time, ASL has been reporting the following error code
 hundreds of times a day …

   60027 : Denied a RWX mmap event. An application just attempted to use
 the mprotect function to bypass memory protection functions in the kernel.

 I have contacted Atomic support several times over this issue but the
 problem is not with their software, it is doing what it is supposed to do.
 ASL uses their own custom kernel that would deny attempts to bypass memory
 protection.

 So, digging a little deeper, I find this in my server logs at `/var/log
 /plesk-php74-fpm/error.log`:

   WARNING: [pool xxxxxxxxx.ca] child 23848 said into stderr: “PHP message:
 PHP Warning: preg_match(): Allocation of JIT memory failed, PCRE JIT will
 be disabled. This is likely caused by security restrictions. Either grant
 PHP permission to allocate executable memory, or set pcre.jit=0 in
 /var/www/vhosts/xxxxxxxxx.ca/httpdocs/wp-includes/load.php on line 43”

 So, every time any of the domains on my server loads, this error is
 generated.

 Looking at `wp_fix_server_vars()` in [https://github.com/WordPress
 /wordpress-develop/blob/trunk/src/wp-includes/load.php#L42-L43 wp-
 includes/load.php], here is the errant code at lines 42-43:

 {{{#!php
 <?php

 // Fix for IIS when running with PHP ISAPI.
 if ( empty( $_SERVER['REQUEST_URI'] ) || ( 'cgi-fcgi' !== PHP_SAPI &&
 preg_match( '/^Microsoft-IIS\//', $_SERVER['SERVER_SOFTWARE'] ) ) ) {
 }}}

--

Comment:

 Thanks for the ticket @petroski!

 Just cleaning up some ticket properties and noting that this
 `preg_match()` call has existed since WordPress 3.0 in changeset [12732].

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57050#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list