php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81428 Crash with cycle containing a curl_multi_handle
Submitted: 2021-09-09 16:21 UTC Modified: 2021-09-23 13:03 UTC
From: bwoebi@php.net Assigned:
Status: Open Package: cURL related
PHP Version: 8.0.10 OS: Ubuntu
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bwoebi@php.net
New email:
PHP Version: OS:

 

 [2021-09-09 16:21 UTC] bwoebi@php.net 
Description:
------------
Executing a curl_multi_cleanup() on a multi handle holding references to an already freed easy handle is not allowed.

This issue only appears in a cycle, where the destruction order guarantees (i.e. adding easy handle to multi handle increases RC of easy handle) are not upheld.

The issue exists in PHP 8.0+, when a proper get_gc handle was added for curl handles.

Test script:
---------------
<?php

// inspired from ext/curl/tests/bug77535.phpt

class MyHttpClient
{
    private $mh;

    public function sendRequest()
    {
        $this->mh = curl_multi_init();

	$curl = curl_init();
	curl_setopt($curl, CURLOPT_URL, 'https://http2.golang.org/serverpush');
	curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0);
	curl_setopt($curl, CURLOPT_WRITEFUNCTION, function ($ch, $data) {
            return \strlen($data); // Closure preserves $this reference, creates cycle
	});

	curl_multi_setopt($this->mh, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
        curl_multi_setopt($this->mh, CURLMOPT_PUSHFUNCTION, function() { return CURL_PUSH_OK; });
        curl_multi_add_handle($this->mh, $curl);

	while (curl_multi_exec($this->mh, $s) === CURLM_CALL_MULTI_PERFORM || curl_multi_info_read($this->mh) === false);
	gc_collect_cycles();
    }
}

$buzz = new MyHttpClient();
$buzz->sendRequest();

Expected result:
----------------
No segfault

Actual result:
--------------
Segfault, valgrind output:

==21019== Invalid write of size 1
==21019==    at 0x52367B4: Curl_http_done (http.c:1551)
==21019==    by 0x5256CF7: multi_done (multi.c:560)
==21019==    by 0x5256FC9: curl_multi_cleanup (multi.c:2270)
==21019==    by 0x436334: curl_multi_free_obj (multi.c:551)
==21019==    by 0x92B9E8: zend_objects_store_del (zend_objects_API.c:200)
==21019==    by 0x849172: rc_dtor_func (zend_variables.c:57)
==21019==    by 0x92409C: i_zval_ptr_dtor (zend_variables.h:44)
==21019==    by 0x924563: zend_object_std_dtor (zend_objects.c:70)
==21019==    by 0x90BB71: zend_gc_collect_cycles (zend_gc.c:1588)
==21019==    by 0x8346BA: zend_shutdown_executor_values (zend_execute_API.c:367)
==21019==    by 0x834741: shutdown_executor (zend_execute_API.c:391)
==21019==    by 0x84BA53: zend_deactivate (zend.c:1259)
==21019==  Address 0x8eb2d61 is 5,089 bytes inside a block of size 6,304 free'd
==21019==    at 0x48369AB: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==21019==    by 0x5242B8B: Curl_close (url.c:397)
==21019==    by 0x524F88C: curl_easy_cleanup (easy.c:826)
==21019==    by 0x431D1A: curl_free_obj (interface.c:3446)
==21019==    by 0x90BB71: zend_gc_collect_cycles (zend_gc.c:1588)
==21019==    by 0x8346BA: zend_shutdown_executor_values (zend_execute_API.c:367)
==21019==    by 0x834741: shutdown_executor (zend_execute_API.c:391)
==21019==    by 0x84BA53: zend_deactivate (zend.c:1259)
==21019==    by 0x7B5A5E: php_request_shutdown (main.c:1831)
==21019==    by 0x9AC2B7: do_cli (php_cli.c:1135)
==21019==    by 0x9ACA17: main (php_cli.c:1367)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-09-15 10:36 UTC] twosee@php.net 
I cannot reproduce this bug... And, the security here should be guaranteed by libcurl, right? When we call curl_easy_cleanup(), libcurl will remove the easy handle from multi by curl_multi_remove_handle(), then the multi should no longer access the easy handle which has been released anymore.
 [2021-09-23 12:58 UTC] nikic@php.net 
For some reason this just hangs when I run it under valgrind :/
 [2021-09-23 13:03 UTC] nikic@php.net 
It eventually ran through, but I'm also not seeing any use after free.
 [2023-04-07 18:37 UTC] monika at gmail dot com 
wonderful blog full of value thanks for the sharing


(https://morocco-itinerary.com/es/tour/2-dias-desde-marrakech-al-desierto-2/)github.com

(https://morocco-itinerary.com/es/tour/recomendaciones-para-viajar-a-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/escapada-marrakech-3-dias/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-en-4-dias-que-hacer/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-viaje-5-dias/)github.com

(https://morocco-itinerary.com/es/tour/vacaciones-en-marruecos-5-dias/)github.com

(https://morocco-itinerary.com/es/tour/6-dias-en-marruecos-viajes/)github.com

(https://morocco-itinerary.com/es/tour/itinerario-marruecos-7-dias/)github.com

(https://morocco-itinerary.com/es/tour/visitar-marruecos-en-7-dias/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-8-dias/)github.com

(https://morocco-itinerary.com/es/tour/tour-marruecos-de-9-dias/)github.com

(https://morocco-itinerary.com/es/tour/visitar-marruecos-en-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/ruta-marruecos-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/gran-vuelta-a-marruecos-en-11-dias/)github.com

(https://morocco-itinerary.com/es/tour/tour-por-marruecos-12-dias/)github.com

(https://morocco-itinerary.com/es/tour/2-dias-viajes-en-marruecos-desde-fez-al-desierto/)github.com

(https://morocco-itinerary.com/es/tour/3-dias-desde-fez-al-desierto-de-merzouga/)github.com

(https://morocco-itinerary.com/es/tour/3-dias-de-fez-a-marrakech-por-el-desierto/)github.com

(https://morocco-itinerary.com/es/tour/4-dias-desde-fez-al-desierto-y-marrakech-2/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-4-dias-desde-fez-al-desierto/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-5-dias-4-noches-desde-marrakech/)github.com

(https://morocco-itinerary.com/es/tour/circuito-marruecos-6-dias/)github.com

(https://morocco-itinerary.com/es/tour/viaje-de-7-dias-en-marruecos-desde-fez/)github.com


(https://morocco-itinerary.com/es/tour/viaje-marruecos-7-dias/)github.com


(https://morocco-itinerary.com/es/tour/circuito-por-marruecos-8-dias/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-en-9-dias/)github.com

(https://morocco-itinerary.com/es/tour/mejor-10-dias-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/recorrer-marruecos-en-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-10-dias-en-marruecos-desde-fez/)github.com

(https://morocco-itinerary.com/es/tour/11-dias-en-marruecos-desierto-y-ciudades-imperiales/)github.com


(https://morocco-itinerary.com/es/tour/tour-de-12-dias-en-marruecos/)github.com


(https://morocco-itinerary.com/es/tour/tour-de-13-dias-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/tour-norte-de-marruecos-4-dias/)github.com

(https://morocco-itinerary.com/es/tour/5-dias-de-viaje-a-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/ruta-por-marruecos-en-6-dias-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/viaje-de-7-dias-al-norte-de-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/viaje-de-7-dias-alrededor-de-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/excursion-desde-casablanca-8-dias/)github.com

(hhttps://morocco-itinerary.com/es/tour/viaje-privado-de-9-dias-por-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-viaje-por-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/descubra-marruecos-en-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-11-dias-por-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/tour-de-12-dias-por-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-13-dias-en-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-en-13-dias-de-viaje-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-14-dias-en-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/5-dias-en-el-norte-de-marruecos-desde-tanger/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-6-dias-desde-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/ruta-7-dias-marruecos/)github.com


(https://morocco-itinerary.com/es/tour/itinerario-de-7-dias-en-marruecos/)github.com


(https://morocco-itinerary.com/es/tour/viaje-de-8-dias-desde-tanger-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/9-dias-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-10-dias-desde-tanger/)github.com

(https://morocco-itinerary.com/es/tour/10-dias-de-vacaciones-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-11-dias-desde-tanger/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-en-12-dias/)github.com


(https://morocco-itinerary.com/es/marruecos-viajes/)github.com


(https://morocco-itinerary.com/es/terminos-condiciones/)github.com

(https://morocco-itinerary.com/es/sobre-nosotros-el-equipo/)github.com

(https://morocco-itinerary.com/es/resenas/)github.com

(https://morocco-itinerary.com/es/resenas/)github.com

(https://morocco-itinerary.com/es/tour-destination/tanger-es/)github.com

(https://morocco-itinerary.com/es/tour-destination/marrakech-es/)github.com

(https://morocco-itinerary.com/es/tour-destination/fez-es/)github.com

(https://morocco-itinerary.com/es/tour-destination/casablanca-es/)github.com

(https://morocco-itinerary.com/es/marruecos-viajes/contacto/contacto-1/)github.com

(https://morocco-itinerary.com/es/marruecos-viajes/)github.com

(https://morocco-itinerary.com/)github.com

(https://morocco-itinerary.com/who-we-are/)github.com

(https://morocco-itinerary.com/reviews/)github.com

(https://morocco-itinerary.com/contact-2/)github.com

(https://morocco-itinerary.com/terms-conditions/)github.com

(https://morocco-itinerary.com/morocco-tours-packages-2/)github.com

(https://morocco-itinerary.com/can-i-travel-to-morocco-from-usa/)github.com

(https://morocco-itinerary.com/are-4-or-5-or-7-or-10-days-enough-in-morocco/)github.com

(https://morocco-itinerary.com/what-to-do-in-morocco-for-1-week/)github.com

(https://morocco-itinerary.com/morocco-travel-itinerary-5-days/)github.com

(https://morocco-itinerary.com/moroccan-tour-morocco-trips/)github.com

(https://morocco-itinerary.com/whats-morocco-flag-history/)github.com

(https://morocco-itinerary.com/tour/full-day-tour-from-marrakech-to-ait-benhaddou-kasbah/)github.com

(https://morocco-itinerary.com/tour/private-1-day-excursion-to-essaouira-from-marrakech/)github.com

(https://morocco-itinerary.com/tour/private-1-day-excursion-to-imlil-from-marrakech/)github.com

(https://morocco-itinerary.com/tour/1-day-trip-to-ouzoud-waterfalls/)github.com

(https://morocco-itinerary.com/merzouga-quad-biking-around-desert/)github.com

(https://morocco-itinerary.com/tour-destination/tangier/)github.com

(https://morocco-itinerary.com/tour-destination/marrakech/)github.com

(https://morocco-itinerary.com/tour-destination/fes/)github.com

(https://morocco-itinerary.com/tour/)github.com

(https://morocco-itinerary.com/tour-destination/casablanca/)github.com

(https://morocco-itinerary.com/who-we-are/)github.com

(https://morocco-itinerary.com/reviews/)github.com

(https://morocco-itinerary.com/contact-2/)github.com

(https://morocco-itinerary.com/terms-conditions/)github.com

(https://morocco-itinerary.com/hsb/marokko-reise/)github.com

(https://morocco-itinerary.com/hsb/uber-uns-team/)github.com

(https://morocco-itinerary.com/hsb/marokko-reise/kontakt/)github.com

(https://morocco-itinerary.com/hsb/bewertungen/)github.com

(https://morocco-itinerary.com/hsb/tour-destination/tanger/)github.com

(https://morocco-itinerary.com/hsb/tour-destination/marrakesch/)github.com

(https://morocco-itinerary.com/hsb/tour-destination/fes-hsb/)github.com

(https://morocco-itinerary.com/hsb/tour-destination/casablanca-hsb/)github.com

(https://morocco-itinerary.com/it/casa/viaggi-in-marocco/)github.com

(https://morocco-itinerary.com/it/chi-siamo-il-team/)github.com

(https://morocco-itinerary.com/it/itinerario-di-10-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour-individuale-7-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour-marocco-9-giorni/)github.com

(https://morocco-itinerary.com/it/viaggio-in-marocco-5-giorni/)github.com

(https://morocco-itinerary.com/it/casa/contattateci/)github.com

(https://morocco-itinerary.com/it/recensioni/)github.com

(https://morocco-itinerary.com/it/tour-destination/tanger-it/)github.com

(https://morocco-itinerary.com/it/tour-destination/marrakech-it/)github.com

(https://morocco-itinerary.com/it/tour-destination/fez-2/)github.com

(https://morocco-itinerary.com/it/tour-destination/casablanca-it/)github.com

(https://morocco-itinerary.com/it/tour/)github.com

(https://morocco-itinerary.com/tour/5-days-morocco-tour-from-marrakech/)github.com

(https://morocco-itinerary.com/tour/6-days-morocco-desert-tour-from-marrakech/)github.com

(https://morocco-itinerary.com/tour/morocco-itinerary-7-days/)github.com

(https://morocco-itinerary.com/tour/7-days-tour-in-morocco-from-marrakech-to-fes-via-sahara-desert/)github.com

(https://morocco-itinerary.com/tour/marrakech-trip-itinerary-in-7-days/)github.com

(https://morocco-itinerary.com/tour/8-days-morocco-tour/)github.com

(https://morocco-itinerary.com/tour/9-days-tour-in-morocco/)github.com

(https://morocco-itinerary.com/tour/10-days-in-morocco-in-november-may-april-december-september/)github.com

(https://morocco-itinerary.com/tour/10-days-tour-in-morocco/)github.com

(https://morocco-itinerary.com/tour/11-days-tour-in-morocco-from-marrakech/)github.com

(https://morocco-itinerary.com/tour/morocco-12-days-tour-from-marrakech/)github.com

(https://morocco-itinerary.com/tour/13-days-around-morocco-tour-from-marrakech/)github.com

(https://morocco-itinerary.com/hsb/tour/2-tage-marrakesch-wustentour/)github.com

(https://morocco-itinerary.com/hsb/tour/marrakesch-wustentour-3-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-reise-3-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marrakesch-rundreise-4-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-4-tage-ab-marrakesch/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-5-tage-von-marrakesch/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-6-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-1-woche/)github.com

(https://morocco-itinerary.com/hsb/tour/10-tage-marokko-rundreise/)github.com

(https://morocco-itinerary.com/hsb/tour/12-tage-4-konigsstadte-marokko-reise/)github.com

(https://morocco-itinerary.com/hsb/tour/2-tage-in-marokko-ab-fes-nach-merzouga/)github.com

(https://morocco-itinerary.com/hsb/tour/3-tage-marokko-reiseprogramm/)github.com

(https://morocco-itinerary.com/hsb/tour/3-tage-marokko-rundreise-individuell/)github.com

(https://morocco-itinerary.com/hsb/tour/4-tage-marokko-reise-ab-fes-nach-sahara/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-wustenreise-5-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-7-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-10-tage-individuell/)github.com

(https://morocco-itinerary.com/hsb/tour/13-tage-urlaub-marokko-reise/)github.com

(https://morocco-itinerary.com/hsb/tour/3-tage-marokko-reise/)github.com

(https://morocco-itinerary.com/hsb/tour/kleine-rundreise-ab-rabat/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-reise-8-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/rundreise-marokko-mit-badeverlangerung/)github.com

(https://morocco-itinerary.com/hsb/tour/6-tage-marokko-urlaubsreise/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-individuell-erfahrungen/)github.com

(https://morocco-itinerary.com/hsb/tour/10-tage-marokko-rundreise-kleingruppe/)github.com

(https://morocco-itinerary.com/hsb/tour/8-tage-privatreise-in-marokko/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-12-tage-ab-tanger/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-selbstfahrer/)github.com

(https://morocco-itinerary.com/hsb/tour/nord-marokko-tour-2-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/3-tage-marokko-nordreise/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-individuell-reise-4-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/bester-reiseanbieter-marokko/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-urlaub-6-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/morokko-rundreise-8-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-10-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-12-tage/)github.com

(https://morocco-itinerary.com/hsb/tour/marokko-rundreise-14-tage/)github.com
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Oct 28 00:00:02 2025 UTC