PHP :: Bug #79078 :: Hypothetical use-after-free in curl_multi_add

Bug #79078	Hypothetical use-after-free in curl_multi_add_handle()
Submitted:	2020-01-08 10:48 UTC	Modified:	2020-01-08 17:45 UTC
From:	cmb@php.net	Assigned:	cmb (profile)
Status:	Closed	Package:	cURL related
PHP Version:	7.3Git-2020-01-08 (Git)	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	cmb@php.net
New email:
PHP Version:		OS:

New Comment:

[2020-01-08 10:48 UTC] cmb@php.net

Description:
------------
If a curl resource which has CURLOPT_VERBOSE enabled, and
CURLOPT_STDERR set to a stream which has been prematurely closed
is passed to curl_multi_add_handle(), depending on the libcurl
version, there may be an use-after-free.

Since this requires debugging features (CURLOPT_VERBOSE) and a
rather serious programming error, this is not a security bug.


Test script:
---------------
php -i | grep cURL
php run-tests.php -m ext/curl/tests/bug48203_multi.phpt > /dev/null 2>&1
cat ext/curl/tests/bug48203_multi.mem


Expected result:
----------------
cURL support => enabled
cURL Information => 7.64.0
cat: ext/curl/bug48203_multi.mem: No such file or directory


Actual result:
--------------
cURL support => enabled
cURL Information => 7.64.0
==30168== Invalid read of size 4
==30168==    at 0x6C0CF6E: fwrite (iofwrite.c:37)
==30168==    by 0x5BC806C: Curl_debug (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BC81E5: Curl_infof (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BE04A1: Curl_expire (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BE07A9: curl_multi_add_handle (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x2812B5: zif_curl_multi_add_handle (multi.c:100)
==30168==    by 0x426867: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:649)
==30168==    by 0x426867: execute_ex (zend_vm_execute.h:55503)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
==30168==  Address 0x7990500 is 0 bytes inside a block of size 552 free'd
==30168==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30168==    by 0x6C0BC41: fclose@@GLIBC_2.2.5 (iofclose.c:84)
==30168==    by 0x362197: php_stdiop_close (plain_wrapper.c:464)
==30168==    by 0x35D277: _php_stream_free (streams.c:466)
==30168==    by 0x2E74B0: zif_fclose (file.c:920)
==30168==    by 0x426867: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:649)
==30168==    by 0x426867: execute_ex (zend_vm_execute.h:55503)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
==30168==  Block was alloc'd at
==30168==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30168==    by 0x6C0BE52: fdopen@@GLIBC_2.2.5 (iofdopen.c:139)
==30168==    by 0x362077: php_stdiop_cast (plain_wrapper.c:559)
==30168==    by 0x35FB0F: _php_stream_cast (cast.c:220)
==30168==    by 0x27C9E0: _php_curl_setopt (interface.c:2562)
==30168==    by 0x27E04F: zif_curl_setopt_array (interface.c:3125)
==30168==    by 0x42CDEC: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:819)
==30168==    by 0x42CDEC: execute_ex (zend_vm_execute.h:55519)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
<snip>

Patches

Pull Requests

Pull requests:

Fix #79078: Hypothetical use-after-free in curl_multi_add_handle() (php-src/5064)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-01-08 10:48 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

[2020-01-08 10:55 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #79078: Hypothetical use-after-free in curl_multi_add_handle()
On GitHub:  https://github.com/php/php-src/pull/5064
Patch:      https://github.com/php/php-src/pull/5064.patch

[2020-01-08 10:55 UTC] cmb@php.net

-Assigned To: cmb +Assigned To:

[2020-01-08 17:44 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0dda4a844e63ccbcff1053fff65649dab0fd348f
Log: Fix #79078: Hypothetical use-after-free in curl_multi_add_handle()

[2020-01-08 17:44 UTC] cmb@php.net

-Status: Open +Status: Closed

[2020-01-08 17:45 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 17:01:29 2024 UTC