PHP :: Bug #81597 :: curl SIGSEGV with PROGRESS

Bug #81597

curl SIGSEGV with PROGRESS

Submitted:

2021-11-08 09:01 UTC

Modified:

2024-07-28 04:22 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

erik at coretech dot se

Assigned:

cmb (profile)

Status:

No Feedback

Package:

cURL related

PHP Version:

8.0.12

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	erik at coretech dot se
New email:
PHP Version:		OS:

New Comment:

[2021-11-08 09:01 UTC] erik at coretech dot se

Description:
------------
PHP crashes randomly with SIGSEGV (about 1/2 of the times) when the code below is executed.

==805465== Thread 2:
==805465== Jump to the invalid address stated on the next line
==805465==    at 0xA08E150: ???
==805465==    by 0x82DC159: start_thread (in /usr/lib64/libpthread-2.28.so)
==805465==    by 0x800BDD2: clone (in /usr/lib64/libc-2.28.so)
==805465==  Address 0xa08e150 is not stack'd, malloc'd or (recently) free'd
==805465== 
==805465== 
==805465== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==805465==  Access not within mapped region at address 0xA08E150
==805465==    at 0xA08E150: ???
==805465==    by 0x82DC159: start_thread (in /usr/lib64/libpthread-2.28.so)
==805465==    by 0x800BDD2: clone (in /usr/lib64/libc-2.28.so)


Test script:
---------------
<?php

class curltest {

        public function start() {

                $this->ch = curl_init();

                $urlstr = "https://www.php.net/distributions/php-8.0.12.tar.gz";

                curl_setopt($this->ch, CURLOPT_URL, $urlstr);
                curl_setopt($this->ch, CURLOPT_RETURNTRANSFER, FALSE);
                curl_setopt($this->ch, CURLOPT_WRITEFUNCTION, array($this, 'do_write'));
                curl_setopt($this->ch, CURLOPT_PROGRESSFUNCTION, array($this, 'do_progress'));
                curl_setopt($this->ch, CURLOPT_NOPROGRESS, FALSE);
                curl_setopt($this->ch, CURLOPT_NOSIGNAL, TRUE);

                $ret = curl_exec($this->ch);
        }

	private function do_write($ch, $data) {
                return strlen($data);
        }

	private function do_progress($ch, $a = NULL, $b = NULL, $c = NULL, $d = NULL) {
                return 1;
        }

}

$c = new curltest();
$c->start();


Expected result:
----------------
No crash

Actual result:
--------------
Crashes with SIGSEGV

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-11-08 09:08 UTC] nikic@php.net

I can't reproduce this with libcurl 7.68.0 (no crash or warnings under valgrind).

Which version of curl are you using?

[2021-11-08 09:16 UTC] erik at coretech dot se

curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.4/openssl/zlib nghttp2/1.33.0

This is the version shipped with Rocky8

[2021-11-13 06:00 UTC] camporter1 at gmail dot com

An occasional segfault is reproducible for me on rocky linux 8.4 x86_64.

Enabled remirepo for 8.0 since php 8.0 isn't provided by the distro.

Trace:

{   "signal": 11
,   "executable": "/usr/bin/php"
,   "stacktrace":
      [ {   "crash_thread": true
        ,   "frames":
              [ {   "address": 140011838288336
                ,   "build_id_offset": 140011838288336
                } ]
        }
      , {   "frames":
              [ {   "address": 140011872431189
                ,   "build_id": "296658ed4f68231cb3ef55ded9b584404deed520"
                ,   "build_id_offset": 535637
                ,   "function_name": "_int_free"
                ,   "file_name": "/lib64/libc.so.6"
                }
              , {   "address": 94252436834069
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 2942741
                ,   "function_name": "zend_hash_destroy"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252437279985
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 3388657
                ,   "function_name": "zend_interned_strings_dtor"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252436355664
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 2464336
                ,   "function_name": "php_module_shutdown"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252435012844
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 1121516
                ,   "function_name": "main"
                ,   "file_name": "/usr/bin/php"
                } ]
        } ]
}

[2024-07-19 21:30 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2024-07-19 21:30 UTC] cmb@php.net

Is that still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions>

[2024-07-28 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 17:01:58 2024 UTC