PHP :: Bug #72689 :: php with curl extension segfaults for https

Bug #72689	php with curl extension segfaults for https
Submitted:	2016-07-27 18:34 UTC	Modified:	2019-04-07 04:22 UTC
From:	php at andreas-borchert dot de	Assigned:
Status:	No Feedback	Package:	cURL related
PHP Version:	5.6.24	OS:	Solaris 10
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	php at andreas-borchert dot de
New email:
PHP Version:		OS:

New Comment:

[2016-07-27 18:34 UTC] php at andreas-borchert dot de

Description:
------------
php 5.6.24 with curl and mysql extension segfaults when I attempt to retrieve an https document. http and other protocols work fine. Everything was built from sources using gcc 4.8.0 on a SPARC/Solaris 10 platform.

The crash can be triggered by invoking php at the command line with the test script below.

The crash occurs shortly after the SSL certificates have been read. Here is an excerpt from truss (tool similar to strace):

open64("/usr/local/gcc48/openssl/cert.pem", O_RDONLY) = 4
fstat64(4, 0xFFBFD770)                          = 0
brk(0x00DB1C40)                                 = 0
brk(0x00DC1C40)                                 = 0
fstat64(4, 0xFFBFD618)                          = 0
ioctl(4, TCGETA, 0xFFBFD6FC)                    Err#25 ENOTTY
read(4, " # #\n # #   B u n d l e".., 131072)   = 131072
brk(0x00DC1C40)                                 = 0
# ... many more brk system calls
read(4, 0x00DA070C, 131072)                     = 0
llseek(4, 0, SEEK_CUR)                          = 250615
close(4)                                        = 0
    Incurred fault #6, FLTBOUNDS  %pc = 0x004CA154
      siginfo: SIGSEGV SEGV_ACCERR addr=0xFEF57A5C
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_ACCERR addr=0xFEF57A5C

Test script:
---------------
<?php
  $ch = curl_init("https://de.wikipedia.org/wiki/Ulm");
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
  if (!$content = curl_exec($ch)) {
    echo "FAILED:";
    trigger_error(curl_error($ch)); 
  } else {
    echo "OK:";
    echo $content;
  }
  curl_close($ch); 
?>

Actual result:
--------------
clonard$ gdb /usr/local/php-5.6.24/bin/php
GNU gdb (GDB) 7.5.1
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.10".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php-5.6.24/bin/php...done.
(gdb) run test.php
Starting program: /usr/local/php-5.6.24/bin/php test.php
[Thread debugging using libthread_db enabled]
[New Thread 1 (LWP 1)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 1)]
0x004ca154 in CRYPTO_add_lock ()
(gdb) where
#0  0x004ca154 in CRYPTO_add_lock ()
#1  0x004c1a7c in ssl_cert_dup ()
#2  0x004c05a4 in SSL_new ()
#3  0xfef59858 in ossl_connect_common () from /usr/local/gcc48/lib/libcurl.so.4
#4  0xfef5b268 in Curl_ssl_connect_nonblocking ()
   from /usr/local/gcc48/lib/libcurl.so.4
#5  0xfef1e148 in Curl_http_connect () from /usr/local/gcc48/lib/libcurl.so.4
#6  0xfef2cd18 in Curl_protocol_connect ()
   from /usr/local/gcc48/lib/libcurl.so.4
#7  0xfef3fad8 in multi_runsingle () from /usr/local/gcc48/lib/libcurl.so.4
#8  0xfef40678 in curl_multi_perform () from /usr/local/gcc48/lib/libcurl.so.4
#9  0xfef38344 in curl_easy_perform () from /usr/local/gcc48/lib/libcurl.so.4
#10 0x0019c99c in zif_curl_exec (ht=1, return_value=0xb57a28, 
    return_value_ptr=0xb3c87c, this_ptr=0x0, 
    return_value_used=<optimized out>, tsrm_ls=0xb391f0)
    at /var/playground/ULMphp/src/php-5.6.24/ext/curl/interface.c:2986
#11 0x00496574 in zend_do_fcall_common_helper_SPEC (execute_data=0xb3c8d8, 
    tsrm_ls=0xb391f0)
    at /var/playground/ULMphp/src/php-5.6.24/Zend/zend_vm_execute.h:558
#12 0x00410e6c in execute_ex (execute_data=0xb3c8d8, tsrm_ls=0xb391f0)
    at /var/playground/ULMphp/src/php-5.6.24/Zend/zend_vm_execute.h:363
#13 0x00493e90 in zend_execute (op_array=0xb57390, 
    tsrm_ls=tsrm_ls@entry=0xb391f0)
---Type <return> to continue, or q <return> to quit---
    at /var/playground/ULMphp/src/php-5.6.24/Zend/zend_vm_execute.h:388
#14 0x003d3d9c in zend_execute_scripts (type=type@entry=8, 
    tsrm_ls=tsrm_ls@entry=0xb391f0, retval=retval@entry=0x0, 
    file_count=file_count@entry=3)
    at /var/playground/ULMphp/src/php-5.6.24/Zend/zend.c:1341
#15 0x00359cb0 in php_execute_script (
    primary_file=primary_file@entry=0xffbfee48, tsrm_ls=tsrm_ls@entry=0xb391f0)
    at /var/playground/ULMphp/src/php-5.6.24/main/main.c:2613
#16 0x0049875c in do_cli (argc=2, argv=0xb391a8, tsrm_ls=0xb391f0)
    at /var/playground/ULMphp/src/php-5.6.24/sapi/cli/php_cli.c:994
#17 0x0005cdf0 in main (argc=2, argv=<optimized out>)
    at /var/playground/ULMphp/src/php-5.6.24/sapi/cli/php_cli.c:1378
(gdb)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-03-26 16:35 UTC] mike@php.net

-Status: Open +Status: Feedback

[2019-03-26 16:35 UTC] mike@php.net

Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.

[2019-04-07 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 14:01:30 2024 UTC