php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79078 Hypothetical use-after-free in curl_multi_add_handle()
Submitted: 2020-01-08 10:48 UTC Modified: 2020-01-08 17:45 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: cURL related
PHP Version: 7.3Git-2020-01-08 (Git) OS: *
Private report: No CVE-ID: None
 [2020-01-08 10:48 UTC] cmb@php.net
Description:
------------
If a curl resource which has CURLOPT_VERBOSE enabled, and
CURLOPT_STDERR set to a stream which has been prematurely closed
is passed to curl_multi_add_handle(), depending on the libcurl
version, there may be an use-after-free.

Since this requires debugging features (CURLOPT_VERBOSE) and a
rather serious programming error, this is not a security bug.


Test script:
---------------
php -i | grep cURL
php run-tests.php -m ext/curl/tests/bug48203_multi.phpt > /dev/null 2>&1
cat ext/curl/tests/bug48203_multi.mem


Expected result:
----------------
cURL support => enabled
cURL Information => 7.64.0
cat: ext/curl/bug48203_multi.mem: No such file or directory


Actual result:
--------------
cURL support => enabled
cURL Information => 7.64.0
==30168== Invalid read of size 4
==30168==    at 0x6C0CF6E: fwrite (iofwrite.c:37)
==30168==    by 0x5BC806C: Curl_debug (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BC81E5: Curl_infof (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BE04A1: Curl_expire (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BE07A9: curl_multi_add_handle (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x2812B5: zif_curl_multi_add_handle (multi.c:100)
==30168==    by 0x426867: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:649)
==30168==    by 0x426867: execute_ex (zend_vm_execute.h:55503)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
==30168==  Address 0x7990500 is 0 bytes inside a block of size 552 free'd
==30168==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30168==    by 0x6C0BC41: fclose@@GLIBC_2.2.5 (iofclose.c:84)
==30168==    by 0x362197: php_stdiop_close (plain_wrapper.c:464)
==30168==    by 0x35D277: _php_stream_free (streams.c:466)
==30168==    by 0x2E74B0: zif_fclose (file.c:920)
==30168==    by 0x426867: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:649)
==30168==    by 0x426867: execute_ex (zend_vm_execute.h:55503)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
==30168==  Block was alloc'd at
==30168==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30168==    by 0x6C0BE52: fdopen@@GLIBC_2.2.5 (iofdopen.c:139)
==30168==    by 0x362077: php_stdiop_cast (plain_wrapper.c:559)
==30168==    by 0x35FB0F: _php_stream_cast (cast.c:220)
==30168==    by 0x27C9E0: _php_curl_setopt (interface.c:2562)
==30168==    by 0x27E04F: zif_curl_setopt_array (interface.c:3125)
==30168==    by 0x42CDEC: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:819)
==30168==    by 0x42CDEC: execute_ex (zend_vm_execute.h:55519)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
<snip>

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-08 10:48 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2020-01-08 10:55 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79078: Hypothetical use-after-free in curl_multi_add_handle()
On GitHub:  https://github.com/php/php-src/pull/5064
Patch:      https://github.com/php/php-src/pull/5064.patch
 [2020-01-08 10:55 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2020-01-08 17:44 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0dda4a844e63ccbcff1053fff65649dab0fd348f
Log: Fix #79078: Hypothetical use-after-free in curl_multi_add_handle()
 [2020-01-08 17:44 UTC] cmb@php.net
-Status: Open +Status: Closed
 [2020-01-08 17:45 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 13 13:01:27 2024 UTC