php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79078 Hypothetical use-after-free in curl_multi_add_handle()
Submitted: 2020-01-08 10:48 UTC Modified: 2020-01-08 17:45 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: cURL related
PHP Version: 7.3Git-2020-01-08 (Git) OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cmb@php.net
New email:
PHP Version: OS:

 

 [2020-01-08 10:48 UTC] cmb@php.net
Description:
------------
If a curl resource which has CURLOPT_VERBOSE enabled, and
CURLOPT_STDERR set to a stream which has been prematurely closed
is passed to curl_multi_add_handle(), depending on the libcurl
version, there may be an use-after-free.

Since this requires debugging features (CURLOPT_VERBOSE) and a
rather serious programming error, this is not a security bug.


Test script:
---------------
php -i | grep cURL
php run-tests.php -m ext/curl/tests/bug48203_multi.phpt > /dev/null 2>&1
cat ext/curl/tests/bug48203_multi.mem


Expected result:
----------------
cURL support => enabled
cURL Information => 7.64.0
cat: ext/curl/bug48203_multi.mem: No such file or directory


Actual result:
--------------
cURL support => enabled
cURL Information => 7.64.0
==30168== Invalid read of size 4
==30168==    at 0x6C0CF6E: fwrite (iofwrite.c:37)
==30168==    by 0x5BC806C: Curl_debug (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BC81E5: Curl_infof (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BE04A1: Curl_expire (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x5BE07A9: curl_multi_add_handle (in /home/cmb/curl/lib/libcurl.so.4.5.0)
==30168==    by 0x2812B5: zif_curl_multi_add_handle (multi.c:100)
==30168==    by 0x426867: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:649)
==30168==    by 0x426867: execute_ex (zend_vm_execute.h:55503)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
==30168==  Address 0x7990500 is 0 bytes inside a block of size 552 free'd
==30168==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30168==    by 0x6C0BC41: fclose@@GLIBC_2.2.5 (iofclose.c:84)
==30168==    by 0x362197: php_stdiop_close (plain_wrapper.c:464)
==30168==    by 0x35D277: _php_stream_free (streams.c:466)
==30168==    by 0x2E74B0: zif_fclose (file.c:920)
==30168==    by 0x426867: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:649)
==30168==    by 0x426867: execute_ex (zend_vm_execute.h:55503)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
==30168==  Block was alloc'd at
==30168==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30168==    by 0x6C0BE52: fdopen@@GLIBC_2.2.5 (iofdopen.c:139)
==30168==    by 0x362077: php_stdiop_cast (plain_wrapper.c:559)
==30168==    by 0x35FB0F: _php_stream_cast (cast.c:220)
==30168==    by 0x27C9E0: _php_curl_setopt (interface.c:2562)
==30168==    by 0x27E04F: zif_curl_setopt_array (interface.c:3125)
==30168==    by 0x42CDEC: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:819)
==30168==    by 0x42CDEC: execute_ex (zend_vm_execute.h:55519)
==30168==    by 0x42EFBF: zend_execute (zend_vm_execute.h:60939)
==30168==    by 0x3A529A: zend_execute_scripts (zend.c:1568)
==30168==    by 0x344E1F: php_execute_script (main.c:2639)
==30168==    by 0x43130D: do_cli (php_cli.c:997)
==30168==    by 0x1E74CC: main (php_cli.c:1389)
<snip>

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-08 10:48 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2020-01-08 10:55 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79078: Hypothetical use-after-free in curl_multi_add_handle()
On GitHub:  https://github.com/php/php-src/pull/5064
Patch:      https://github.com/php/php-src/pull/5064.patch
 [2020-01-08 10:55 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2020-01-08 17:44 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0dda4a844e63ccbcff1053fff65649dab0fd348f
Log: Fix #79078: Hypothetical use-after-free in curl_multi_add_handle()
 [2020-01-08 17:44 UTC] cmb@php.net
-Status: Open +Status: Closed
 [2020-01-08 17:45 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 20:01:29 2024 UTC