|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81428 Crash with cycle containing a curl_multi_handle
Submitted: 2021-09-09 16:21 UTC Modified: 2021-09-23 13:03 UTC
From: Assigned:
Status: Open Package: cURL related
PHP Version: 8.0.10 OS: Ubuntu
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-09-09 16:21 UTC]
Executing a curl_multi_cleanup() on a multi handle holding references to an already freed easy handle is not allowed.

This issue only appears in a cycle, where the destruction order guarantees (i.e. adding easy handle to multi handle increases RC of easy handle) are not upheld.

The issue exists in PHP 8.0+, when a proper get_gc handle was added for curl handles.

Test script:

// inspired from ext/curl/tests/bug77535.phpt

class MyHttpClient
    private $mh;

    public function sendRequest()
        $this->mh = curl_multi_init();

	$curl = curl_init();
	curl_setopt($curl, CURLOPT_URL, '');
	curl_setopt($curl, CURLOPT_WRITEFUNCTION, function ($ch, $data) {
            return \strlen($data); // Closure preserves $this reference, creates cycle

	curl_multi_setopt($this->mh, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
        curl_multi_setopt($this->mh, CURLMOPT_PUSHFUNCTION, function() { return CURL_PUSH_OK; });
        curl_multi_add_handle($this->mh, $curl);

	while (curl_multi_exec($this->mh, $s) === CURLM_CALL_MULTI_PERFORM || curl_multi_info_read($this->mh) === false);

$buzz = new MyHttpClient();

Expected result:
No segfault

Actual result:
Segfault, valgrind output:

==21019== Invalid write of size 1
==21019==    at 0x52367B4: Curl_http_done (http.c:1551)
==21019==    by 0x5256CF7: multi_done (multi.c:560)
==21019==    by 0x5256FC9: curl_multi_cleanup (multi.c:2270)
==21019==    by 0x436334: curl_multi_free_obj (multi.c:551)
==21019==    by 0x92B9E8: zend_objects_store_del (zend_objects_API.c:200)
==21019==    by 0x849172: rc_dtor_func (zend_variables.c:57)
==21019==    by 0x92409C: i_zval_ptr_dtor (zend_variables.h:44)
==21019==    by 0x924563: zend_object_std_dtor (zend_objects.c:70)
==21019==    by 0x90BB71: zend_gc_collect_cycles (zend_gc.c:1588)
==21019==    by 0x8346BA: zend_shutdown_executor_values (zend_execute_API.c:367)
==21019==    by 0x834741: shutdown_executor (zend_execute_API.c:391)
==21019==    by 0x84BA53: zend_deactivate (zend.c:1259)
==21019==  Address 0x8eb2d61 is 5,089 bytes inside a block of size 6,304 free'd
==21019==    at 0x48369AB: free (in /usr/lib/x86_64-linux-gnu/valgrind/
==21019==    by 0x5242B8B: Curl_close (url.c:397)
==21019==    by 0x524F88C: curl_easy_cleanup (easy.c:826)
==21019==    by 0x431D1A: curl_free_obj (interface.c:3446)
==21019==    by 0x90BB71: zend_gc_collect_cycles (zend_gc.c:1588)
==21019==    by 0x8346BA: zend_shutdown_executor_values (zend_execute_API.c:367)
==21019==    by 0x834741: shutdown_executor (zend_execute_API.c:391)
==21019==    by 0x84BA53: zend_deactivate (zend.c:1259)
==21019==    by 0x7B5A5E: php_request_shutdown (main.c:1831)
==21019==    by 0x9AC2B7: do_cli (php_cli.c:1135)
==21019==    by 0x9ACA17: main (php_cli.c:1367)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-09-15 10:36 UTC]
I cannot reproduce this bug... And, the security here should be guaranteed by libcurl, right? When we call curl_easy_cleanup(), libcurl will remove the easy handle from multi by curl_multi_remove_handle(), then the multi should no longer access the easy handle which has been released anymore.
 [2021-09-23 12:58 UTC]
For some reason this just hangs when I run it under valgrind :/
 [2021-09-23 13:03 UTC]
It eventually ran through, but I'm also not seeing any use after free.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Oct 02 06:05:52 2022 UTC