php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81428 Crash with cycle containing a curl_multi_handle
Submitted: 2021-09-09 16:21 UTC Modified: 2021-09-23 13:03 UTC
From: bwoebi@php.net Assigned:
Status: Open Package: cURL related
PHP Version: 8.0.10 OS: Ubuntu
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bwoebi@php.net
New email:
PHP Version: OS:

 

 [2021-09-09 16:21 UTC] bwoebi@php.net
Description:
------------
Executing a curl_multi_cleanup() on a multi handle holding references to an already freed easy handle is not allowed.

This issue only appears in a cycle, where the destruction order guarantees (i.e. adding easy handle to multi handle increases RC of easy handle) are not upheld.

The issue exists in PHP 8.0+, when a proper get_gc handle was added for curl handles.

Test script:
---------------
<?php

// inspired from ext/curl/tests/bug77535.phpt

class MyHttpClient
{
    private $mh;

    public function sendRequest()
    {
        $this->mh = curl_multi_init();

	$curl = curl_init();
	curl_setopt($curl, CURLOPT_URL, 'https://http2.golang.org/serverpush');
	curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0);
	curl_setopt($curl, CURLOPT_WRITEFUNCTION, function ($ch, $data) {
            return \strlen($data); // Closure preserves $this reference, creates cycle
	});

	curl_multi_setopt($this->mh, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
        curl_multi_setopt($this->mh, CURLMOPT_PUSHFUNCTION, function() { return CURL_PUSH_OK; });
        curl_multi_add_handle($this->mh, $curl);

	while (curl_multi_exec($this->mh, $s) === CURLM_CALL_MULTI_PERFORM || curl_multi_info_read($this->mh) === false);
	gc_collect_cycles();
    }
}

$buzz = new MyHttpClient();
$buzz->sendRequest();

Expected result:
----------------
No segfault

Actual result:
--------------
Segfault, valgrind output:

==21019== Invalid write of size 1
==21019==    at 0x52367B4: Curl_http_done (http.c:1551)
==21019==    by 0x5256CF7: multi_done (multi.c:560)
==21019==    by 0x5256FC9: curl_multi_cleanup (multi.c:2270)
==21019==    by 0x436334: curl_multi_free_obj (multi.c:551)
==21019==    by 0x92B9E8: zend_objects_store_del (zend_objects_API.c:200)
==21019==    by 0x849172: rc_dtor_func (zend_variables.c:57)
==21019==    by 0x92409C: i_zval_ptr_dtor (zend_variables.h:44)
==21019==    by 0x924563: zend_object_std_dtor (zend_objects.c:70)
==21019==    by 0x90BB71: zend_gc_collect_cycles (zend_gc.c:1588)
==21019==    by 0x8346BA: zend_shutdown_executor_values (zend_execute_API.c:367)
==21019==    by 0x834741: shutdown_executor (zend_execute_API.c:391)
==21019==    by 0x84BA53: zend_deactivate (zend.c:1259)
==21019==  Address 0x8eb2d61 is 5,089 bytes inside a block of size 6,304 free'd
==21019==    at 0x48369AB: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==21019==    by 0x5242B8B: Curl_close (url.c:397)
==21019==    by 0x524F88C: curl_easy_cleanup (easy.c:826)
==21019==    by 0x431D1A: curl_free_obj (interface.c:3446)
==21019==    by 0x90BB71: zend_gc_collect_cycles (zend_gc.c:1588)
==21019==    by 0x8346BA: zend_shutdown_executor_values (zend_execute_API.c:367)
==21019==    by 0x834741: shutdown_executor (zend_execute_API.c:391)
==21019==    by 0x84BA53: zend_deactivate (zend.c:1259)
==21019==    by 0x7B5A5E: php_request_shutdown (main.c:1831)
==21019==    by 0x9AC2B7: do_cli (php_cli.c:1135)
==21019==    by 0x9ACA17: main (php_cli.c:1367)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-09-15 10:36 UTC] twosee@php.net
I cannot reproduce this bug... And, the security here should be guaranteed by libcurl, right? When we call curl_easy_cleanup(), libcurl will remove the easy handle from multi by curl_multi_remove_handle(), then the multi should no longer access the easy handle which has been released anymore.
 [2021-09-23 12:58 UTC] nikic@php.net
For some reason this just hangs when I run it under valgrind :/
 [2021-09-23 13:03 UTC] nikic@php.net
It eventually ran through, but I'm also not seeing any use after free.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Oct 25 17:03:33 2021 UTC