Bug #81597 curl SIGSEGV with PROGRESS
Submitted: 2021-11-08 09:01 UTC Modified: 2021-11-08 09:08 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: erik at coretech dot se Assigned:
Status: Open Package: cURL related
PHP Version: 8.0.12 OS:
Private report: No CVE-ID: None

 [2021-11-08 09:01 UTC] erik at coretech dot se
Description:
------------
PHP crashes randomly with SIGSEGV (about 1/2 of the time) when the code below is executed.

==805465== Thread 2:
==805465== Jump to the invalid address stated on the next line
==805465==    at 0xA08E150: ???
==805465==    by 0x82DC159: start_thread (in /usr/lib64/libpthread-2.28.so)
==805465==    by 0x800BDD2: clone (in /usr/lib64/libc-2.28.so)
==805465==  Address 0xa08e150 is not stack'd, malloc'd or (recently) free'd
==805465== 
==805465== 
==805465== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==805465==  Access not within mapped region at address 0xA08E150
==805465==    at 0xA08E150: ???
==805465==    by 0x82DC159: start_thread (in /usr/lib64/libpthread-2.28.so)
==805465==    by 0x800BDD2: clone (in /usr/lib64/libc-2.28.so)


Test script:
---------------
<?php

class curltest {

        public function start() {

                $this->ch = curl_init();

                $urlstr = "https://www.php.net/distributions/php-8.0.12.tar.gz";

                curl_setopt($this->ch, CURLOPT_URL, $urlstr);
                curl_setopt($this->ch, CURLOPT_RETURNTRANSFER, FALSE);
                curl_setopt($this->ch, CURLOPT_WRITEFUNCTION, array($this, 'do_write'));
                curl_setopt($this->ch, CURLOPT_PROGRESSFUNCTION, array($this, 'do_progress'));
                curl_setopt($this->ch, CURLOPT_NOPROGRESS, FALSE);
                curl_setopt($this->ch, CURLOPT_NOSIGNAL, TRUE);

                $ret = curl_exec($this->ch);
        }

        private function do_write($ch, $data) {
                return strlen($data);
        }

        private function do_progress($ch, $a = NULL, $b = NULL, $c = NULL, $d = NULL) {
                return 1;
        }

}

$c = new curltest();
$c->start();


Expected result:
----------------
No crash

Actual result:
--------------
Crashes with SIGSEGV

 [2021-11-08 09:08 UTC] nikic@php.net
I can't reproduce this with libcurl 7.68.0 (no crash or warnings under valgrind).

Which version of curl are you using?
 [2021-11-08 09:16 UTC] erik at coretech dot se
curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.4/openssl/zlib nghttp2/1.33.0

This is the version shipped with Rocky8
 [2021-11-13 06:00 UTC] camporter1 at gmail dot com
An occasional segfault is reproducible for me on Rocky Linux 8.4 x86_64.

Enabled remirepo for 8.0 since PHP 8.0 isn't provided by the distro.

Trace:

{   "signal": 11
,   "executable": "/usr/bin/php"
,   "stacktrace":
      [ {   "crash_thread": true
        ,   "frames":
              [ {   "address": 140011838288336
                ,   "build_id_offset": 140011838288336
                } ]
        }
      , {   "frames":
              [ {   "address": 140011872431189
                ,   "build_id": "296658ed4f68231cb3ef55ded9b584404deed520"
                ,   "build_id_offset": 535637
                ,   "function_name": "_int_free"
                ,   "file_name": "/lib64/libc.so.6"
                }
              , {   "address": 94252436834069
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 2942741
                ,   "function_name": "zend_hash_destroy"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252437279985
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 3388657
                ,   "function_name": "zend_interned_strings_dtor"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252436355664
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 2464336
                ,   "function_name": "php_module_shutdown"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252435012844
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 1121516
                ,   "function_name": "main"
                ,   "file_name": "/usr/bin/php"
                } ]
        } ]
}
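
Added example (not part of the bug report or of PHP's own tooling): a small Python triage of the JSON trace posted above, run on a trimmed copy of it (build ids and addresses of the resolved frames dropped). It assumes that a frame carrying neither build_id nor file_name is one the unwinder could not map to a loaded object; triage and is_resolved are names chosen here.

```python
import json

# Trimmed copy of the trace from the comment above: function and file names
# kept as posted, build ids and addresses of the resolved frames dropped.
TRACE = json.loads("""
{"signal": 11, "executable": "/usr/bin/php", "stacktrace": [
  {"crash_thread": true,
   "frames": [{"address": 140011838288336, "build_id_offset": 140011838288336}]},
  {"frames": [
     {"function_name": "_int_free", "file_name": "/lib64/libc.so.6"},
     {"function_name": "zend_hash_destroy", "file_name": "/usr/bin/php"},
     {"function_name": "zend_interned_strings_dtor", "file_name": "/usr/bin/php"},
     {"function_name": "php_module_shutdown", "file_name": "/usr/bin/php"},
     {"function_name": "main", "file_name": "/usr/bin/php"}]}]}
""")


def is_resolved(frame):
    """Assumption: a frame with a build_id or file_name was mapped to a loaded object."""
    return "build_id" in frame or "file_name" in frame


def triage(trace):
    """Summarise which thread crashed and what the remaining threads were doing."""
    threads = trace["stacktrace"]
    crashed = [t for t in threads if t.get("crash_thread")]
    if len(crashed) != 1:
        raise ValueError("expected exactly one crash_thread entry")
    frames = crashed[0]["frames"]
    top = frames[0] if frames else {}
    others = [[f.get("function_name", "??") for f in t["frames"]]
              for t in threads if not t.get("crash_thread")]
    return {
        "signal": trace["signal"],
        # Program counter not inside any known object; compare with valgrind's
        # "Access not within mapped region" in the original report.
        "pc_unmapped": not is_resolved(top),
        "crash_pc": hex(top.get("address", 0)),
        # True when another thread was already tearing the interpreter down.
        "in_shutdown": any("php_module_shutdown" in s for s in others),
        "other_stacks": others,
    }


if __name__ == "__main__":
    print(json.dumps(triage(TRACE), indent=2))
```

On this trace the crashing thread has a single unresolved frame while the other thread is inside php_module_shutdown, which is the detail worth comparing against the start_thread frames in the valgrind output of the original report.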
 
Last updated: Fri Aug 19 08:04:05 2022 UTC