php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81597 curl SIGSEGV with PROGRESS
Submitted: 2021-11-08 09:01 UTC Modified: 2024-07-28 04:22 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: erik at coretech dot se Assigned: cmb (profile)
Status: No Feedback Package: cURL related
PHP Version: 8.0.12 OS:
Private report: No CVE-ID: None
 [2021-11-08 09:01 UTC] erik at coretech dot se
Description:
------------
PHP crashes randomly with SIGSEGV (about 1/2 of the times) when the code below is executed.

==805465== Thread 2:
==805465== Jump to the invalid address stated on the next line
==805465==    at 0xA08E150: ???
==805465==    by 0x82DC159: start_thread (in /usr/lib64/libpthread-2.28.so)
==805465==    by 0x800BDD2: clone (in /usr/lib64/libc-2.28.so)
==805465==  Address 0xa08e150 is not stack'd, malloc'd or (recently) free'd
==805465== 
==805465== 
==805465== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==805465==  Access not within mapped region at address 0xA08E150
==805465==    at 0xA08E150: ???
==805465==    by 0x82DC159: start_thread (in /usr/lib64/libpthread-2.28.so)
==805465==    by 0x800BDD2: clone (in /usr/lib64/libc-2.28.so)


Test script:
---------------
<?php

class curltest {

        public function start() {

                $this->ch = curl_init();

                $urlstr = "https://www.php.net/distributions/php-8.0.12.tar.gz";

                curl_setopt($this->ch, CURLOPT_URL, $urlstr);
                curl_setopt($this->ch, CURLOPT_RETURNTRANSFER, FALSE);
                curl_setopt($this->ch, CURLOPT_WRITEFUNCTION, array($this, 'do_write'));
                curl_setopt($this->ch, CURLOPT_PROGRESSFUNCTION, array($this, 'do_progress'));
                curl_setopt($this->ch, CURLOPT_NOPROGRESS, FALSE);
                curl_setopt($this->ch, CURLOPT_NOSIGNAL, TRUE);

                $ret = curl_exec($this->ch);
        }

	private function do_write($ch, $data) {
                return strlen($data);
        }

	private function do_progress($ch, $a = NULL, $b = NULL, $c = NULL, $d = NULL) {
                return 1;
        }

}

$c = new curltest();
$c->start();


Expected result:
----------------
No crash

Actual result:
--------------
Crashes with SIGSEGV

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-11-08 09:08 UTC] nikic@php.net
I can't reproduce this with libcurl 7.68.0 (no crash or warnings under valgrind).

Which version of curl are you using?
 [2021-11-08 09:16 UTC] erik at coretech dot se
curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.4/openssl/zlib nghttp2/1.33.0

This is the version shipped with Rocky8
 [2021-11-13 06:00 UTC] camporter1 at gmail dot com
An occasional segfault is reproducible for me on rocky linux 8.4 x86_64.

Enabled remirepo for 8.0 since php 8.0 isn't provided by the distro.

Trace:

{   "signal": 11
,   "executable": "/usr/bin/php"
,   "stacktrace":
      [ {   "crash_thread": true
        ,   "frames":
              [ {   "address": 140011838288336
                ,   "build_id_offset": 140011838288336
                } ]
        }
      , {   "frames":
              [ {   "address": 140011872431189
                ,   "build_id": "296658ed4f68231cb3ef55ded9b584404deed520"
                ,   "build_id_offset": 535637
                ,   "function_name": "_int_free"
                ,   "file_name": "/lib64/libc.so.6"
                }
              , {   "address": 94252436834069
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 2942741
                ,   "function_name": "zend_hash_destroy"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252437279985
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 3388657
                ,   "function_name": "zend_interned_strings_dtor"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252436355664
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 2464336
                ,   "function_name": "php_module_shutdown"
                ,   "file_name": "/usr/bin/php"
                }
              , {   "address": 94252435012844
                ,   "build_id": "d65e2b1adddfb386f79a94fc816aea6cdf5c5ee5"
                ,   "build_id_offset": 1121516
                ,   "function_name": "main"
                ,   "file_name": "/usr/bin/php"
                } ]
        } ]
}
 [2024-07-19 21:30 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2024-07-19 21:30 UTC] cmb@php.net
Is that still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions>
 [2024-07-28 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 22:01:31 2024 UTC