Edit report at https://bugs.php.net/bug.php?id=62008&edit=1

 ID:                 62008
 Updated by:         s...@php.net
 Reported by:        steve at dirtyandroid dot com
-Summary:            Buffer Overflow
+Summary:            signal 6 in curl_multi_fdset
 Status:             Open
-Type:               Security
+Type:               Bug
-Package:            *General Issues
+Package:            cURL related
 Operating System:   Ubuntu Precise
 PHP Version:        5.3.10-1ubuntu3.1 with Suhosin-Patch (cli) (built: May 4 2012 02:20:36)
 Block user comment: N
 Private report:     Y

Previous Comments:
------------------------------------------------------------------------
[2012-05-30 19:47:28] steve at dirtyandroid dot com

I've got a backtrace. I've realised that it does in fact crash on particular jobs, rather than randomly after a load of them.

Any fixes or workarounds are immensely welcome, this is causing an untold amount of pain for me.

Program terminated with signal 6, Aborted.
#0  0x00007f1ee5839445 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007f1ee5839445 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f1ee583cbab in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f1ee5876e2e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007f1ee590c007 in __fortify_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007f1ee590af00 in __chk_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007f1ee590bfbe in __fdelt_warn () from /lib/x86_64-linux-gnu/libc.so.6
#6  0x00007f1ee4d2b33b in curl_multi_fdset () from /usr/lib/x86_64-linux-gnu/libcurl.so.4
#7  0x00007f1ee4f5ca45 in zif_curl_multi_select (ht=19794, return_value=0x3609b28, return_value_ptr=0x6, this_ptr=0xffffffffffffffff, return_value_used=-443070624)
    at /build/buildd/php5-5.3.10/ext/curl/multi.c:193
#8  0x000000000070f77d in zend_do_fcall_common_helper_SPEC (execute_data=0x7f1ee014a8c0)
    at /build/buildd/php5-5.3.10/Zend/zend_vm_execute.h:320
#9  0x00000000006c02eb in execute (op_array=0x1535b68)
    at /build/buildd/php5-5.3.10/Zend/zend_vm_execute.h:107
#10 0x000000000068d82c in zend_call_function (fci=0x7fffbe3b8600, fci_cache=0x7f1ee0147d68)
    at /build/buildd/php5-5.3.10/Zend/zend_execute_API.c:969
#11 0x00000000005cfeb1 in zif_call_user_func (ht=19794, return_value=0x18b9ff0, return_value_ptr=0x6, this_ptr=0xffffffffffffffff, return_value_used=-443070624)
    at /build/buildd/php5-5.3.10/ext/standard/basic_functions.c:4778
#12 0x000000000070f77d in zend_do_fcall_common_helper_SPEC (execute_data=0x7f1ee0147d68)
    at /build/buildd/php5-5.3.10/Zend/zend_vm_execute.h:320
#13 0x00000000006c02eb in execute (op_array=0x12fae50)
    at /build/buildd/php5-5.3.10/Zend/zend_vm_execute.h:107
#14 0x000000000068d82c in zend_call_function (fci=0x7fffbe3b88f0, fci_cache=0x7f1ee01479a0)
    at /build/buildd/php5-5.3.10/Zend/zend_execute_API.c:969
#15 0x00000000005cfeb1 in zif_call_user_func (ht=19794, return_value=0x18bf778, return_value_ptr=0x6, this_ptr=0xffffffffffffffff, return_value_used=-443070624)
    at /build/buildd/php5-5.3.10/ext/standard/basic_functions.c:4778
#16 0x000000000070f77d in zend_do_fcall_common_helper_SPEC (execute_data=0x7f1ee01479a0)
    at /build/buildd/php5-5.3.10/Zend/zend_vm_execute.h:320
#17 0x00000000006c02eb in execute (op_array=0x12e6440)
    at /build/buildd/php5-5.3.10/Zend/zend_vm_execute.h:107
#18 0x000000000069b850 in zend_execute_scripts (type=0, retval=0x800000000, file_count=3)
    at /build/buildd/php5-5.3.10/Zend/zend.c:1308
#19 0x0000000000647f03 in php_execute_script (primary_file=0x7f1ee583def6)
    at /build/buildd/php5-5.3.10/main/main.c:2323
#20 0x000000000042c797 in main (argc=32767, argv=0x7fffbe3bbe1a)
    at /build/buildd/php5-5.3.10/sapi/cli/php_cli.c:1188

Curl stuff from phpinfo:

cURL support => enabled
cURL Information => 7.22.0
Age => 3
Features
AsynchDNS => No
Debug => No
GSS-Negotiate => Yes
IDN => Yes
IPv6 => Yes
Largefile => Yes
NTLM => Yes
SPNEGO => No
SSL => Yes
SSPI => No
krb4 => No
libz => Yes
CharConv => No
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, pop3, pop3s, rtmp, rtsp, smtp, smtps, telnet, tftp
Host => x86_64-pc-linux-gnu
SSL Version => OpenSSL/1.0.1
ZLib Version => 1.2.3.4

------------------------------------------------------------------------
[2012-05-15 14:17:17] steve at dirtyandroid dot com

Sure, I'll give it a go when I get a chance, probably later this week.

------------------------------------------------------------------------
[2012-05-15 13:46:34] tony2...@php.net

Could you pls try to get a decent GDB backtrace?
See instructions here: https://bugs.php.net/bugs-generating-backtrace.php

------------------------------------------------------------------------
[2012-05-13 15:11:19] steve at dirtyandroid dot com

I'm sorry but I have no idea what in my >20k line codebase is triggering this, and thus can't give you an example script.

------------------------------------------------------------------------
[2012-05-13 14:46:37] fel...@php.net

Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If the script requires a database to demonstrate the issue, please make sure it creates all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=62008