curl segfault #14102

Closed
ro0NL opened this issue May 1, 2024 · 9 comments

@ro0NL

ro0NL commented May 1, 2024

Description

The following code:

$ cat composer.json 
{
    "require": {
        "symfony/http-client": "^6.4"
    }
}

<?php

require 'vendor/autoload.php';

use Symfony\Component\HttpClient\HttpClient;

$c = HttpClient::create();
$r = $c->request('GET', 'https://www.dubarry.com/eu/nl/search?sSearch=386922_40');

var_dump($r->getStatusCode());

Resulted in this output:

I have no name!@f6e21ecae0c6:/app$ php test.php 
int(200)
I have no name!@f6e21ecae0c6:/app$ php test.php 
Segmentation fault (core dumped)
I have no name!@f6e21ecae0c6:/app$ php test.php 
Segmentation fault (core dumped)
I have no name!@f6e21ecae0c6:/app$ php test.php 
Segmentation fault (core dumped)
I have no name!@f6e21ecae0c6:/app$ php test.php 
Segmentation fault (core dumped)
I have no name!@f6e21ecae0c6:/app$ php test.php 
Segmentation fault (core dumped)
I have no name!@f6e21ecae0c6:/app$ php test.php 
int(200)

But I expected this output instead:

only integers

The relevant symfony issue is at symfony/symfony#54796

Last trace is https://github.com/symfony/symfony/blob/c168c2c137acee438463fcde2df1685cf74ff623/src/Symfony/Component/HttpClient/Response/CurlResponse.php#L288

PHP Version

PHP 8.1.28

Operating System

Linux f6e21ecae0c6 6.5.0-28-generic #29~22.04.1-Ubuntu

@nielsdos
Member

nielsdos commented May 1, 2024

I can't reproduce this. I'm using a more modern version of curl however: 8.7.1.

Can you please answer the following questions:

  • What extension do you have enabled?
  • If you have opcache enabled, does it reproduce e.g. with opcache disabled?
  • Do you know if it reproduces with a more modern curl version?
  • Can you please try running gdb --args php test.php and provide the backtrace (using bt) of the crash?

It's also possible that I need a specific version of the page to reproduce the error. I can see that the page I'm getting is definitely translated to my locale, so this could influence my results too.

@ro0NL
Author

ro0NL commented May 1, 2024

Thanks for the info, I got a stack trace, and, well, ehm 🙇

I have no name!@909cbec469d2:/app$ gdb php
GNU gdb (Debian 13.1-3) 13.1
...
Reading symbols from php...
(No debugging symbols found in php)
(gdb) run test.php 
Starting program: /usr/local/bin/php test.php
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7a3a3eb626c0 (LWP 308)]
[Thread 0x7a3a3eb626c0 (LWP 308) exited]

Thread 1 "php" received signal SIGSEGV, Segmentation fault.
0x00007a3a47fd7937 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007a3a47fd7937 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007a3a4814275c in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#2  0x00007a3a47c072ca in nghttp2_session_mem_recv () from /lib/x86_64-linux-gnu/libnghttp2.so.14
#3  0x00007a3a48141207 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#4  0x00007a3a48141df7 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#5  0x00007a3a4815edd9 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#6  0x00007a3a48171aa9 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#7  0x00007a3a48154fd4 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#8  0x00007a3a481563b6 in curl_multi_perform () from /lib/x86_64-linux-gnu/libcurl.so.4
#9  0x0000612f0931ca18 in ?? ()
#10 0x00007a3a44da2768 in bf_overwrite_call_original_handler () from /usr/local/lib/php/extensions/no-debug-non-zts-20210902/blackfire.so
#11 0x00007a3a44d96ba7 in ?? () from /usr/local/lib/php/extensions/no-debug-non-zts-20210902/blackfire.so
#12 0x0000612f0923a099 in ?? ()
#13 0x0000612f0923aee2 in ?? ()
#14 0x00007a3a44d9c0c0 in ?? () from /usr/local/lib/php/extensions/no-debug-non-zts-20210902/blackfire.so
#15 0x0000612f0923a009 in ?? ()
#16 0x0000612f0923aee2 in ?? ()
#17 0x00007a3a44d9c0c0 in ?? () from /usr/local/lib/php/extensions/no-debug-non-zts-20210902/blackfire.so
#18 0x0000612f095b60e2 in zend_generator_resume ()
#19 0x0000612f095b6c89 in ?? ()
#20 0x0000612f09551f46 in ?? ()
#21 0x0000612f09564a73 in ?? ()
#22 0x0000612f095984cd in execute_ex ()
#23 0x00007a3a44d9c0c0 in ?? () from /usr/local/lib/php/extensions/no-debug-non-zts-20210902/blackfire.so
#24 0x0000612f0923a009 in ?? ()
#25 0x0000612f0923aee2 in ?? ()
#26 0x00007a3a44d9c0c0 in ?? () from /usr/local/lib/php/extensions/no-debug-non-zts-20210902/blackfire.so
#27 0x0000612f0923a009 in ?? ()
#28 0x0000612f0923aee2 in ?? ()
#29 0x00007a3a44d9c0c0 in ?? () from /usr/local/lib/php/extensions/no-debug-non-zts-20210902/blackfire.so
#30 0x0000612f095a09ef in zend_execute ()
#31 0x0000612f095331e8 in zend_execute_scripts ()
#32 0x0000612f094cf7a1 in php_execute_script ()
#33 0x0000612f096179a3 in ?? ()
#34 0x0000612f09245016 in ?? ()
#35 0x00007a3a47eac24a in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#36 0x00007a3a47eac305 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#37 0x0000612f09246351 in _start ()

So it seems related to the blackfire extension :S

@nielsdos
Member

nielsdos commented May 1, 2024

The crash happens inside nghttp2, which is used to perform HTTP2 stuff for libcurl.
Probably something else corrupted memory, e.g. it could be the blackfire extension doing that.
Try disabling blackfire and see if it reproduces.

@ro0NL
Author

ro0NL commented May 1, 2024

I've submitted a blackfire request. I found no easy way to disable the extension on demand.

@nielsdos
Member

nielsdos commented May 1, 2024

What's stopping you from taking it out of your php.ini temporarily?

@ro0NL
Author

ro0NL commented May 1, 2024

Right! I forgot it worked like that. The image doesn't have vim -.-

I did a build from source without blackfire enabled, and it still reproduces:

#0  0x0000793b372bb937 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000793b3742675c in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#2  0x0000793b36eeb2ca in nghttp2_session_mem_recv () from /lib/x86_64-linux-gnu/libnghttp2.so.14
#3  0x0000793b37425207 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#4  0x0000793b37425df7 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#5  0x0000793b37442dd9 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#6  0x0000793b37455aa9 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#7  0x0000793b37438fd4 in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#8  0x0000793b3743a3b6 in curl_multi_perform () from /lib/x86_64-linux-gnu/libcurl.so.4
#9  0x000064aa4d11ca18 in ?? ()
#10 0x000064aa4d039d98 in ?? ()
#11 0x000064aa4d03aeef in ?? ()
#12 0x000064aa4d3b60e2 in zend_generator_resume ()
#13 0x000064aa4d3b6c89 in ?? ()
#14 0x000064aa4d351f46 in ?? ()
#15 0x000064aa4d364a73 in ?? ()
#16 0x000064aa4d3984cd in execute_ex ()
#17 0x000064aa4d3a09ef in zend_execute ()
#18 0x000064aa4d3331e8 in zend_execute_scripts ()
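
The two gdb backtraces above can be compared mechanically even though every address differs between runs (gdb reported that it could not disable address space randomization). This added example, which is not code from the thread or from PHP, keys each frame on module, low 12 address bits and symbol, and shows that the crash path through libc, libcurl and libnghttp2 is the same with and without blackfire.so. It assumes 4 KiB pages and that frames printed without a `from` clause belong to the php binary.

```python
import re

# Excerpts (frames #0-#2 and #8-#10) of the two gdb backtraces quoted in this issue.
WITH_BLACKFIRE = """\
#0  0x00007a3a47fd7937 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007a3a4814275c in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#2  0x00007a3a47c072ca in nghttp2_session_mem_recv () from /lib/x86_64-linux-gnu/libnghttp2.so.14
#8  0x00007a3a481563b6 in curl_multi_perform () from /lib/x86_64-linux-gnu/libcurl.so.4
#9  0x0000612f0931ca18 in ?? ()
#10 0x00007a3a44da2768 in bf_overwrite_call_original_handler () from /usr/local/lib/php/extensions/no-debug-non-zts-20210902/blackfire.so
"""
WITHOUT_BLACKFIRE = """\
#0  0x0000793b372bb937 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000793b3742675c in ?? () from /lib/x86_64-linux-gnu/libcurl.so.4
#2  0x0000793b36eeb2ca in nghttp2_session_mem_recv () from /lib/x86_64-linux-gnu/libnghttp2.so.14
#8  0x0000793b3743a3b6 in curl_multi_perform () from /lib/x86_64-linux-gnu/libcurl.so.4
#9  0x000064aa4d11ca18 in ?? ()
#10 0x000064aa4d039d98 in ?? ()
"""

FRAME = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (\S+) \(\)(?: from (\S+))?$", re.M)

def parse_frames(bt):
    """Return [(frame_no, module, page_offset, symbol)]; module None = php binary (assumed)."""
    frames = []
    for num, addr, sym, path in FRAME.findall(bt):
        module = path.rsplit("/", 1)[-1] if path else None
        # ASLR moves mappings by whole pages, so addr & 0xfff is stable across runs.
        frames.append((int(num), module, int(addr, 16) & 0xFFF,
                       None if sym == "??" else sym))
    return frames

def fault_path(bt):
    """Frames from the crash site up to the first frame inside the php binary."""
    frames = parse_frames(bt)
    end = next((i for i, f in enumerate(frames) if f[1] is None), len(frames))
    return frames[:end]

def modules(bt):
    """Every shared object that appears anywhere in the backtrace."""
    return {f[1] for f in parse_frames(bt) if f[1]}

if __name__ == "__main__":
    same = fault_path(WITH_BLACKFIRE) == fault_path(WITHOUT_BLACKFIRE)
    print("identical fault path:", same)
    print("fault-path modules:", sorted({f[1] for f in fault_path(WITH_BLACKFIRE)}))
    print("only in first trace:", modules(WITH_BLACKFIRE) - modules(WITHOUT_BLACKFIRE))
```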

@ro0NL
Author

ro0NL commented May 1, 2024

I also forgot to mention; the relevant Dockerfile is at: https://github.com/etrias-nl/php/blob/main/Dockerfile

@ro0NL
Author

ro0NL commented May 1, 2024

I can still reproduce it with a minimal Dockerfile:

FROM php:8.1.28-fpm

RUN ln -sr /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini

The bundled curl version is 7.88.1, but I'm not sure how to update it.

PHP 8.1.0 seems stable, which bundles 7.74.0.

@nielsdos
Member

nielsdos commented May 1, 2024

I could reproduce the issue using the minimal Dockerfile.
Valgrind gives me the following:

root@c93531b975b1:/var/www/html# valgrind php index.php 
==27136== Memcheck, a memory error detector
==27136== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==27136== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==27136== Command: php index.php
==27136== 
==27136== Invalid write of size 8
==27136==    at 0x484A35B: memmove (vg_replace_strmem.c:1382)
==27136==    by 0x521E75B: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0)
==27136==    by 0x578A2C9: nghttp2_session_mem_recv (in /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.24.1)
==27136==    by 0x521D206: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0)
==27136==    by 0x521DDF6: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0)
==27136==    by 0x523ADD8: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0)
==27136==    by 0x524DAA8: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0)
==27136==    by 0x5230FD3: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0)
==27136==    by 0x52323B5: curl_multi_perform (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0)
==27136==    by 0x424A17: ??? (in /usr/local/bin/php)
==27136==    by 0x6A659F: execute_ex (in /usr/local/bin/php)
==27136==    by 0x6BE061: zend_generator_resume (in /usr/local/bin/php)
==27136==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

I then manually built and installed the latest curl version, and the problem disappeared.
So it appears that the distro your Docker image uses ships a version of curl with a bug that's fixed in a more recent curl version but was not backported.
So this is after all not a PHP bug but a curl bug; the only thing I can advise you on is to try to obtain a newer version of curl.

nielsdos closed this as not planned May 1, 2024