#1369 curl crashes with segmentation fault in httpd in use with PHP

closed-fixed
DarwinSSL (3)
5
2015-02-22
2014-05-08
No

curl 7.36.0 (x86_64-apple-darwin13.1.0) libcurl/7.36.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz

Process 26863 stopped
* thread #1: tid = 0x226200, 0x00007fff91faf452 CoreFoundation`CFArrayGetValueAtIndex + 114, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00007fff91faf452 CoreFoundation`CFArrayGetValueAtIndex + 114
CoreFoundation`CFArrayGetValueAtIndex + 114:
-> 0x7fff91faf452:  movq   (%rax), %rcx
   0x7fff91faf455:  leaq   0x10(%rax,%rcx,8), %rbx
   0x7fff91faf45a:  jmp    0x7fff91faf49c            ; CFArrayGetValueAtIndex + 188
   0x7fff91faf45c:  movq   -0x15f07b03(%rip), %rax   ; { /usr/lib/libobjc.A.dylib`objc_msgSend_fixedup, "objectAtIndex:" }
(lldb) bt
* thread #1: tid = 0x226200, 0x00007fff91faf452 CoreFoundation`CFArrayGetValueAtIndex + 114, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00007fff91faf452 CoreFoundation`CFArrayGetValueAtIndex + 114
    frame #1: 0x00000001006eebb8 libcurl.4.dylib`darwinssl_connect_common + 1571
    frame #2: 0x00000001006ede55 libcurl.4.dylib`Curl_ssl_connect_nonblocking + 36
    frame #3: 0x00000001006ba725 libcurl.4.dylib`Curl_http_connect + 77
    frame #4: 0x00000001006c8263 libcurl.4.dylib`Curl_protocol_connect + 129
    frame #5: 0x00000001006d89d0 libcurl.4.dylib`multi_runsingle + 732
    frame #6: 0x00000001006d8661 libcurl.4.dylib`curl_multi_perform + 168
    frame #7: 0x00000001006d2f5d libcurl.4.dylib`curl_easy_perform + 338
    frame #8: 0x0000000102902ea0 libphp5.so`zif_curl_exec + 128
    frame #9: 0x0000000102c34417 libphp5.so`zend_do_fcall_common_helper_SPEC + 1799
    frame #10: 0x0000000102be9bb1 libphp5.so`execute + 678
    frame #11: 0x0000000102bba1d8 libphp5.so`zend_call_function + 1922
    frame #12: 0x0000000102aad882 libphp5.so`zif_call_user_func_array + 102
    frame #13: 0x0000000102c34417 libphp5.so`zend_do_fcall_common_helper_SPEC + 1799
    frame #14: 0x0000000102be9bb1 libphp5.so`execute + 678
    frame #15: 0x0000000102bc6a61 libphp5.so`zend_execute_scripts + 515
    frame #16: 0x0000000102b6e121 libphp5.so`php_execute_script + 796
    frame #17: 0x0000000102c561d0 libphp5.so`php_handler + 1145
    frame #18: 0x000000010000351d httpd`ap_run_handler + 65
    frame #19: 0x000000010000396a httpd`ap_invoke_handler + 244
    frame #20: 0x0000000100030919 httpd`ap_process_async_request + 895
    frame #21: 0x00000001000309c0 httpd`ap_process_request + 25
    frame #22: 0x000000010002d972 httpd`ap_process_http_connection + 161
    frame #23: 0x0000000100011e49 httpd`ap_run_process_connection + 65
    frame #24: 0x0000000100037581 httpd`child_main + 923
    frame #25: 0x00000001000370bb httpd`make_child + 378
    frame #26: 0x0000000100036479 httpd`prefork_run + 1040
    frame #27: 0x0000000100013bb9 httpd`ap_run_mpm + 82
    frame #28: 0x000000010000a178 httpd`main + 2304

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2014-05-08

    Thanks. Can you repeat this? Can you figure out what's wrong in that call to CFArrayGetValueAtIndex() ? Can you help us tell which call to CFArrayGetValueAtIndex this concerns? The stack trace in your report is a bit hard to follow, probably because your library is optimized.

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-05-08
    • assigned_to: Daniel Stenberg
     
  • Marco Lehmann

    Marco Lehmann - 2014-05-08

    If you describe to me how to do this, I will help you as best as I can. I thought it might be a PHP error. Therefore I ran httpd with lldb and got the backtrace above. Do you need the curl options used for the call? Or any other information?

     
  • Marco Lehmann

    Marco Lehmann - 2014-05-09

    In the meantime I figured out that Secure Transport was the problem. Building curl with the option --with-openssl (Homebrew) worked for me. No more crashes.

    Curl was configured with this line:

    $ curl-config --configure
    --disable-debug --disable-dependency-tracking --prefix=/usr/local/Cellar/curl/7.36.0 --with-ssl=/usr/local/opt/openssl --without-libssh2 --without-libidn --without-libmetalink --without-gssapi --without-librtmp --disable-ares CC=clang
    

    OpenSSL version 1.0.1g (also from Homebrew) is used.

     
    Last edit: Marco Lehmann 2014-05-09
  • Daniel Stenberg

    Daniel Stenberg - 2014-05-10

    Right, there's no surprise that a different SSL backend works around the problem since the crash was obviously within the darwinssl specific code.

    In order to track this down, we would really like to know what curl options you set, and I got a few more questions from a fellow libcurl hacker:

    1. Is the user authenticating with the server using a PKCS#12 (.p12) file?

    2. If so, can that user send me a sample P12 file so I can see what's going on? This feature did work for me when I last tested it using a home-made security identity in a P12 file.

    3. If not, is the user authenticating using any other type of file, e.g. PEM or DER? The darwinssl code doesn't support that because Apple won't open up the function to build an identity from a PEM or DER and private key file.

     
  • Marco Lehmann

    Marco Lehmann - 2014-05-10

    Hi Daniel,

    a PEM file is used. So Secure Transport isn't intended to work with that type of key file? Besides this, I think that curl should not crash anyway ;)

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-05-11

    Marco, nobody has said it should crash - but we first need to figure out why it crashes and therefore we need as much info as possible.

     
  • Marco Lehmann

    Marco Lehmann - 2014-05-11

    Of course. It wasn't meant to be offending. Ask me anything that helps you figure out why it crashes, Daniel.

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-05-11

    You can start with responding to the questions already asked here. About p12, authentication and curl options.

     
  • Marco Lehmann

    Marco Lehmann - 2014-05-12

    Hi Daniel,

    as I wrote: PEM files are used.

    Here are the curl options:

    CURLOPT_HTTPHEADER = Content-Type: application/json
    CURLOPT_HEADER = 0 (false)
    CURLOPT_VERBOSE = 1 (true)
    CURLOPT_RETURNTRANSFER = 1 (true)
    CURLOPT_SSL_VERIFYPEER = 1 (true)
    CURLOPT_SSL_VERIFYHOST = 2 (hosts should match)
    CURLOPT_FAILONERROR = 1 (true)
    CURLOPT_TIMEOUT = 1500
    CURLOPT_SSLCERT = xxx.pem
    CURLOPT_SSLKEY = xxx
    CURLOPT_SSLCERTPASSWD = xxx
    CURLOPT_SSLKEYTYPE = "PEM"
    CURLOPT_CAINFO = xxx.pem

     
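    The option set above, as an added example (not code from the ticket, from curl or from PHP) with a pre-flight check that refuses the combination that crashed here: a libcurl built against Secure Transport, which cannot build a client identity from PEM/DER files, used with a PEM cert and key. URL, file paths and passphrase are placeholders.

```php
<?php
// Added example, not the reporter's script. Builds the same client-certificate
// request as in the ticket, but fails cleanly instead of reaching the darwinssl
// code path that segfaulted in 7.36.0 when a PEM identity was supplied.

function build_client_cert_request($url, $certPem, $keyPem, $keyPass, $caBundle)
{
    $ver = curl_version();
    // e.g. "SecureTransport" (Apple) or "OpenSSL/1.0.1g" (Homebrew build)
    $backend = isset($ver['ssl_version']) ? $ver['ssl_version'] : '';

    // Darwin SSL only accepts PKCS#12 (.p12) identities; with PEM/DER the
    // 7.36.0 build crashed instead of returning an error, so refuse up front.
    if (stripos($backend, 'SecureTransport') === 0) {
        throw new RuntimeException(
            "libcurl {$ver['version']} uses {$backend}: PEM client certificates "
            . "are not supported; rebuild libcurl against OpenSSL or supply a .p12");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_HTTPHEADER     => array('Content-Type: application/json'),
        CURLOPT_HEADER         => false,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // validate the server chain ...
        CURLOPT_SSL_VERIFYHOST => 2,      // ... and that the name matches
        CURLOPT_FAILONERROR    => true,
        CURLOPT_TIMEOUT        => 1500,
        CURLOPT_SSLCERT        => $certPem,   // placeholder: client cert (PEM)
        CURLOPT_SSLCERTTYPE    => 'PEM',
        CURLOPT_SSLKEY         => $keyPem,    // placeholder: private key (PEM)
        CURLOPT_SSLKEYTYPE     => 'PEM',
        CURLOPT_SSLCERTPASSWD  => $keyPass,   // placeholder passphrase
        CURLOPT_CAINFO         => $caBundle,  // placeholder CA bundle (PEM)
    ));
    return $ch;
}

// Usage with placeholder values; curl_exec() returns false on any failure,
// and curl_error() then says why, rather than the whole httpd child dying.
$ch = build_client_cert_request('https://api.example.invalid/endpoint',
    '/path/to/client.pem', '/path/to/client.key', 'placeholder', '/path/to/ca.pem');
$body = curl_exec($ch);
if ($body === false) {
    error_log('curl failed: ' . curl_error($ch));
}
curl_close($ch);
```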
  • Daniel Stenberg

    Daniel Stenberg - 2014-05-14

    See Toby Peterson's suggestion at: http://curl.haxx.se/mail/lib-2014-05/0139.html

    Can you add a check and see if 'items' is indeed NULL after SecPKCS12Import() returns success on line 955 in lib/vtls/curl_darwinssl.c ?

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-05-15
    • status: open --> pending
     
  • Daniel Stenberg

    Daniel Stenberg - 2014-05-15

    A fix has been pushed to git; it would be great to get a confirmation that it actually makes your crashing use-case work!

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-05-24
    • status: pending --> closed-fixed
     
