
[Bug 68527] New: NULL dereference in mod_dir:fixup_dir
https://bz.apache.org/bugzilla/show_bug.cgi?id=68527

Bug ID: 68527
Summary: NULL dereference in mod_dir:fixup_dir
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_dir
Assignee: bugs@httpd.apache.org
Reporter: benjamin.p.kallus.gr@dartmouth.edu
Target Milestone: ---

- Platform: Linux 6.7.0 x86_64
- Build: gcc 12.2.0, apache httpd trunk default build configuration
- httpd_config:
> ServerRoot "/usr/local/apache2"
> Listen 80
> LoadModule authz_core_module modules/mod_authz_core.so
> LoadModule unixd_module modules/mod_unixd.so
> LoadModule http2_module modules/mod_http2.so
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
> LoadModule rewrite_module modules/mod_rewrite.so
> LoadModule dir_module modules/mod_dir.so
> User daemon
> Group daemon
> ServerName apache
> <VirtualHost *:80>
> DocumentRoot /var/www
> <Directory /var/www>
> DirectoryIndex index.php
> SetHandler "proxy:fcgi://127.0.0.1:9000/"
> RewriteEngine On
> RewriteBase /
> RewriteRule ^(.*)$ /index.php [L,QSA]
> </Directory>
> </VirtualHost>
- php-fpm version: 8.2.7 (from Debian Bookworm repos)
- php-fpm config: The default from the Debian Bookworm repos, except with the
listen directive modified to use a TCP socket instead of a UDS
- /var/www/index.php:
> <?php
> echo "hello world";
> ?>

To reproduce the crash,
1. build apache with the configuration described above
2. run the server in gdb:
> gdb /usr/local/apache2/bin/httpd
> (gdb) r -X
3. In another terminal, send a simple request using nc:
> printf 'GET / HTTP/1.1\r\nHost: whatever\r\n\r\n' | nc localhost 80
4. Watch the server segfault and crash:
> Thread 28 "httpd" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fffe76006c0 (LWP 64658)]
> __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:283
5. Take a backtrace and see what's wrong:
> (gdb) bt
> #0 __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:283
> #1 0x00007ffff7c22804 in fixup_dir (r=0x7fffd8004c30) at mod_dir.c:306
> #2 dir_fixups (r=0x7fffd8004c30) at mod_dir.c:422
> #3 0x00005555555d1ee0 in ap_run_fixups (r=r@entry=0x7fffd8004c30) at request.c:87
> #4 0x00005555555d46ba in ap_process_request_internal (r=r@entry=0x7fffd8004c30) at request.c:435
> #5 0x0000555555598b25 in ap_process_async_request (r=r@entry=0x7fffd8004c30) at http_request.c:448
> #6 0x000055555559453c in ap_process_http_async_connection (c=0x7fff10000fa0) at http_core.c:159
> #7 ap_process_http_connection (c=0x7fff10000fa0) at http_core.c:250
> #8 0x00005555555b7a00 in ap_run_process_connection (c=c@entry=0x7fff10000fa0) at connection.c:43
> #9 0x00005555555a6b86 in process_socket (thd=thd@entry=0x7fffe0000d10, p=<optimized out>,
> sock=<optimized out>, cs=<optimized out>, my_child_num=my_child_num@entry=0,
> my_thread_num=my_thread_num@entry=0) at event.c:1129
> #10 0x00005555555a73b2 in worker_thread (thd=0x7fffe0000d10, dummy=<optimized out>) at event.c:2488
> #11 0x00007ffff7f07f7f in dummy_worker (opaque=0x7fffe0000d10) at threadproc/unix/thread.c:165
> #12 0x00007ffff7d5d044 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
> #13 0x00007ffff7ddc880 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100
6. Check the first argument register and notice that it's NULL:
> (gdb) print $rdi
> $1 = 0

The offending revision is this one, which passes r->content_type to strcmp
without making sure it's not NULL:
> https://svn.apache.org/viewvc?view=revision&revision=1695583

I tried adding in a check for NULL on line 306, and the server still segfaults
on line 315, which is another unchecked strcmp added in the same revision.
Adding in another check for NULL on line 315 prevents the segfault, but the
server still 500s, which is probably an indication that something about my
config is wrong. I wrote this config from scratch, so it's very likely that
it's doing something unorthodox :)
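The unchecked pattern the report describes, beside the NULL-safe form, as an added illustration that is not mod_dir's code or part of the original report. The one-field `request_rec` is a hypothetical stand-in, and `DIR_MAGIC_TYPE` is assumed to be the `httpd/unix-directory` value httpd uses for directory resources.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for httpd's request_rec: only the field this bug touches.
 * In httpd, content_type stays NULL until a module such as mod_mime (not loaded
 * in the reported config) or a handler sets it. */
typedef struct {
    const char *content_type;
} request_rec;

/* Assumed to match httpd's define for directory resources. */
#define DIR_MAGIC_TYPE "httpd/unix-directory"

/* Pattern as the report describes it at mod_dir.c:306 and :315:
 * r->content_type goes straight into strcmp. With a NULL content type this
 * dereferences NULL inside strcmp, which is the crash frame in the backtrace. */
static int is_dir_type_unchecked(const char *content_type)
{
    return strcmp(content_type, DIR_MAGIC_TYPE) == 0;
}

/* Hardened form: test the pointer first; a NULL content type is simply
 * "not the directory magic type", so the fixup can decline instead of crash. */
static int is_dir_type(const char *content_type)
{
    return content_type != NULL && strcmp(content_type, DIR_MAGIC_TYPE) == 0;
}

/* Mimics the fixup decision for one request: 1 = treat as directory, 0 = decline. */
static int fixup_decision(const request_rec *r)
{
    return is_dir_type(r->content_type);
}

int main(void)
{
    /* Constructed request with no content type, as in the reported config. */
    request_rec bare = { NULL };
    request_rec dir = { DIR_MAGIC_TYPE };

    printf("no content type -> %d\n", fixup_decision(&bare));   /* 0, no crash */
    printf("directory type  -> %d\n", fixup_decision(&dir));    /* 1 */
    printf("unchecked, non-NULL -> %d\n", is_dir_type_unchecked("text/html"));
    return 0;
}
```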
