Summary: | Segmentation fault in char_buffer_read when reverse proxying SSL | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | M. "Alex" Hankins <lxhankins002> |
Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | CLOSED FIXED | ||
Severity: | major | ||
Priority: | P3 | ||
Version: | 2.0.50 | ||
Target Milestone: | --- | ||
Hardware: | Sun | ||
OS: | Solaris | ||
URL: | http://www.2dv.cl/cepechphp/admin/index_login.html | ||
Attachments: | proposed fix |
Description
M. "Alex" Hankins
2004-07-15 23:57:41 UTC
Does this still happen if you take mod_rewrite out of the setup and use ProxyPass instead? Yes, I still get what seems to be the same segfault (according to gdb) if I replace these config lines: RewriteEngine on RewriteRule /(.*) https://some.eroom6.iis.server.com/$1 [P] with this one: ProxyPass / https://some.eroom6.iis.server.com/ This backtrace is a little strange: #1 0xfeafef54 in char_buffer_read (buffer=0x1649ac, in=0x2000 <Address 0x2000 out of bounds>, inl=8192) at ssl_engine_io.c:348 which means either stack corruption by memcpy or in got passed in as a pointer to address 8192 somehow. Can you, from gdb against a core dump, check: up 2 (into ssl_io_input_read) print *inctx info locals print buf print len Hi Joe, I do suffer from the same bug. Attached is the info you requested. If you need additional testing, please say so. I cleared some info from the contents of buffer to not disclose critical information. I hope that's ok and doesn't hinder your debugging process. Regards, Stephan Program received signal SIGSEGV, Segmentation fault. 0xfedf060c in memcpy () from /usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1 (gdb) where full #0 0xfedf060c in memcpy () from /usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1 No symbol table info available. #1 0x00048060 in char_buffer_read (buffer=0x196d54, in=0x196d60 "Cet-Cookie: s"..., at ssl_engine_io.c:348 No locals. #2 0x00048448 in ssl_io_input_read (inctx=0x196d38, buf=0x196d60 "Cet-Cookie: s"..., len=0xffbeafa4) at ssl_engine_io.c:561 wanted = 8192 bytes = 1533728 rc = 8192 #3 0x00048714 in ssl_io_input_getline (inctx=0x196d38, buf=0x196d60 "Cet-Cookie: s"..., len=0xffbeafa4) at ssl_engine_io.c:712 pos = 0x173ea0 "" status = 1666360 tmplen = 1 offset = 1533728 (gdb) up 2 #2 0x00048448 in ssl_io_input_read (inctx=0x196d38, buf=0x196d60 "Cet-Cookie: s"..., len=0xffbeafa4) at ssl_engine_io.c:561 561 (gdb) print *inctx $1 = {ssl = 0x173db8, bio_out = 0x172210, f = 0x198d68, rc = 0, mode = AP_MODE_GETLINE, block = APR_BLOCK_READ, bb = 0x198d80, cbuf = { length = 1, value = 0xffffffff <Address 0xffffffff out of bounds>}, pool = 0x16fea8, buffer = "Cet-Cookie: s"..., filter_ctx = 0x17e058} (gdb) info locals wanted = 8192 bytes = 1533728 rc = 8192 (gdb) print buf $2 = 0x196d60 "Cet-Cookie: s"..., (gdb) print len $3 = (apr_size_t *) 0xffbeafa4 Ah ha, that's crucial info, thanks. It looks like the cause is: ssl_io_input_read is called with inctx->mode == SPECULATIVE (this only normally happens in the proxy IIRC); ssl_io_input_read calls char_buffer_read, which executes the case where it does: buffer->value = NULL; buffer->length = 0; and ssl_io_input_read then screws up the inctx->cbuf for good. /* We want to rollback this read. */ inctx->cbuf.value -= bytes; inctx->cbuf.length += bytes; cbuf = { length = 1, value = 0xffffffff <Address 0xffffffff out of bounds>}, per your backtrace. Created attachment 12459 [details]
proposed fix
The patch attached above should fix the segfaults, I'm not yet sure if this is the cleanest or most correct fix. The fix checked in should be equivalent: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126 This issue has possible security implications; it's been assigned CVE CAN-2004-0751 (cve.mitre.org). Thanks for the report and for the debugging. |