Bug 53643

Summary: apache segfaults with mod_authn_dbd when dbd_min is zero
Product: Apache httpd-2 Reporter: erno.kovacs
Component: mod_authn_dbd Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER    
Severity: critical Keywords: MassUpdate
Priority: P2    
Version: 2.2.22   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description erno.kovacs 2012-08-02 14:35:51 UTC
apache segfaults with mod_authn_dbd when dbd_min is zero:

# tail -f error.log
[Thu Aug 02 16:27:37 2012] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/0.9.8o
[Thu Aug 02 16:27:37 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o configured -- resuming normal operations
[Thu Aug 02 16:27:37 2012] [info] Server built: Aug  2 2012 15:37:02
[Thu Aug 02 16:27:37 2012] [debug] worker.c(1757): AcceptMutex: sysvsem (default: sysvsem)
[Thu Aug 02 16:27:39 2012] [notice] child pid 13127 exit signal Segmentation fault (11)

Config line for compiling against the Squeeze packages is:

./configure --prefix=/usr/local/apachetest --disable-echo --enable-cache --disable-include \
            --enable-ssl --enable-http --enable-cgi   --disable-imap --disable-userdir \
            --enable-dbd --enable-authn-dbd --with-apr=/usr --with-apr-util=/usr \
            --enable-so --enable-rewrite --disable-vhost-alias  --with-mpm=worker

# dpkg -l|grep apr
ii  libapr1                             1.4.2-6+squeeze4             The Apache Portable Runtime Library
ii  libapr1-dev                         1.4.2-6+squeeze4             The Apache Portable Runtime Library - Development Headers
ii  libaprutil1                         1.3.9+dfsg-5                 The Apache Portable Runtime Utility Library
ii  libaprutil1-dbd-mysql               1.3.9+dfsg-5                 The Apache Portable Runtime Utility Library - MySQL Driver
ii  libaprutil1-dev                     1.3.9+dfsg-5                 The Apache Portable Runtime Utility Library - Development Headers


httpd.conf:
############################################################### basic settings begin
ServerRoot "/usr/local/apachetest"
Listen 50080
User nobody
Group nogroup
ServerAdmin tech@xxxxxxx.hu
ServerName xxxxxxx.hu:80
DocumentRoot "/usr/local/apachetest/htdocs"
DirectoryIndex index.html index.htm index.php
ExtendedStatus on
ServerTokens Prod
ServerSignature Off
DefaultType text/plain
Timeout 30
Keepalive on
MaxKeepAliveRequests 100
KeepAliveTimeout 5
UseCanonicalName Off
AccessFilename .htaccess
HostnameLookups off
CoreDumpDirectory /tmp
############################################################### basic settings end

############################################################### MPM begin
ThreadLimit 10
ThreadsPerChild 1
ServerLimit 10
MaxClients 10
StartServers 1
MinSpareThreads 1
MaxSpareThreads 1
ThreadStackSize 131072
MaxRequestsPerChild  10000
############################################################### MPM end

#################################################################### mod_dbd begin
DBDriver mysql
DBDParams "host=mysql.xxxxxxx.hu dbname=xxxxxxx user=xxxxxxx password=xxxxxxx"

DBDMin  0
DBDKeep 5
DBDMax  10
DBDExptime 60
#################################################################### mod_dbd end

############################################################### access control begin
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all

</Directory>

<Directory /usr/local/apachetest/htdocs>
  Order allow,deny
  Allow from all

  AuthType Basic
  AuthName "My Server"
  AuthBasicProvider dbd

  # core authorization configuration
  Require valid-user

  AuthDBDUserPWQuery "SELECT pd_password FROM w3_protecteddirs WHERE pd_username = %s"
</Directory>

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
############################################################### access control end

################################################################### logging begin
PidFile "logs/httpd.pid"
ErrorLog "logs/error.log"
LogLevel debug
LogFormat "%h %V %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\""
TransferLog "logs/access.log"
#################################################################### logging end



If I increase DBD_Min to 1, Apache does not crash.
Comment 1 erno.kovacs 2012-08-02 17:38:39 UTC
However DBD_Min 0 is definitely a problem, and with a higher value authentication works fine, I can still reproduce the segfaults by pushing F5 (refresh) in the browser for a few minutes.
I believe this is a stack issue, as I increase ThreadStackSize it works OK, no segfaults. I would recommend mentioning this in documentation. 256KByte seems to be enough.
Comment 2 erno.kovacs 2012-08-04 21:50:08 UTC
Nevertheless, Apache even segfaults when DBD is not configured at all in rsrc_conf and an attacker has the ability to upload .htaccess files with content of AuthBasicProvider dbd and AllowOverride AuthConfig is on.
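
Added example, not part of the original report or of httpd: a small Python check that flags the three configuration conditions the reporter associates with the crash (DBDMin 0 with dbd authentication, a ThreadStackSize below the 256 KB the reporter found sufficient, and AllowOverride AuthConfig or All with no DBDriver configured). The function names, finding labels and sample configuration are constructed for illustration; the check reads one file's text and ignores Include directives and per-section scope.

```python
# Added example: flags the httpd.conf conditions described in this report.
STACK_OK = 256 * 1024  # reporter: "256KByte seems to be enough"

# Constructed sample, reduced from the httpd.conf posted in the description.
REPORTED_CONF = """\
ThreadStackSize 131072
DBDriver mysql
DBDMin  0
<Directory /usr/local/apachetest/htdocs>
  AllowOverride None
  AuthBasicProvider dbd
</Directory>
"""

def directives(conf_text):
    """Map lowercased directive name -> list of argument strings.
    Comments and <Section> tags are skipped; scope is ignored."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(args)
    return found

def audit(conf_text):
    """Return labels for the conditions the reporter ties to the segfault."""
    d = directives(conf_text)
    findings = []
    dbd_auth = any("dbd" in a.lower().split() for a in d.get("authbasicprovider", []))
    if dbd_auth and any(a.split()[:1] == ["0"] for a in d.get("dbdmin", [])):
        findings.append("DBDMIN_ZERO")  # description: no crash with DBDMin 1
    stack = [a.split()[0] for a in d.get("threadstacksize", []) if a.split()]
    if dbd_auth and stack and stack[-1].isdigit() and int(stack[-1]) < STACK_OK:
        findings.append("SMALL_THREAD_STACK")  # comment 1
    overrides = {w.lower() for a in d.get("allowoverride", []) for w in a.split()}
    if "dbdriver" not in d and overrides & {"authconfig", "all"}:
        findings.append("HTACCESS_DBD_WITHOUT_DBD_CONFIG")  # comment 2
    return findings

if __name__ == "__main__":
    for finding in audit(REPORTED_CONF):
        print(finding)
```
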
Comment 3 William A. Rowe Jr. 2018-11-07 21:09:08 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.