Bug 57868

Summary: SIGSEV when lacking correct DB access permissions
Product: Apache httpd-2 Reporter: Jose Kahan <jose>
Component: mod_authz_dbdAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED    
Severity: normal CC: ylavic.dev
Priority: P2 Keywords: FixedInTrunk, PatchAvailable
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: Fixes sigsev in mod_authz_dbd when server lacks access rights to the db table
Fixes sigsev in mod_authz_dbd when server lacks access rights to the db table

Description Jose Kahan 2015-04-28 17:15:30 UTC 
Created attachment 32696 [details]
Fixes sigsev in mod_authz_dbd when server lacks access rights to the db table

If the dbd handle preparation fails due to a misconfiguration of the database server or the access rights to the table, the server logs something along these lines:

   AH00632: failed to prepare SQL statements: UPDATE command denied to 
   user 'foo'@'exampleorg' for table 'bar'

As a consequence, the call to dbd_handle(r) returns NULL. However, in mod_authz_dbd, there was no control for the value of dbd before its being used in both authz_dbd_login() and authzdbd_group():

       ap_dbd_t *dbd = dbd_handle(r);
       ...
        query = apr_hash_get(dbd->prepared, <--- SIGSEV

I'm attaching a patch that solves this issue. I didn't check to see if it also occurs in other nz modules based on mod_dbd.c
Comment 1 Yann Ylavic 2015-06-11 15:21:12 UTC 
Thanks for the report, but attachment 32696 [details] does not look correct (simple text, not a patch).
Comment 2 Jose Kahan 2015-06-11 15:50:12 UTC 
Created attachment 32811 [details]
Fixes sigsev in mod_authz_dbd when server lacks access rights to the db table

Resubmitting as my previous patch upload failed. Sorry about that!

Tested with apache_2.4.10, but patch submitted against trunk as this module has not changed between these versions.
Comment 3 Yann Ylavic 2015-07-01 14:38:01 UTC 
Thanks, committed in r1688660.
Comment 4 Christophe JAILLET 2015-08-07 15:23:44 UTC 
(In reply to Jose Kahan from comment #0)

> I didn't check to see if it also occurs in other nz modules based on mod_dbd.c

Apparently, ap_dbd_acquire is only used in mod_authz_dbd, mod_authn_dbd, mod_session_dbd and mod_rewrite.

You fixed the first one.
mod_authn_dbd and mod_session_dbd already have a test to check for NULL.
mod_rewrite seems to have the same problem in 'lookup_map_dbd'.

I'll check deeper and propose a patch if confirmed.
Comment 5 Christophe JAILLET 2015-08-10 21:32:14 UTC 
RewriteMap with MapType bbd or fastdbd has the same issue.
Proposed patch committed in r1695170
Comment 6 Christophe JAILLET 2015-08-11 21:04:07 UTC 
Proposed for backport in r1695378
Comment 7 Christophe JAILLET 2015-10-25 05:48:17 UTC 
This is in 2.4.17