When the following configuration is set in the httpd.conf file:

<Directory "/var/www/webapps/*/cgi-bin">
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Digest
    AuthDigestDomain /var/www/webapps/*/cgi-bin/
    AuthName My_Realm
    AuthUserFile /etc/apache/.htdigest
    AuthGroupFile /etc/apache/.htgroups
    Require group users
</Directory>

<Directory "/var/www/webapps/admin/cgi-bin">
    AuthDigestDomain /admin/cgi-bin/
    Require group admins
</Directory>

"Segmentation fault (11)" is logged in the Apache error log because the realm (AuthName) for the /var/www/webapps/admin/cgi-bin directory is not initialized. When the AuthDigestDomain directive is not set for this directory, Apache works correctly.

Here is gdb output:

# gdb httpd -d /source/
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-hardhat-linux"...
(gdb) b create_digest_dir_config
Breakpoint 1 at 0x10051998: file mod_auth_digest.c, line 405.
(gdb) b set_uri_list
Breakpoint 2 at 0x100521d0: file mod_auth_digest.c, line 581.
(gdb) b set_realm
Breakpoint 3 at 0x10051a88: file mod_auth_digest.c, line 423.
(gdb) b authenticate_digest_user
Breakpoint 4 at 0x10054be0: file mod_auth_digest.c, line 1594.
(gdb) run -X -f /etc/apache/httpd.conf
Starting program: /usr/sbin/httpd -X -f /etc/apache/httpd.conf

Breakpoint 1, create_digest_dir_config (p=0x10114968, dir=0x0)
    at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 1, create_digest_dir_config (p=0x10114968,
    dir=0x101ab0e8 "/var/www/webapps/*/cgi-bin/") at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 2, set_uri_list (cmd=0x7ffffcf0, config=0x101ab498,
    uri=0x101ab550 "/var/www/webapps/*/cgi-bin/") at mod_auth_digest.c:581
581         digest_config_rec *c = (digest_config_rec *) config;
(gdb) c
Continuing.

Breakpoint 3, set_realm (cmd=0x7ffffcf0, config=0x101ab498,
    realm=0x101ab5a8 "My_Realm") at mod_auth_digest.c:423
423         digest_config_rec *conf = (digest_config_rec *) config;
(gdb) c
Continuing.

Breakpoint 1, create_digest_dir_config (p=0x10114968,
    dir=0x101ab9d0 "/var/www/webapps/admin/cgi-bin/") at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 2, set_uri_list (cmd=0x7ffffcf0, config=0x101abba8,
    uri=0x101abc60 "/admin/cgi-bin/") at mod_auth_digest.c:581
581         digest_config_rec *c = (digest_config_rec *) config;
(gdb) c
Continuing.
Detaching after fork from child process 3115.
cDetaching after fork from child process 3117.

Breakpoint 1, create_digest_dir_config (p=0x10114968, dir=0x0)
    at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 1, create_digest_dir_config (p=0x10114968,
    dir=0x1018f510 "/var/www/webapps/*/cgi-bin/") at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 2, set_uri_list (cmd=0x7ffffcf0, config=0x1018f8a8,
    uri=0x1018f960 "/var/www/webapps/*/cgi-bin/") at mod_auth_digest.c:581
581         digest_config_rec *c = (digest_config_rec *) config;
(gdb) c
Continuing.

Breakpoint 3, set_realm (cmd=0x7ffffcf0, config=0x1018f8a8,
    realm=0x1018f9b8 "My_Realm") at mod_auth_digest.c:423
423         digest_config_rec *conf = (digest_config_rec *) config;
(gdb) c
Continuing.

Breakpoint 1, create_digest_dir_config (p=0x10114968,
    dir=0x101af8f0 "/var/www/webapps/admin/cgi-bin/") at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 2, set_uri_list (cmd=0x7ffffcf0, config=0x101afac8,
    uri=0x101afb80 "/admin/cgi-bin/") at mod_auth_digest.c:581
581         digest_config_rec *c = (digest_config_rec *) config;
(gdb) c
Continuing.
Detaching after fork from child process 3119.
Detaching after fork from child process 3121.

Breakpoint 4, authenticate_digest_user (r=0x10214d30) at mod_auth_digest.c:1594
1594        if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest")) {
(gdb) n
1598        if (!ap_auth_name(r)) {
(gdb) n
1607        mainreq = r;
(gdb) n
1608        while (mainreq->main != NULL) {
(gdb) n
1611        while (mainreq->prev != NULL) {
(gdb) n
1614        resp = (digest_header_rec *) ap_get_module_config(mainreq->request_config,
(gdb) n
1616        resp->needed_auth = 1;
(gdb) n
1621        conf = (digest_config_rec *) ap_get_module_config(r->per_dir_config,
(gdb) n
1627        if (resp->auth_hdr_sts != VALID) {
(gdb) n
1644        r->user = (char *) resp->username;
(gdb) n
1645        r->ap_auth_type = (char *) "Digest";
(gdb) n
1649        if (strcmp(resp->uri, resp->raw_request_uri)) {
(gdb) n
1737        if (resp->opaque && resp->opaque_num == 0) {
(gdb) n
1745        if (strcmp(resp->realm, conf->realm)) {
(gdb) p conf->realm
$1 = 0x0
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x0fb0aba4 in strcmp () from /lib/libc.so.6
(gdb) where
#0  0x0fb0aba4 in strcmp () from /lib/libc.so.6
#1  0x10055204 in authenticate_digest_user (r=0x10214d30) at mod_auth_digest.c:1745
#2  0x100363f0 in ap_run_check_user_id (r=0x10214d30) at request.c:71
#3  0x1003751c in ap_process_request_internal (r=0x10214d30) at request.c:194
#4  0x10087eb0 in ap_process_request (r=0x10214d30) at http_request.c:256
#5  0x10084248 in ap_process_http_connection (c=0x1020eeb0) at http_core.c:184
#6  0x10048dc4 in ap_run_process_connection (c=0x1020eeb0) at connection.c:43
#7  0x100493d0 in ap_process_connection (c=0x1020eeb0, csd=0x1020ed18) at connection.c:178
#8  0x100c4040 in child_main (child_num_arg=0) at prefork.c:640
#9  0x100c415c in make_child (s=0x1011b028, slot=0) at prefork.c:680
#10 0x100c48b0 in ap_mpm_run (_pconf=0x10114968, plog=0x10158a78, s=0x1011b028) at prefork.c:956
#11 0x1001e608 in main (argc=4, argv=0x7ffffe24) at main.c:717
#12 0x0faad6cc in __libc_start_main () from /lib/libc.so.6
(gdb) q
#
Ran into the same stack trace in a deployment I am currently working on. This setup involves mod_auth_digest, mod_authn_dbd and mod_vhost_alias. The abbreviated relevant portions of my config are:

VirtualDocumentRoot /vhosts/%0
<Directory /vhosts>
    AllowOverride AuthConfig
</Directory>
<LocationMatch "^(/private/).*">
    AuthType Digest
    AuthDigestProvider dbd
    # core authorization configuration
    Require valid-user
    AuthDBDUserRealmQuery \
        "SELECT password FROM apache_users WHERE username = %s AND realm = %s"
</LocationMatch>

In the Document Root for each virtual host is an .htaccess file that defines the AuthName for that virtual host:

AuthName "some_realm"

I have a patch that fixes two issues this segfault exposes.

1) (Obviously) Apache shouldn't segfault when either the expected or provided auth realm is null. The if() statement that calls strcmp on those two values should also ensure neither is null. Additionally, this check should probably be done on all calls to strcmp in the module.

2) For some reason mod_auth_digest and mod_authn_core are reporting different realms for the same request. This is due to different merge rules on dir_config struct members ap_auth_name/realm in the mod_authn_core and mod_auth_digest modules.

The patch I've included performs NULL checks before calling strcmp and it adds a dir_config merge function that matches the merge rules in mod_authn_core.
Created attachment 28531
Patch to fix segfaults and incorrect realm values in mod_auth_digest
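
An added example (not the attached patch and not httpd source) of the two changes the comment above describes: a per-directory merge so a child section without AuthName keeps a realm, and a NULL-safe realm comparison that rejects instead of crashing. The struct, the function names, the use of malloc rather than APR pools, and the inherit-when-unset merge rule are assumptions made for illustration; the sample values are constructed from the configuration in the first report.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, cut-down stand-in for the module's per-directory record. */
typedef struct {
    const char *dir_name;
    const char *realm;     /* NULL when no AuthName was seen for this section */
    const char *uri_list;  /* NULL when AuthDigestDomain was not set here */
} digest_conf;

/* Constructed from the report: the parent sets realm and domain,
 * the admin section sets only the domain. */
static const digest_conf PARENT = { "/var/www/webapps/*/cgi-bin/", "My_Realm",
                                    "/var/www/webapps/*/cgi-bin/" };
static const digest_conf CHILD  = { "/var/www/webapps/admin/cgi-bin/", NULL,
                                    "/admin/cgi-bin/" };

/* Assumed merge rule: a value set in the child wins, otherwise the
 * parent's value is inherited, so realm never silently becomes NULL. */
static digest_conf *merge_digest_conf(const digest_conf *base,
                                      const digest_conf *add)
{
    digest_conf *m = malloc(sizeof(*m));
    if (m == NULL)
        return NULL;
    m->dir_name = add->dir_name;
    m->realm    = add->realm    ? add->realm    : base->realm;
    m->uri_list = add->uri_list ? add->uri_list : base->uri_list;
    return m;
}

/* Fail closed: a missing realm on either side is a mismatch, so strcmp
 * is never handed a NULL pointer and NULL never counts as a match. */
static int realm_matches(const char *sent, const char *configured)
{
    if (sent == NULL || configured == NULL)
        return 0;
    return strcmp(sent, configured) == 0;
}

int main(void)
{
    digest_conf *m = merge_digest_conf(&PARENT, &CHILD);
    int ok = m != NULL
          && !realm_matches("My_Realm", CHILD.realm)  /* unmerged: rejected */
          && realm_matches("My_Realm", m->realm);     /* merged: accepted */
    free(m);
    return ok ? 0 : 1;
}
```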
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.