Bug 49406 - malformed FastCGI response may overwrite heap
Summary: malformed FastCGI response may overwrite heap
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_fcgid (show other bugs)
Version: 2.2.15
Hardware: All All
: P2 critical (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2010-06-08 13:59 UTC by Edgar Frank
Modified: 2014-02-17 13:52 UTC (History)
0 users

Patch for the bug described (433 bytes, patch)
2010-06-08 13:59 UTC, Edgar Frank
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Edgar Frank 2010-06-08 13:59:07 UTC
Created attachment 25551 [details]
Patch for the bug described

mod_fcgid may overwrite heap data in some rare cases.

In fcgid_bucket.c (Revision 816972 - current trunk):

The pointer arithmetic in line 99 should be bytewise but isn't. In the rare case that "hasread" is != 0, the heap gets trashed, causing at least segfaults.

Found this by fuzzing.
Comment 1 Thijs Putman 2010-06-10 04:11:22 UTC
Could it be that I'm experiencing this issue in the wild?

Ever since upgrading to Apache I'm experiencing an infrequent crash (one or two times a month) of the httpd process. Always exception code 0xc0000005 (access violation) in module mod_fcgid.so with fault offset 0x00004ac2.

Running Apache/2.2.15 (Win32) mod_ssl/2.2.15 OpenSSL/0.9.8o mod_fcgid/2.3.5 on Windows Server 2008 (x64).
Comment 2 William A. Rowe Jr. 2010-06-10 10:59:32 UTC
Thijs, can you look at http://httpd.apache.org/dev/debugging.html - I recall that
Dr Watson is dropped so it might be necessary to install windbg to gather the
crash dump of your fault.  It's possible but also equally like to be another
bug hiding in the code.
Comment 3 Jeff Trawick 2010-11-21 16:11:35 UTC
This issue was actually a stack overwrite instead of a heap overwrite, and was assigned CVE-2010-3872.

It was fixed in mod_fcgid 2.3.6