Created attachment 25551: Patch for the bug described

mod_fcgid may overwrite heap data in some rare cases. In fcgid_bucket.c (Revision 816972 - current trunk): http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c?revision=816972&view=markup

The pointer arithmetic in line 99 should be bytewise but isn't. In the rare case that "hasread" is != 0, the heap gets trashed, causing at least segfaults. Found this by fuzzing.
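The defect class described in this report (an offset meant in bytes applied to a typed pointer, so it is silently scaled by the element size) can be reproduced in isolation. The following is an added illustration, not code from fcgid_bucket.c; the 8-byte header type, the scratch buffer and the payload are constructed stand-ins, and the hardened append shows the bound a partial-read path has to enforce.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the 8-byte FastCGI record header that
 * fcgid_bucket.c reads piecewise; not the module's own type. */
typedef struct { uint8_t raw[8]; } fcgi_hdr_t;

/* Byte offset a write lands at when the destination is computed with
 * typed pointer arithmetic: base + hasread advances by
 * hasread * sizeof(fcgi_hdr_t) bytes, so only hasread == 0 is harmless. */
size_t scaled_offset(size_t hasread) {
    fcgi_hdr_t scratch[16];                 /* local, like a stack buffer */
    fcgi_hdr_t *dst = scratch + hasread;    /* scaled, NOT bytewise */
    return (size_t)((char *)dst - (char *)scratch);
}

/* Same computation done bytewise through a char*: offset == hasread. */
size_t bytewise_offset(size_t hasread) {
    fcgi_hdr_t scratch[16];
    char *dst = (char *)scratch + hasread;  /* bytewise */
    return (size_t)(dst - (char *)scratch);
}

/* Hardened partial-read append: copy n bytes into the header at byte
 * offset hasread, refusing any write that would leave the 8-byte object.
 * Returns the new fill level, or -1 if the request would overflow. */
int append_header_bytes(fcgi_hdr_t *hdr, size_t hasread,
                        const uint8_t *src, size_t n) {
    if (hasread > sizeof hdr->raw || n > sizeof hdr->raw - hasread)
        return -1;
    memcpy(hdr->raw + hasread, src, n);     /* uint8_t*: bytewise by type */
    return (int)(hasread + n);
}

/* Convenience driver: a zeroed header already holding hasread bytes,
 * fed n more bytes of constructed payload. */
int try_append(size_t hasread, size_t n) {
    static const uint8_t payload[16] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                         9, 10, 11, 12, 13, 14, 15, 16 };
    fcgi_hdr_t hdr;
    memset(&hdr, 0, sizeof hdr);
    if (n > sizeof payload) return -1;
    return append_header_bytes(&hdr, hasread, payload, n);
}
```

With hasread == 3 the scaled form lands 24 bytes in, three full headers past where the data belongs, which is why the fault only appears on the rare partial-read path.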
Could it be that I'm experiencing this issue in the wild? Ever since upgrading to Apache 2.2.1.5 I'm experiencing an infrequent crash (one or two times a month) of the httpd process. Always exception code 0xc0000005 (access violation) in module mod_fcgid.so with fault offset 0x00004ac2. Running Apache/2.2.15 (Win32) mod_ssl/2.2.15 OpenSSL/0.9.8o mod_fcgid/2.3.5 on Windows Server 2008 (x64).
Thijs, can you look at http://httpd.apache.org/dev/debugging.html - I recall that Dr Watson is dropped so it might be necessary to install windbg to gather the crash dump of your fault. It's possible but also equally likely to be another bug hiding in the code.
This issue was actually a stack overwrite instead of a heap overwrite, and was assigned CVE-2010-3872. It was fixed in mod_fcgid 2.3.6