Bug 52865 - Crash by segmentation fault in mod_authn_core in Apache-2.4.1
Summary: Crash by segmentation fault in mod_authn_core in Apache-2.4.1
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authn_core
Version: 2.4.1
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-09 10:08 UTC by Tianyin Xu
Modified: 2019-03-07 14:21 UTC
Description Tianyin Xu 2012-03-09 10:08:37 UTC
To replay it, set the following configuration entries in the httpd.conf:

LoadModule authn_core_module modules/mod_authn_core.so
<AuthnProviderAlias file file1>
AuthName "dfdf"
</AuthnProviderAlias>

Start server and you will see the segmentation fault.

I don't quite understand the problem. 

I put some printf() in the invoke_cmd() function. It seems that the segfault occurs when it's executing the AuthName directive. The code reaches “return cmd->AP_TAKE1(parms, mconfig, w);” but does not reach the handler function of the AuthName directive -- set_authname().
 
Please check it. 

Thanks a lot!!!
Comment 1 Tianyin Xu 2012-03-09 10:41:42 UTC
Oh, sorry, I missed something in the previous email.

To replay it, use the following configuration (both modules have to be loaded):

LoadModule authn_core_module modules/mod_authn_core.so
LoadModule auth_digest_module modules/mod_auth_digest.so
<AuthnProviderAlias file file1>
AuthName "dfdf"
</AuthnProviderAlias>

It seems the two modules have some conflict?



(In reply to comment #0)
> To replay it, set the following configuration entries in the httpd.conf:
> 
> LoadModule authn_core_module modules/mod_authn_core.so
> <AuthnProviderAlias file file1>
> AuthName "dfdf"
> </AuthnProviderAlias>
> 
> Start server and you will see the segmentation fault.
> 
> I don't quite understand the problem. 
> 
> I put some printf() in the invoke_cmd() function. It seems that the segfault
> occurs when it's executing the AuthName directive. The code reaches “return
> cmd->AP_TAKE1(parms, mconfig, w);” but does not reach the handler function of
> the AuthName directive -- set_authname().
> 
> Please check it. 
> 
> Thanks a lot!!!
Comment 2 Stefan Fritsch 2012-03-12 01:06:14 UTC
It seems AuthnProviderAlias breaks some assumption in create_digest_dir_config(). The crash does not happen if I remove these lines:

--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -454,10 +454,6 @@ static void *create_digest_dir_config(apr_pool_t *p, char *dir)
 {
     digest_config_rec *conf;
 
-    if (dir == NULL) {
-        return NULL;
-    }
-
     conf = (digest_config_rec *) apr_pcalloc(p, sizeof(digest_config_rec));
     if (conf) {
         conf->qop_list       = apr_palloc(p, sizeof(char*));
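Review bot: Dropping the `dir == NULL` early return removes the only path by which create_digest_dir_config() hands back a NULL module config, which is the value that reaches the digest directive handlers as mconfig=0x0 when an <AuthnProviderAlias> section walks the digest command table in server context; since the removed lines were a deliberate optimization, the hunk should add a one-line comment above the apr_pcalloc() explaining why the struct must exist in server context too, or a later cleanup will reintroduce the early return. With the early return gone, the `if (conf)` guard on the apr_pcalloc() result is the only remaining NULL path in this function, so the merge function for this module should also be checked for any assumption that the server-level config is NULL.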


I haven't tested if this makes AuthnProviderAlias actually work, though. Can you try it?
Comment 3 Tianyin Xu 2012-03-12 09:04:58 UTC
(In reply to comment #2)
> It seems AuthnProviderAlias breaks some assumption in
> create_digest_dir_config(). The crash does not happen if I remove these lines:
> 
> --- a/modules/aaa/mod_auth_digest.c
> +++ b/modules/aaa/mod_auth_digest.c
> @@ -454,10 +454,6 @@ static void *create_digest_dir_config(apr_pool_t *p, char
> *dir)
>  {
>      digest_config_rec *conf;
> 
> -    if (dir == NULL) {
> -        return NULL;
> -    }
> -
>      conf = (digest_config_rec *) apr_pcalloc(p, sizeof(digest_config_rec));
>      if (conf) {
>          conf->qop_list       = apr_palloc(p, sizeof(char*));
> 
> 
> I haven't tested if this makes AuthnProviderAlias actually work, though. Can
> you try it?


Yes, I tried. Now there's no segfault any more.
But actually directives like AuthName and AuthType have no effect in the <AuthnProviderAlias> block.
Comment 4 Tianyin Xu 2012-03-12 10:02:03 UTC
(In reply to comment #2)
> It seems AuthnProviderAlias breaks some assumption in
> create_digest_dir_config(). The crash does not happen if I remove these lines:
> 
> --- a/modules/aaa/mod_auth_digest.c
> +++ b/modules/aaa/mod_auth_digest.c
> @@ -454,10 +454,6 @@ static void *create_digest_dir_config(apr_pool_t *p, char
> *dir)
>  {
>      digest_config_rec *conf;
> 
> -    if (dir == NULL) {
> -        return NULL;
> -    }
> -
>      conf = (digest_config_rec *) apr_pcalloc(p, sizeof(digest_config_rec));
>      if (conf) {
>          conf->qop_list       = apr_palloc(p, sizeof(char*));
> 
> 
> I haven't tested if this makes AuthnProviderAlias actually work, though. Can
> you try it?

By the way, could you also explain a little bit about the problem?
Thanks a lot!
Comment 5 Stefan Fritsch 2012-03-12 19:44:30 UTC
mod_auth_digest tries to avoid allocating memory for its own config struct in global server context because AuthDigestShmemSize, which is its only directive allowed in that context, doesn't need the struct. This optimization breaks with AuthnProviderAlias.

I don't know yet if the correct fix is to make AuthnProviderAlias simulate per-directory context, or if mod_auth_digest should be changed to either not make that optimization, or to detect global server context in a different way.

Also, I am not familiar enough with AuthnProviderAlias to say if it should support AuthName and AuthType. If yes, then this is probably a different bug than the segfault. If no, AuthnProviderAlias should log an error if these directives are used. Maybe someone more familiar with AuthnProviderAlias could comment?
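As an added illustration of the failure mode Stefan describes (constructed here, not code from httpd or from anyone in this thread): a per-directory config creator that skips allocation in server context, a TAKE1 handler that dereferences its config without checking, a dispatch routine shaped like invoke_cmd that passes the creator's result straight through, and the two ways of closing the gap (always allocate, or have the handler reject a NULL config). The names toy_dir_config, toy_module, invoke_take1, creator_null_in_server_context and the scenario functions are stand-ins for httpd's own structures and are assumptions of this example; the crashing combination is described in a comment and deliberately not executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a module's per-directory config (not httpd's digest_config_rec). */
typedef struct {
    const char *realm;
} toy_dir_config;

/* Creator with the optimization the hunk in comment 2 removes: no struct in server context. */
static void *create_dir_config_optimized(const char *dir)
{
    if (dir == NULL) {
        return NULL;                       /* server context: assumed to need no config */
    }
    return calloc(1, sizeof(toy_dir_config));
}

/* Fixed creator: always allocate, whatever the context. */
static void *create_dir_config_always(const char *dir)
{
    (void)dir;
    return calloc(1, sizeof(toy_dir_config));
}

/* Handler that trusts its config pointer, like a set_realm() that never checks mconfig. */
static const char *set_realm_unchecked(void *mconfig, const char *realm)
{
    toy_dir_config *conf = mconfig;
    conf->realm = realm;                   /* NULL dereference when mconfig is NULL */
    return NULL;
}

/* Defensive handler: return a config error instead of dereferencing NULL. */
static const char *set_realm_checked(void *mconfig, const char *realm)
{
    toy_dir_config *conf = mconfig;
    if (conf == NULL) {
        return "directive used in a context with no per-directory config";
    }
    conf->realm = realm;
    return NULL;
}

typedef struct {
    void *(*create_dir_config)(const char *dir);
    const char *(*set_realm)(void *mconfig, const char *realm);
} toy_module;

/* Shaped like invoke_cmd for a TAKE1 directive: whatever the creator produced is
 * handed straight to the handler, with no NULL check in between. Returns the
 * handler's error string (NULL on success) and reports the stored realm. */
static const char *invoke_take1(const toy_module *m, const char *dir,
                                const char *realm, const char **realm_out)
{
    void *mconfig = m->create_dir_config(dir);
    const char *err = m->set_realm(mconfig, realm);
    *realm_out = mconfig ? ((toy_dir_config *)mconfig)->realm : NULL;
    free(mconfig);
    return err;
}

/* The check a module test suite can run: does the creator yield NULL for dir == NULL? */
static int creator_null_in_server_context(void *(*create)(const char *))
{
    void *c = create(NULL);
    int is_null = (c == NULL);
    free(c);
    return is_null;
}

/* Old creator + defensive handler, walked in server context (dir == NULL).
 * Returns 1 when the directive is rejected with an error rather than applied. */
static int scenario_optimized_checked(void)
{
    const toy_module m = { create_dir_config_optimized, set_realm_checked };
    const char *realm;
    return invoke_take1(&m, NULL, "dfdf", &realm) != NULL && realm == NULL;
}

/* Fixed creator + original unchecked handler in server context.
 * Returns 1 when the realm is stored without error. */
static int scenario_always_unchecked(void)
{
    const toy_module m = { create_dir_config_always, set_realm_unchecked };
    const char *realm;
    return invoke_take1(&m, NULL, "dfdf", &realm) == NULL
        && realm != NULL && strcmp(realm, "dfdf") == 0;
}

int main(void)
{
    printf("optimized creator returns NULL in server context: %d\n",
           creator_null_in_server_context(create_dir_config_optimized));
    printf("old creator + checked handler rejects directive:  %d\n", scenario_optimized_checked());
    printf("fixed creator + unchecked handler stores realm:   %d\n", scenario_always_unchecked());
    /* Not executed: optimized creator + unchecked handler with dir == NULL is the
     * segfault reported in comment 0. */
    return 0;
}
```

Either fix alone stops the crash; the creator-side fix matches the hunk in comment 2, while the handler-side check is what lets a module report a clear configuration error when a directive is used in a context its config layout did not anticipate.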
Comment 6 Tianyin Xu 2012-03-13 00:28:50 UTC
(In reply to comment #5)
> mod_auth_digest tries to avoid allocating memory for its own config struct in
> global server context because AuthDigestShmemSize, which is its only directive
> allowed in that context, doesn't need the struct. This optimization breaks with
> AuthnProviderAlias.
> 
> I don't know yet if the correct fix is to make AuthnProviderAlias simulate
> per-directory context, or if mod_auth_digest should be changed to either not
> make that optimization, or to detect global server context in a different way.
> 

Thank you very much, Stefan!

I will take a look at this issue. Your information is helpful.

> Also, I am not familiar enough with AuthnProviderAlias to say if it should
> support AuthName and AuthType. If yes, then this is probably a different bug
> than the segfault. If no, AuthnProviderAlias should log an error if these
> directives are used. Maybe someone more familiar with AuthnProviderAlias could
> comment?

Hmmm... this should not be a big thing. There are already too many silent behaviors in current Apache :P
Comment 7 Cedric 2019-03-07 13:14:53 UTC
Seems to have reproduced the crash with the following configuration.

<AuthnProviderAlias ldap world_company >
        AuthName "LDAP_world_company"
        AuthLDAPBindDN "CN=xxx xxx,OU=yyy,OU=zzz,OU=People,DC=company,DC=world"
        AuthLDAPBindPassword "c0ma!"
        AuthLDAPURL ldap://*****:389/****?sAMAccountName
        Require valid-user
</AuthnProviderAlias>


I hardly managed to get the following stack trace:

#0  0x00007ffff7c00a30 in set_realm (cmd=<optimized out>, config=0x0, realm=0x7ffff43485b8 "LDAP_world_company") at mod_auth_digest.c:493
#1  0x00005555555ae3e2 in invoke_cmd (cmd=0x7ffff7c07a00 <digest_cmds>, parms=parms@entry=0x7fffffffd030, mconfig=0x0, args=<optimized out>) at config.c:928
#2  0x00005555555b0a69 in ap_walk_config_sub (section_vector=0x7ffff4348410, parms=0x7fffffffd030, current=0x7ffff436b398) at config.c:1339
#3  ap_walk_config (current=0x7ffff436b398, parms=parms@entry=0x7fffffffd030, section_vector=section_vector@entry=0x7ffff4348410) at config.c:1372
#4  0x00007ffff7bf876f in authaliassection (cmd=0x7fffffffd030, mconfig=<optimized out>, arg=0x7ffff436b380 "ldap world_company >") at mod_authn_core.c:257
#5  0x00005555555ae2af in invoke_cmd (cmd=0x7ffff7bfac90 <authn_cmds+80>, parms=parms@entry=0x7fffffffd030, mconfig=0x7ffff7bfd448, args=<optimized out>) at config.c:895
#6  0x00005555555b0a69 in ap_walk_config_sub (section_vector=0x7ffff7c25540, parms=0x7fffffffd030, current=0x7ffff436b338) at config.c:1339
#7  ap_walk_config (current=0x7ffff436b338, parms=parms@entry=0x7fffffffd030, section_vector=0x7ffff7c25540) at config.c:1372
#8  0x00005555555b1ec5 in ap_process_config_tree (s=<optimized out>, conftree=<optimized out>, p=0x7ffff7fc6028, ptemp=<optimized out>) at config.c:2156
#9  0x000055555558abfa in main (argc=<optimized out>, argv=<optimized out>) at main.c:686


Vars at #3:

(gdb) info args
current = 0x7ffff436b340
parms = 0x7fffffffd030
section_vector = 0x7ffff4348400
(gdb) print *current
$9 = {
  directive = 0x7ffff7bf9090 "AuthName", 
  args = 0x7ffff436b388 "\"LDAP_world_company\"", 
  next = 0x7ffff436b398, 
  first_child = 0x0, 
  parent = 0x7ffff436b2e0, 
  data = 0x0, 
  filename = 0x7ffff436b058 "/etc/apache2/sites-enabled/world-company-site.conf", 
  line_num = 25, 
  last = 0x0
}
(gdb) print *parms
$10 = {
  info = 0x0, 
  override = 72, 
  override_opts = 239, 
  override_list = 0x0, 
  limited = -1, 
  limited_xmethods = 0x0, 
  xlimited = 0x0, 
  config_file = 0x0, 
  directive = 0x7ffff436b340, 
  pool = 0x7ffff7fc6028, 
  temp_pool = 0x7ffff7c26028, 
  server = 0x7ffff7c28ac0, 
  path = 0x0, 
  cmd = 0x7ffff7c07a00 <digest_cmds>, 
  context = 0x7ffff4348400, 
  err_directive = 0x0
}

Server version: Apache/2.4.34 (Ubuntu)
Server built:   2018-10-03T13:57:22