Bug 55284 - repeatable segv
Summary: repeatable segv
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth_digest (show other bugs)
Version: 2.4.4
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2013-07-20 11:14 UTC by Daniel Black
Modified: 2018-08-03 20:13 UTC (History)
0 users



Attachments
httpd config (18.58 KB, text/plain)
2013-07-20 11:14 UTC, Daniel Black
Details
.htaccess files in webroot (10.00 KB, application/x-tar)
2013-07-20 11:15 UTC, Daniel Black
Details
webroot files - digest_onetime (10.00 KB, application/x-tar)
2013-07-29 00:10 UTC, Daniel Black
Details
python script for triggering faults - requires python-requests (4.16 KB, text/x-python)
2013-07-29 00:11 UTC, Daniel Black
Details
webroot files (all) (40.00 KB, application/x-tar)
2013-07-29 23:40 UTC, Daniel Black
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Black 2013-07-20 11:14:31 UTC
Created attachment 30605 [details]
httpd config

discovered in 2.2.23-1.fc17
repleatabe in apache-2.4.4 (compiled from source)


#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
No locals.
#1  0x00007f70f6a55b04 in authenticate_digest_user (r=0x7f70dc006990) at mod_auth_digest.c:1837
        conf = 0x7f70dc00bbe0
        resp = 0x7f70dc007f40
        mainreq = 0x7f70dc006990
        t = 0x7f70dc003df8 "Digest"
        res = 0
        return_code = AUTH_DENIED
#2  0x000000000044624c in ap_run_check_user_id (r=0x7f70dc006990) at request.c:79
        pHook = 0x13da168
        n = 2
        rv = -1
#3  0x000000000044752c in ap_process_request_internal (r=0x7f70dc006990) at request.c:233
        file_req = 0
        access_status = -1
        d = 0x7f70dc00bf18
#4  0x000000000046e3b8 in ap_process_async_request (r=0x7f70dc006990) at http_request.c:315
        c = 0x7f70ec003250
        access_status = -1
#5  0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f70ec003250) at http_core.c:143
        r = 0x7f70dc006990
        cs = 0x7f70ec003228
#6  0x000000000046aac5 in ap_process_http_connection (c=0x7f70ec003250) at http_core.c:228
No locals.
#7  0x000000000045fb75 in ap_run_process_connection (c=0x7f70ec003250) at connection.c:41
        pHook = 0x13d9eb0
        n = 1
        rv = -1
#8  0x0000000000478ac9 in process_socket (thd=0x137dff0, p=0x7f70ec002f58, sock=0x7f70ec002fd0, cs=0x7f70ec0031d8, my_child_num=1, 
    my_thread_num=1) at event.c:964
        c = 0x7f70ec003250
        conn_id = 65
        rc = 32624
        sbh = 0x7f70ec0038c8
#9  0x000000000047b0b7 in worker_thread (thd=0x137dff0, dummy=0x7f70ec000a10) at event.c:1812
        ti = 0x7f70ec000a10
        process_slot = 1
        thread_slot = 1
        csd = 0x7f70ec002fd0
        cs = 0x7f70ec0031d8
        ptrans = 0x7f70ec002f58
        rv = 0
        is_idle = 0
        te = 0x0
#10 0x0000003d75207d14 in start_thread (arg=0x7f70f35b5700) at pthread_create.c:309
        __res = <optimized out>
        pd = 0x7f70f35b5700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140123095914240, -3354921391018301741, 0, 263947681792, 140123095914240, 0, 
                3427532282626221779, -3383884997834266925}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, 
              cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#11 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115


Triggered with  wget --http-user='username' --http-password='password' -S  http://localhost:801/digest/qop_none -O /dev/nul
Comment 1 Daniel Black 2013-07-20 11:15:10 UTC
Created attachment 30606 [details]
.htaccess files in webroot
Comment 2 Daniel Black 2013-07-21 10:39:04 UTC
Also was able to generate a segv by having the following directory and file in the digest directory:

digest $ more nc/.htaccess 
AuthDigestNcCheck on


wget --http-user='username' --http-password='password' -S http://localhost:801/digest/nc/index.html -O /dev/null

==> /usr/local/apache2/logs/error_log <==
[Sun Jul 21 20:34:21.542949 2013] [core:notice] [pid 5498:tid 140470958016384] AH00052: child pid 5499 exit signal Segmentation fault (11)
[Sun Jul 21 20:34:22.544945 2013] [core:notice] [pid 5498:tid 140470958016384] AH00052: child pid 5501 exit signal Segmentation fault (11)
[Sun Jul 21 20:34:24.547243 2013] [core:notice] [pid 5498:tid 140470958016384] AH00052: child pid 5500 exit signal Segmentation fault (11)
Comment 3 Daniel Black 2013-07-29 00:09:56 UTC
Next segfault: digest_onetime.tar and the script digest.py

Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 8, Arithmetic exception.
#0  0x00007f3bfab91ad2 in add_client (key=9, info=0x7f3bf6ef2950, s=0x1f0c888) at mod_auth_digest.c:859
859         bucket = key % client_list->tbl_len;
Missing separate debuginfos, use: debuginfo-install apr-1.4.6-1.fc17.x86_64 apr-util-1.4.1-2.fc17.x86_64 db4-4.8.30-10.fc17.x86_64 expat-2.1.0-3.1.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libuuid-2.21.2-4.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 nss-softokn-freebl-3.14.3-1.fc17.x86_64 pcre-8.21-7.fc17.x86_64
(gdb) bt
#0  0x00007f3bfab91ad2 in add_client (key=9, info=0x7f3bf6ef2950, s=0x1f0c888) at mod_auth_digest.c:859
#1  0x00007f3bfab929db in gen_client (r=0x7f3be000c9c0) at mod_auth_digest.c:1151
#2  0x00007f3bfab92e13 in note_digest_auth_failure (r=0x7f3be000c9c0, conf=0x7f3be0004268, resp=0x7f3be000e4f0, stale=0) at mod_auth_digest.c:1298
#3  0x00007f3bfab94c39 in authenticate_digest_user (r=0x7f3be000c9c0) at mod_auth_digest.c:1847
#4  0x000000000044624c in ap_run_check_user_id (r=0x7f3be000c9c0) at request.c:79
#5  0x000000000044752c in ap_process_request_internal (r=0x7f3be000c9c0) at request.c:233
#6  0x000000000046e3b8 in ap_process_async_request (r=0x7f3be000c9c0) at http_request.c:315
#7  0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f3bf0003220) at http_core.c:143
#8  0x000000000046aac5 in ap_process_http_connection (c=0x7f3bf0003220) at http_core.c:228
#9  0x000000000045fb75 in ap_run_process_connection (c=0x7f3bf0003220) at connection.c:41
#10 0x0000000000478ac9 in process_socket (thd=0x1eb1ba0, p=0x7f3bf0002f18, sock=0x7f3bf0002fa0, cs=0x7f3bf00031a8, my_child_num=3, my_thread_num=2)
    at event.c:964
#11 0x000000000047b0b7 in worker_thread (thd=0x1eb1ba0, dummy=0x7f3bf00008c0) at event.c:1812
#12 0x0000003d75207d14 in start_thread (arg=0x7f3bf6ef3700) at pthread_create.c:309
#13 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
Comment 4 Daniel Black 2013-07-29 00:10:39 UTC
Created attachment 30638 [details]
webroot files - digest_onetime
Comment 5 Daniel Black 2013-07-29 00:11:53 UTC
Created attachment 30639 [details]
python script for triggering faults - requires python-requests
Comment 6 Daniel Black 2013-07-29 00:24:55 UTC
Changing AuthDigestNonceLifetime to 10 in the digest_onetime/.htaccess file generated the following seg fault (still apache-2.4.4).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f3bfab91d58 in add_client (key=6, info=0x7f3beaff4950, s=0x1ef32e8) at mod_auth_digest.c:887
887         entry->next = client_list->table[bucket];
Missing separate debuginfos, use: debuginfo-install apr-1.4.6-1.fc17.x86_64 apr-util-1.4.1-2.fc17.x86_64 db4-4.8.30-10.fc17.x86_64 expat-2.1.0-3.1.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libuuid-2.21.2-4.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 nss-softokn-freebl-3.14.3-1.fc17.x86_64 pcre-8.21-7.fc17.x86_64
(gdb) bt
#0  0x00007f3bfab91d58 in add_client (key=6, info=0x7f3beaff4950, s=0x1ef32e8) at mod_auth_digest.c:887
#1  0x00007f3bfab929db in gen_client (r=0x7f3bd8002970) at mod_auth_digest.c:1151
#2  0x00007f3bfab92e13 in note_digest_auth_failure (r=0x7f3bd8002970, conf=0x7f3bd80082f8, resp=0x7f3bd80044a0, stale=0) at mod_auth_digest.c:1298
#3  0x00007f3bfab94c39 in authenticate_digest_user (r=0x7f3bd8002970) at mod_auth_digest.c:1847
#4  0x000000000044624c in ap_run_check_user_id (r=0x7f3bd8002970) at request.c:79
#5  0x000000000044752c in ap_process_request_internal (r=0x7f3bd8002970) at request.c:233
#6  0x000000000046e3b8 in ap_process_async_request (r=0x7f3bd8002970) at http_request.c:315
#7  0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f3bf00054a0) at http_core.c:143
#8  0x000000000046aac5 in ap_process_http_connection (c=0x7f3bf00054a0) at http_core.c:228
#9  0x000000000045fb75 in ap_run_process_connection (c=0x7f3bf00054a0) at connection.c:41
#10 0x0000000000478ac9 in process_socket (thd=0x1e7a470, p=0x7f3bf0005198, sock=0x7f3bf0005220, cs=0x7f3bf0005428, my_child_num=2, my_thread_num=17)
    at event.c:964
#11 0x000000000047b0b7 in worker_thread (thd=0x1e7a470, dummy=0x7f3bf00019b0) at event.c:1812
#12 0x0000003d75207d14 in start_thread (arg=0x7f3beaff5700) at pthread_create.c:309
#13 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
Comment 7 Daniel Black 2013-07-29 00:26:15 UTC
log message to previous:

==> /usr/local/apache2/logs/error_log <==
[Mon Jul 29 10:22:14.356396 2013] [auth_digest:error] [pid 1707:tid 139895322400512] [client 127.0.0.1:60007] AH01787: received invalid opaque - got `'
[Mon Jul 29 10:22:14.561615 2013] [core:notice] [pid 7872:tid 139895619991424] AH00051: child pid 1707 exit signal Segmentation fault (11), possible coredump in /tmp
Comment 8 Graham Leggett 2013-07-29 17:05:25 UTC
Can you try this patch and verify whether it works?

Index: modules/aaa/mod_auth_digest.c
===================================================================
--- modules/aaa/mod_auth_digest.c	(revision 1506737)
+++ modules/aaa/mod_auth_digest.c	(working copy)
@@ -1691,7 +1691,15 @@
         return HTTP_UNAUTHORIZED;
     }
 
-    if (strcmp(resp->realm, conf->realm)) {
+    if (!conf->realm) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02486)
+                      "realm mismatch - got `%s' but no realm specified",
+                      resp->realm);
+        note_digest_auth_failure(r, conf, resp, 0);
+        return HTTP_UNAUTHORIZED;
+    }
+
+    if (!resp->realm || strcmp(resp->realm, conf->realm)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01788)
                       "realm mismatch - got `%s' but expected `%s'",
                       resp->realm, conf->realm);
Comment 9 Daniel Black 2013-07-29 23:39:06 UTC
(In reply to Graham Leggett from comment #8)
> Can you try this patch and verify whether it works?
> 

It did fix  wget --http-user='username' --http-password='password' -S  http://localhost:801/digest/qop_none -O /dev/null


Unfixed is (apache2.4.4 only):

wget --http-user='username' --http-password='password' -S http://localhost:801/digest/nc/index.html -O /dev/null

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  __GI_____strtol_l_internal (nptr=0x0, endptr=0x7f9be6ff4a58, base=16, group=<optimized out>, loc=0x3d74db1020) at ../stdlib/strtol_l.c:298
298       while (ISSPACE (*s))
Missing separate debuginfos, use: debuginfo-install apr-1.4.6-1.fc17.x86_64 apr-util-1.4.1-2.fc17.x86_64 db4-4.8.30-10.fc17.x86_64 expat-2.1.0-3.1.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libuuid-2.21.2-4.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 nss-softokn-freebl-3.14.3-1.fc17.x86_64 pcre-8.21-7.fc17.x86_64
(gdb) bt
#0  __GI_____strtol_l_internal (nptr=0x0, endptr=0x7f9be6ff4a58, base=16, group=<optimized out>, loc=0x3d74db1020) at ../stdlib/strtol_l.c:298
#1  0x00007f9bf3bfc47e in check_nc (r=0x7f9bd80089a0, resp=0x7f9bd8009f60, conf=0x7f9bd800be78) at mod_auth_digest.c:1495
#2  0x00007f9bf3bfe362 in authenticate_digest_user (r=0x7f9bd80089a0) at mod_auth_digest.c:1949
#3  0x000000000044624c in ap_run_check_user_id (r=0x7f9bd80089a0) at request.c:79
#4  0x000000000044752c in ap_process_request_internal (r=0x7f9bd80089a0) at request.c:233
#5  0x000000000046e3b8 in ap_process_async_request (r=0x7f9bd80089a0) at http_request.c:315
#6  0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f9bec003520) at http_core.c:143
#7  0x000000000046aac5 in ap_process_http_connection (c=0x7f9bec003520) at http_core.c:228
#8  0x000000000045fb75 in ap_run_process_connection (c=0x7f9bec003520) at connection.c:41
#9  0x0000000000478ac9 in process_socket (thd=0x26ac1d0, p=0x7f9bec003218, sock=0x7f9bec0032a0, cs=0x7f9bec0034a8, my_child_num=0, my_thread_num=11)
    at event.c:964
#10 0x000000000047b0b7 in worker_thread (thd=0x26ac1d0, dummy=0x7f9bec001730) at event.c:1812
#11 0x0000003d75207d14 in start_thread (arg=0x7f9be6ff5700) at pthread_create.c:309
#12 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb) up
#1  0x00007f9bf3bfc47e in check_nc (r=0x7f9bd80089a0, resp=0x7f9bd8009f60, conf=0x7f9bd800be78) at mod_auth_digest.c:1495
1495        nc = strtol(snc, &endptr, 16);
(gdb) list
1490            }
1491            /* qop is none, cannot check nonce count */
1492            return OK;
1493        }
1494
1495        nc = strtol(snc, &endptr, 16);
1496        if (endptr < (snc+strlen(snc)) && !apr_isspace(*endptr)) {
1497            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01773)
1498                          "invalid nc %s received - not a number", snc);
1499            return !OK;



GET http://localhost:801/digest/
with the following headers failed {'Content-Length': '0', 'Authorization': '\n        Digest username="username",\n        algorithm="MD5",\n        realm="digest private area",\n        uri="/digest/",\n        nonce="2mVN7K7iBAA=7b1dbe7c698f1691a19944afebef1c40b7e9e024",\n        cnonce="",\n        nc="",\n        qop=auth,\n        response="b30e94d7c2a265c8db99ea33ec2de3b2"\n    '}

This occurred after editing /var/www/html/digest_onetime/.htaccess to:
AuthType Digest
AuthName "digest private area"
AuthDigestDomain /digest_onetime/
AuthBasicProvider file
AuthUserFile /var/www/html/digest_onetime/.htpasswd
AuthDigestNonceLifetime 10
Require valid-user

It looks like come configs here are more global or at least not cascaded right. I'll tar up the entire webroot just to be sure.

with the following core dump.

Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f9bf3bfad58 in add_client (key=6, info=0x7f9be77f5560, s=0x26a9508) at mod_auth_digest.c:887
887         entry->next = client_list->table[bucket];
Missing separate debuginfos, use: debuginfo-install apr-1.4.6-1.fc17.x86_64 apr-util-1.4.1-2.fc17.x86_64 db4-4.8.30-10.fc17.x86_64 expat-2.1.0-3.1.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libuuid-2.21.2-4.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 nss-softokn-freebl-3.14.3-1.fc17.x86_64 pcre-8.21-7.fc17.x86_64
(gdb) list
882
883         /* now add the entry */
884
885         memcpy(entry, info, sizeof(client_entry));
886         entry->key  = key;
887         entry->next = client_list->table[bucket];
888         client_list->table[bucket] = entry;
889         client_list->num_created++;
890         client_list->num_entries++;
891
(gdb) bt
#0  0x00007f9bf3bfad58 in add_client (key=6, info=0x7f9be77f5560, s=0x26a9508) at mod_auth_digest.c:887
#1  0x00007f9bf3bfb9db in gen_client (r=0x7f9bd4008990) at mod_auth_digest.c:1151
#2  0x00007f9bf3bfbda3 in note_digest_auth_failure (r=0x7f9bd4008990, conf=0x7f9bd400be88, resp=0x7f9bd8008470, stale=0) at mod_auth_digest.c:1289
#3  0x00007f9bf3bfe382 in authenticate_digest_user (r=0x7f9bd4008990) at mod_auth_digest.c:1950
#4  0x000000000044624c in ap_run_check_user_id (r=0x7f9bd4008990) at request.c:79
#5  0x000000000044752c in ap_process_request_internal (r=0x7f9bd4008990) at request.c:233
#6  0x000000000044b602 in ap_sub_req_lookup_dirent (dirent=0x7f9be77f5a00, r=0x7f9bd8006990, subtype=0, next_filter=0x0) at request.c:2182
#7  0x00007f9bf23c5990 in make_autoindex_entry (dirent=0x7f9be77f5a00, autoindex_opts=1048576, d=0x26fc4d8, r=0x7f9bd8006990, keyid=78 'N', 
    direction=65 'A', pattern=0x0) at mod_autoindex.c:1335
#8  0x00007f9bf23c8757 in index_directory (r=0x7f9bd8006990, autoindex_conf=0x26fc4d8) at mod_autoindex.c:2238
#9  0x00007f9bf23c89c7 in handle_autoindex (r=0x7f9bd8006990) at mod_autoindex.c:2308
#10 0x000000000045299e in ap_run_handler (r=0x7f9bd8006990) at config.c:169
#11 0x00000000004532ec in ap_invoke_handler (r=0x7f9bd8006990) at config.c:432
#12 0x000000000046e3cd in ap_process_async_request (r=0x7f9bd8006990) at http_request.c:317
#13 0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f9bec003240) at http_core.c:143
#14 0x000000000046aac5 in ap_process_http_connection (c=0x7f9bec003240) at http_core.c:228
#15 0x000000000045fb75 in ap_run_process_connection (c=0x7f9bec003240) at connection.c:41
#16 0x0000000000478ac9 in process_socket (thd=0x26ac1a0, p=0x7f9bec002f38, sock=0x7f9bec002fc0, cs=0x7f9bec0031c8, my_child_num=1, my_thread_num=10)
    at event.c:964
#17 0x000000000047b0b7 in worker_thread (thd=0x26ac1a0, dummy=0x7f9bec0008c0) at event.c:1812
#18 0x0000003d75207d14 in start_thread (arg=0x7f9be77f6700) at pthread_create.c:309
#19 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
Comment 10 Daniel Black 2013-07-29 23:40:10 UTC
Created attachment 30648 [details]
webroot files (all)
Comment 11 Daniel Black 2013-07-29 23:50:32 UTC
note the last still failing case in comment 10 is very close to bug #55286
Comment 12 Christophe JAILLET 2018-08-03 20:13:08 UTC
Could be a dup of bug 60075.
At least, add_client(...) looks involved in both cases.