Created attachment 30605 [details]
httpd config

discovered in 2.2.23-1.fc17
repeatable in apache-2.4.4 (compiled from source)

#0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
No locals.
#1 0x00007f70f6a55b04 in authenticate_digest_user (r=0x7f70dc006990) at mod_auth_digest.c:1837
        conf = 0x7f70dc00bbe0
        resp = 0x7f70dc007f40
        mainreq = 0x7f70dc006990
        t = 0x7f70dc003df8 "Digest"
        res = 0
        return_code = AUTH_DENIED
#2 0x000000000044624c in ap_run_check_user_id (r=0x7f70dc006990) at request.c:79
        pHook = 0x13da168
        n = 2
        rv = -1
#3 0x000000000044752c in ap_process_request_internal (r=0x7f70dc006990) at request.c:233
        file_req = 0
        access_status = -1
        d = 0x7f70dc00bf18
#4 0x000000000046e3b8 in ap_process_async_request (r=0x7f70dc006990) at http_request.c:315
        c = 0x7f70ec003250
        access_status = -1
#5 0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f70ec003250) at http_core.c:143
        r = 0x7f70dc006990
        cs = 0x7f70ec003228
#6 0x000000000046aac5 in ap_process_http_connection (c=0x7f70ec003250) at http_core.c:228
No locals.
#7 0x000000000045fb75 in ap_run_process_connection (c=0x7f70ec003250) at connection.c:41
        pHook = 0x13d9eb0
        n = 1
        rv = -1
#8 0x0000000000478ac9 in process_socket (thd=0x137dff0, p=0x7f70ec002f58, sock=0x7f70ec002fd0, cs=0x7f70ec0031d8, my_child_num=1, my_thread_num=1) at event.c:964
        c = 0x7f70ec003250
        conn_id = 65
        rc = 32624
        sbh = 0x7f70ec0038c8
#9 0x000000000047b0b7 in worker_thread (thd=0x137dff0, dummy=0x7f70ec000a10) at event.c:1812
        ti = 0x7f70ec000a10
        process_slot = 1
        thread_slot = 1
        csd = 0x7f70ec002fd0
        cs = 0x7f70ec0031d8
        ptrans = 0x7f70ec002f58
        rv = 0
        is_idle = 0
        te = 0x0
#10 0x0000003d75207d14 in start_thread (arg=0x7f70f35b5700) at pthread_create.c:309
        __res = <optimized out>
        pd = 0x7f70f35b5700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140123095914240, -3354921391018301741, 0, 263947681792, 140123095914240, 0, 3427532282626221779, -3383884997834266925}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#11 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Triggered with
wget --http-user='username' --http-password='password' -S http://localhost:801/digest/qop_none -O /dev/nul
Created attachment 30606 [details] .htaccess files in webroot
Also was able to generate a segv by having the following directory and file in the digest directory:

digest $ more nc/.htaccess
AuthDigestNcCheck on

wget --http-user='username' --http-password='password' -S http://localhost:801/digest/nc/index.html -O /dev/null

==> /usr/local/apache2/logs/error_log <==
[Sun Jul 21 20:34:21.542949 2013] [core:notice] [pid 5498:tid 140470958016384] AH00052: child pid 5499 exit signal Segmentation fault (11)
[Sun Jul 21 20:34:22.544945 2013] [core:notice] [pid 5498:tid 140470958016384] AH00052: child pid 5501 exit signal Segmentation fault (11)
[Sun Jul 21 20:34:24.547243 2013] [core:notice] [pid 5498:tid 140470958016384] AH00052: child pid 5500 exit signal Segmentation fault (11)
Next segfault:
digest_onetime.tar and the script digest.py

Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 8, Arithmetic exception.
#0 0x00007f3bfab91ad2 in add_client (key=9, info=0x7f3bf6ef2950, s=0x1f0c888) at mod_auth_digest.c:859
859     bucket = key % client_list->tbl_len;
Missing separate debuginfos, use: debuginfo-install apr-1.4.6-1.fc17.x86_64 apr-util-1.4.1-2.fc17.x86_64 db4-4.8.30-10.fc17.x86_64 expat-2.1.0-3.1.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libuuid-2.21.2-4.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 nss-softokn-freebl-3.14.3-1.fc17.x86_64 pcre-8.21-7.fc17.x86_64
(gdb) bt
#0 0x00007f3bfab91ad2 in add_client (key=9, info=0x7f3bf6ef2950, s=0x1f0c888) at mod_auth_digest.c:859
#1 0x00007f3bfab929db in gen_client (r=0x7f3be000c9c0) at mod_auth_digest.c:1151
#2 0x00007f3bfab92e13 in note_digest_auth_failure (r=0x7f3be000c9c0, conf=0x7f3be0004268, resp=0x7f3be000e4f0, stale=0) at mod_auth_digest.c:1298
#3 0x00007f3bfab94c39 in authenticate_digest_user (r=0x7f3be000c9c0) at mod_auth_digest.c:1847
#4 0x000000000044624c in ap_run_check_user_id (r=0x7f3be000c9c0) at request.c:79
#5 0x000000000044752c in ap_process_request_internal (r=0x7f3be000c9c0) at request.c:233
#6 0x000000000046e3b8 in ap_process_async_request (r=0x7f3be000c9c0) at http_request.c:315
#7 0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f3bf0003220) at http_core.c:143
#8 0x000000000046aac5 in ap_process_http_connection (c=0x7f3bf0003220) at http_core.c:228
#9 0x000000000045fb75 in ap_run_process_connection (c=0x7f3bf0003220) at connection.c:41
#10 0x0000000000478ac9 in process_socket (thd=0x1eb1ba0, p=0x7f3bf0002f18, sock=0x7f3bf0002fa0, cs=0x7f3bf00031a8, my_child_num=3, my_thread_num=2) at event.c:964
#11 0x000000000047b0b7 in worker_thread (thd=0x1eb1ba0, dummy=0x7f3bf00008c0) at event.c:1812
#12 0x0000003d75207d14 in start_thread (arg=0x7f3bf6ef3700) at pthread_create.c:309
#13 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
Created attachment 30638 [details] webroot files - digest_onetime
Created attachment 30639 [details] python script for triggering faults - requires python-requests
Changing AuthDigestNonceLifetime to 10 in the digest_onetime/.htaccess file generated the following seg fault (still apache-2.4.4).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f3bfab91d58 in add_client (key=6, info=0x7f3beaff4950, s=0x1ef32e8) at mod_auth_digest.c:887
887     entry->next = client_list->table[bucket];
Missing separate debuginfos, use: debuginfo-install apr-1.4.6-1.fc17.x86_64 apr-util-1.4.1-2.fc17.x86_64 db4-4.8.30-10.fc17.x86_64 expat-2.1.0-3.1.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libuuid-2.21.2-4.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 nss-softokn-freebl-3.14.3-1.fc17.x86_64 pcre-8.21-7.fc17.x86_64
(gdb) bt
#0 0x00007f3bfab91d58 in add_client (key=6, info=0x7f3beaff4950, s=0x1ef32e8) at mod_auth_digest.c:887
#1 0x00007f3bfab929db in gen_client (r=0x7f3bd8002970) at mod_auth_digest.c:1151
#2 0x00007f3bfab92e13 in note_digest_auth_failure (r=0x7f3bd8002970, conf=0x7f3bd80082f8, resp=0x7f3bd80044a0, stale=0) at mod_auth_digest.c:1298
#3 0x00007f3bfab94c39 in authenticate_digest_user (r=0x7f3bd8002970) at mod_auth_digest.c:1847
#4 0x000000000044624c in ap_run_check_user_id (r=0x7f3bd8002970) at request.c:79
#5 0x000000000044752c in ap_process_request_internal (r=0x7f3bd8002970) at request.c:233
#6 0x000000000046e3b8 in ap_process_async_request (r=0x7f3bd8002970) at http_request.c:315
#7 0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f3bf00054a0) at http_core.c:143
#8 0x000000000046aac5 in ap_process_http_connection (c=0x7f3bf00054a0) at http_core.c:228
#9 0x000000000045fb75 in ap_run_process_connection (c=0x7f3bf00054a0) at connection.c:41
#10 0x0000000000478ac9 in process_socket (thd=0x1e7a470, p=0x7f3bf0005198, sock=0x7f3bf0005220, cs=0x7f3bf0005428, my_child_num=2, my_thread_num=17) at event.c:964
#11 0x000000000047b0b7 in worker_thread (thd=0x1e7a470, dummy=0x7f3bf00019b0) at event.c:1812
#12 0x0000003d75207d14 in start_thread (arg=0x7f3beaff5700) at pthread_create.c:309
#13 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
log message to previous:

==> /usr/local/apache2/logs/error_log <==
[Mon Jul 29 10:22:14.356396 2013] [auth_digest:error] [pid 1707:tid 139895322400512] [client 127.0.0.1:60007] AH01787: received invalid opaque - got `'
[Mon Jul 29 10:22:14.561615 2013] [core:notice] [pid 7872:tid 139895619991424] AH00051: child pid 1707 exit signal Segmentation fault (11), possible coredump in /tmp
Can you try this patch and verify whether it works? Index: modules/aaa/mod_auth_digest.c =================================================================== --- modules/aaa/mod_auth_digest.c (revision 1506737) +++ modules/aaa/mod_auth_digest.c (working copy) @@ -1691,7 +1691,15 @@ return HTTP_UNAUTHORIZED; } - if (strcmp(resp->realm, conf->realm)) { + if (!conf->realm) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02486) + "realm mismatch - got `%s' but no realm specified", + resp->realm); + note_digest_auth_failure(r, conf, resp, 0); + return HTTP_UNAUTHORIZED; + } + + if (!resp->realm || strcmp(resp->realm, conf->realm)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01788) "realm mismatch - got `%s' but expected `%s'", resp->realm, conf->realm);
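Review bot: In the added `!conf->realm` branch, `resp->realm` is handed to `%s` before anything has tested it for NULL; the NULL test on `resp->realm` only appears in the `if` that follows. The rewritten condition `!resp->realm || strcmp(...)` has the same issue in the other direction: when it is true because `resp->realm` is NULL, the unchanged 01788 message still formats `resp->realm` as a string and reports a "mismatch" for what is really a missing parameter. Suggest testing `!resp->realm` first with its own log message, then `!conf->realm`, then the `strcmp`, so each message only formats pointers already known to be non-NULL.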
(In reply to Graham Leggett from comment #8)
> Can you try this patch and verify whether it works?
>

It did fix
wget --http-user='username' --http-password='password' -S http://localhost:801/digest/qop_none -O /dev/null

Unfixed is (apache2.4.4 only):
wget --http-user='username' --http-password='password' -S http://localhost:801/digest/nc/index.html -O /dev/null

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0 __GI_____strtol_l_internal (nptr=0x0, endptr=0x7f9be6ff4a58, base=16, group=<optimized out>, loc=0x3d74db1020) at ../stdlib/strtol_l.c:298
298     while (ISSPACE (*s))
Missing separate debuginfos, use: debuginfo-install apr-1.4.6-1.fc17.x86_64 apr-util-1.4.1-2.fc17.x86_64 db4-4.8.30-10.fc17.x86_64 expat-2.1.0-3.1.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libuuid-2.21.2-4.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 nss-softokn-freebl-3.14.3-1.fc17.x86_64 pcre-8.21-7.fc17.x86_64
(gdb) bt
#0 __GI_____strtol_l_internal (nptr=0x0, endptr=0x7f9be6ff4a58, base=16, group=<optimized out>, loc=0x3d74db1020) at ../stdlib/strtol_l.c:298
#1 0x00007f9bf3bfc47e in check_nc (r=0x7f9bd80089a0, resp=0x7f9bd8009f60, conf=0x7f9bd800be78) at mod_auth_digest.c:1495
#2 0x00007f9bf3bfe362 in authenticate_digest_user (r=0x7f9bd80089a0) at mod_auth_digest.c:1949
#3 0x000000000044624c in ap_run_check_user_id (r=0x7f9bd80089a0) at request.c:79
#4 0x000000000044752c in ap_process_request_internal (r=0x7f9bd80089a0) at request.c:233
#5 0x000000000046e3b8 in ap_process_async_request (r=0x7f9bd80089a0) at http_request.c:315
#6 0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f9bec003520) at http_core.c:143
#7 0x000000000046aac5 in ap_process_http_connection (c=0x7f9bec003520) at http_core.c:228
#8 0x000000000045fb75 in ap_run_process_connection (c=0x7f9bec003520) at connection.c:41
#9 0x0000000000478ac9 in process_socket (thd=0x26ac1d0, p=0x7f9bec003218, sock=0x7f9bec0032a0, cs=0x7f9bec0034a8, my_child_num=0, my_thread_num=11) at event.c:964
#10 0x000000000047b0b7 in worker_thread (thd=0x26ac1d0, dummy=0x7f9bec001730) at event.c:1812
#11 0x0000003d75207d14 in start_thread (arg=0x7f9be6ff5700) at pthread_create.c:309
#12 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb) up
#1 0x00007f9bf3bfc47e in check_nc (r=0x7f9bd80089a0, resp=0x7f9bd8009f60, conf=0x7f9bd800be78) at mod_auth_digest.c:1495
1495    nc = strtol(snc, &endptr, 16);
(gdb) list
1490        }
1491        /* qop is none, cannot check nonce count */
1492        return OK;
1493    }
1494
1495    nc = strtol(snc, &endptr, 16);
1496    if (endptr < (snc+strlen(snc)) && !apr_isspace(*endptr)) {
1497        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01773)
1498                      "invalid nc %s received - not a number", snc);
1499        return !OK;

GET http://localhost:801/digest/ with the following headers failed
{'Content-Length': '0', 'Authorization': '\n Digest username="username",\n algorithm="MD5",\n realm="digest private area",\n uri="/digest/",\n nonce="2mVN7K7iBAA=7b1dbe7c698f1691a19944afebef1c40b7e9e024",\n cnonce="",\n nc="",\n qop=auth,\n response="b30e94d7c2a265c8db99ea33ec2de3b2"\n '}

This occurred after editing /var/www/html/digest_onetime/.htaccess to:

AuthType Digest
AuthName "digest private area"
AuthDigestDomain /digest_onetime/
AuthBasicProvider file
AuthUserFile /var/www/html/digest_onetime/.htpasswd
AuthDigestNonceLifetime 10
Require valid-user

It looks like some configs here are more global or at least not cascaded right. I'll tar up the entire webroot just to be sure.

with the following core dump.

Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f9bf3bfad58 in add_client (key=6, info=0x7f9be77f5560, s=0x26a9508) at mod_auth_digest.c:887
887     entry->next = client_list->table[bucket];
Missing separate debuginfos, use: debuginfo-install apr-1.4.6-1.fc17.x86_64 apr-util-1.4.1-2.fc17.x86_64 db4-4.8.30-10.fc17.x86_64 expat-2.1.0-3.1.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libuuid-2.21.2-4.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 nss-softokn-freebl-3.14.3-1.fc17.x86_64 pcre-8.21-7.fc17.x86_64
(gdb) list
882
883     /* now add the entry */
884
885     memcpy(entry, info, sizeof(client_entry));
886     entry->key = key;
887     entry->next = client_list->table[bucket];
888     client_list->table[bucket] = entry;
889     client_list->num_created++;
890     client_list->num_entries++;
891
(gdb) bt
#0 0x00007f9bf3bfad58 in add_client (key=6, info=0x7f9be77f5560, s=0x26a9508) at mod_auth_digest.c:887
#1 0x00007f9bf3bfb9db in gen_client (r=0x7f9bd4008990) at mod_auth_digest.c:1151
#2 0x00007f9bf3bfbda3 in note_digest_auth_failure (r=0x7f9bd4008990, conf=0x7f9bd400be88, resp=0x7f9bd8008470, stale=0) at mod_auth_digest.c:1289
#3 0x00007f9bf3bfe382 in authenticate_digest_user (r=0x7f9bd4008990) at mod_auth_digest.c:1950
#4 0x000000000044624c in ap_run_check_user_id (r=0x7f9bd4008990) at request.c:79
#5 0x000000000044752c in ap_process_request_internal (r=0x7f9bd4008990) at request.c:233
#6 0x000000000044b602 in ap_sub_req_lookup_dirent (dirent=0x7f9be77f5a00, r=0x7f9bd8006990, subtype=0, next_filter=0x0) at request.c:2182
#7 0x00007f9bf23c5990 in make_autoindex_entry (dirent=0x7f9be77f5a00, autoindex_opts=1048576, d=0x26fc4d8, r=0x7f9bd8006990, keyid=78 'N', direction=65 'A', pattern=0x0) at mod_autoindex.c:1335
#8 0x00007f9bf23c8757 in index_directory (r=0x7f9bd8006990, autoindex_conf=0x26fc4d8) at mod_autoindex.c:2238
#9 0x00007f9bf23c89c7 in handle_autoindex (r=0x7f9bd8006990) at mod_autoindex.c:2308
#10 0x000000000045299e in ap_run_handler (r=0x7f9bd8006990) at config.c:169
#11 0x00000000004532ec in ap_invoke_handler (r=0x7f9bd8006990) at config.c:432
#12 0x000000000046e3cd in ap_process_async_request (r=0x7f9bd8006990) at http_request.c:317
#13 0x000000000046a8d9 in ap_process_http_async_connection (c=0x7f9bec003240) at http_core.c:143
#14 0x000000000046aac5 in ap_process_http_connection (c=0x7f9bec003240) at http_core.c:228
#15 0x000000000045fb75 in ap_run_process_connection (c=0x7f9bec003240) at connection.c:41
#16 0x0000000000478ac9 in process_socket (thd=0x26ac1a0, p=0x7f9bec002f38, sock=0x7f9bec002fc0, cs=0x7f9bec0031c8, my_child_num=1, my_thread_num=10) at event.c:964
#17 0x000000000047b0b7 in worker_thread (thd=0x26ac1a0, dummy=0x7f9bec0008c0) at event.c:1812
#18 0x0000003d75207d14 in start_thread (arg=0x7f9be77f6700) at pthread_create.c:309
#19 0x0000003d74af168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
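
The crash sites in the traces above share one pattern: `strtol(snc, ...)` in `check_nc` receives `nptr=0x0`, and `add_client` takes `key % client_list->tbl_len` and indexes `client_list->table[bucket]` without first checking that the table is usable. The following is an added sketch of the defensive checks, not httpd's code and not the fix applied to this bug; `parse_nc`, `bucket_for` and `struct client_table` are hypothetical names, and rejecting everything except plain hex digits is an assumption of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: parse the Digest "nc" parameter as a hex count.
 * Returns 0 and stores the value on success; -1 if nc is absent, empty,
 * not pure hex, or out of range. *out is untouched on failure. */
int parse_nc(const char *snc, unsigned long *out)
{
    const char *p;
    char *end;
    unsigned long v;

    if (snc == NULL || *snc == '\0')   /* header had no nc, or nc="" */
        return -1;
    for (p = snc; *p != '\0'; p++)     /* strtoul alone would accept " -0x1" */
        if (!isxdigit((unsigned char)*p))
            return -1;
    errno = 0;
    v = strtoul(snc, &end, 16);
    if (errno == ERANGE || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Hypothetical stand-in for the shared client table. */
struct client_table {
    unsigned long tbl_len;
    void **table;
};

/* Returns the bucket index, or -1 when the table cannot be used
 * (never allocated, or zero length, which would divide by zero). */
long bucket_for(const struct client_table *t, unsigned long key)
{
    if (t == NULL || t->table == NULL || t->tbl_len == 0)
        return -1;
    return (long)(key % t->tbl_len);
}

int main(void)
{
    unsigned long nc = 0;
    struct client_table unset = { 0, NULL };   /* constructed sample state */
    int rc = parse_nc("00000001", &nc);

    printf("nc=\"\" -> %d\n", parse_nc("", &nc));
    printf("nc=00000001 -> %d (value %lu)\n", rc, nc);
    printf("bucket(key=9, unset table) -> %ld\n", bucket_for(&unset, 9));
    return 0;
}
```

A caller would treat a -1 from either function as an authentication failure rather than continuing with the request.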
Created attachment 30648 [details] webroot files (all)
note the last still failing case in comment 10 is very close to bug #55286
Could be a dup of bug 60075. At least, add_client(...) looks involved in both cases.