Bug 63083 - Spinning thread in ssl_io_input_read in ssl_engine_io.c against OpenSSL 1.1.1a
Summary: Spinning thread in ssl_io_input_read in ssl_engine_io.c against OpenSSL 1.1.1a
Status: RESOLVED DUPLICATE of bug 63052
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.37
Hardware: Other Linux
Importance: P2 major
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-17 13:30 UTC by martyn.shakespeare
Modified: 2019-01-17 13:33 UTC
Description martyn.shakespeare 2019-01-17 13:30:03 UTC
Apache 2.4.37 dynamically linked against OpenSSL 1.1.1a using worker MPM (default configuration).  Occurs on both Oracle Enterprise Linux 5 and OEL7.

Certain URLs from security scanner software (two seen so far, one appears to be for CVE-2017-5638, the other has mention of Python, from what I can see in the debugger) cause the thread to spin in function ssl_io_input_read in ssl_engine_io.c within the while(1) loop.  ssl_err=2 (SSL_ERROR_WANT_READ) and *len=0, so we loop forever back and forth from the SSL library.  No errors logged.

It would be helpful if e.g. the timeout values were checked in this loop so that this situation could be avoided.

I'll try to get exact details of what the security team are doing to provoke this and add later.

FWIW, a typical stack trace from the thread:
#0  0x00002ad77ea27355 in ssl_read_internal ()
   from /software/bea/openssl/1.1.1a/lib/libssl.so.1.1
No symbol table info available.
#1  0x00002ad77ea276e5 in SSL_read ()
   from /software/bea/openssl/1.1.1a/lib/libssl.so.1.1
No symbol table info available.
#2  0x00002ad77e7c6894 in ssl_io_input_read (inctx=0x16ac00e8,
    buf=0x16ac0130 "GET /np_handler/?OPERATION=get&PAGE=User&OUTER_TAB=tab_myshares&INNER_TAB=NONE&user=null&addr=IP360%22)%3B%60echo%20IP360%20Scan%60%3B%23 HTTP/1.0\r\n\r\n-Encoding: identity\r\nContent-Length: 83\r\nHost: 10."...,
    len=0x2ad79050feb8) at ssl_engine_io.c:673
        wanted = 8192
        bytes = 0
        rc = -1
#3  0x00002ad77e7c9b4b in ssl_io_input_getline (f=0x16ac2138, bb=0x16aa40f0,
    mode=<value optimized out>, block=<value optimized out>, readbytes=0)
    at ssl_engine_io.c:802
No locals.
#4  ssl_io_filter_input (f=0x16ac2138, bb=0x16aa40f0,
    mode=<value optimized out>, block=<value optimized out>, readbytes=0)
    at ssl_engine_io.c:1565
        status = 70023
        inctx = 0x167d4170
        start = 0x16ac0130 "GET /np_handler/?OPERATION=get&PAGE=User&OUTER_TAB=tab_myshares&INNER_TAB=NONE&user=null&addr=IP360%22)%3B%60echo%20IP360%20Scan%60%3B%23 HTTP/1.0\r\n\r\n-Encoding: identity\r\nContent-Length: 83\r\nHost: 10."...
        len = 0
        is_init = <value optimized out>
        bucket = <value optimized out>
#5  0x000000000043c2ed in ap_rgetline_core (s=0x16aa2c10, n=8192,
    read=0x2ad790510000, r=0x16aa2be0, flags=2, bb=0x16aa40f0)
    at protocol.c:246
        rv = 380251152
        e = <value optimized out>
        bytes_handled = 0
        current_alloc = 0
        pos = 0x166d3a58 "\270\067m\026"
        last_char = 0x0
        do_alloc = 1
        saw_eos = 0
        nospc_eol = 0
        saw_eol = 0
        saw_nospc = 0
#6  0x000000000043de07 in read_request_line (conn=0x166d3a58) at protocol.c:682
No locals.
#7  ap_read_request (conn=0x166d3a58) at protocol.c:1322
        r = 0x16aa2be0
        p = 0x16aa2b68
        expect = <value optimized out>
        access_status = <value optimized out>
        tmp_bb = 0x16aa40f0
        csd = <value optimized out>
        cur_timeout = <value optimized out>
#8  0x00000000004667a5 in ap_process_http_sync_connection (c=0x166d3a58)
    at http_core.c:192
No locals.
#9  ap_process_http_connection (c=0x166d3a58) at http_core.c:251
No locals.
#10 0x000000000045de2a in ap_run_process_connection (c=0x166d3a58)
    at connection.c:42
        n = 1
        rv = 8192
#11 0x0000000000470cd9 in process_socket (thd=0x1654b608,
    dummy=<value optimized out>) at worker.c:479
        current_conn = 0x166d3a58
        conn_id = 23
        sbh = 0x166d3a50
#12 worker_thread (thd=0x1654b608, dummy=<value optimized out>) at worker.c:808
        process_slot = 0
        thread_slot = 23
        csd = 0x166d3840
        bucket_alloc = 0x16a8e888
        last_ptrans = <value optimized out>
        ptrans = 0x166d37b8
        rv = <value optimized out>
        is_idle = <value optimized out>
#13 0x00000039a420683d in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#14 0x00000039a3ad518d in clone () from /lib64/libc.so.6
No symbol table info available.
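To make the reported failure mode concrete, here is a constructed C simulation of the read loop shape described above, written as an added example for this page; it is not mod_ssl's ssl_io_input_read, not OpenSSL, and not code from the reporter. A fake transport (sim_conn, sim_ssl_read, the SIM_ERROR_* values and the "tick" budget are all assumptions standing in for SSL_read/SSL_get_error and the connection timeout) models a peer that keeps the TLS layer answering WANT_READ with zero bytes. read_spinning shows the unbounded retry; read_with_deadline shows the timeout check the reporter asks for, so the thread gives up instead of spinning.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed stand-ins for SSL_get_error() results (not OpenSSL's values). */
enum { SIM_ERROR_NONE = 0, SIM_ERROR_WANT_READ = 2, SIM_ERROR_ZERO_RETURN = 6 };

/* Constructed fake connection: the peer delivers `data` only after
 * `ready_after` WANT_READ results; ready_after < 0 means it never delivers. */
typedef struct {
    const char *data;
    size_t      len;
    size_t      pos;
    int         ready_after;
    int         calls;   /* how many read attempts were made */
    int         err;     /* last error, like SSL_get_error() */
} sim_conn;

/* Mimics SSL_read(): >0 bytes, or -1 with err = WANT_READ when the
 * record layer has nothing for us yet. */
static int sim_ssl_read(sim_conn *c, char *buf, size_t want)
{
    c->calls++;
    if (c->ready_after < 0 || c->calls <= c->ready_after) {
        c->err = SIM_ERROR_WANT_READ;
        return -1;
    }
    size_t n = c->len - c->pos;
    if (n == 0) { c->err = SIM_ERROR_ZERO_RETURN; return 0; }
    if (n > want) n = want;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    c->err = SIM_ERROR_NONE;
    return (int)n;
}

/* Loop shape from the report: on WANT_READ go straight back into the
 * library. max_spins exists only so this demo terminates; against a peer
 * that never delivers, the real loop has no exit. Returns bytes or -1. */
static int read_spinning(sim_conn *c, char *buf, size_t want, int max_spins)
{
    int spins = 0;
    while (1) {
        int rc = sim_ssl_read(c, buf, want);
        if (rc > 0) return rc;
        if (c->err == SIM_ERROR_WANT_READ) {
            if (++spins >= max_spins) return -1;   /* demo guard only */
            continue;
        }
        return rc;
    }
}

/* Same loop with a deadline: every WANT_READ consumes one tick of the
 * connection timeout budget (in a real server this would be a poll() on
 * the socket bounded by the remaining time), and the loop returns -2
 * once the budget is spent instead of retrying forever. */
static int read_with_deadline(sim_conn *c, char *buf, size_t want,
                              int timeout_ticks, int *ticks_waited)
{
    int waited = 0;
    while (1) {
        int rc = sim_ssl_read(c, buf, want);
        if (rc > 0) { *ticks_waited = waited; return rc; }
        if (c->err == SIM_ERROR_WANT_READ) {
            if (waited >= timeout_ticks) { *ticks_waited = waited; return -2; }
            waited++;
            continue;
        }
        *ticks_waited = waited;
        return rc;
    }
}

/* Scenario helpers so each outcome is a returned value. */
static const char *const REQ = "GET / HTTP/1.0\r\n";   /* constructed input */

int spin_attempts_when_peer_stalls(int max_spins)
{
    sim_conn c = { REQ, strlen(REQ), 0, -1, 0, 0 };
    char buf[64];
    read_spinning(&c, buf, sizeof buf, max_spins);
    return c.calls;
}

int deadline_result_when_peer_stalls(int timeout_ticks)
{
    sim_conn c = { REQ, strlen(REQ), 0, -1, 0, 0 };
    char buf[64];
    int t = 0;
    return read_with_deadline(&c, buf, sizeof buf, timeout_ticks, &t);
}

int deadline_bytes_when_peer_delivers(void)
{
    sim_conn c = { REQ, strlen(REQ), 0, 3, 0, 0 };
    char buf[64];
    int t = 0;
    return read_with_deadline(&c, buf, sizeof buf, 50, &t);
}

int deadline_ticks_when_peer_delivers(void)
{
    sim_conn c = { REQ, strlen(REQ), 0, 3, 0, 0 };
    char buf[64];
    int t = 0;
    read_with_deadline(&c, buf, sizeof buf, 50, &t);
    return t;
}

int main(void)
{
    printf("spin loop attempts before demo guard: %d\n",
           spin_attempts_when_peer_stalls(1000));
    printf("deadline loop result on stalled peer: %d\n",
           deadline_result_when_peer_stalls(50));
    printf("deadline loop on delivering peer: %d bytes after %d ticks\n",
           deadline_bytes_when_peer_delivers(), deadline_ticks_when_peer_delivers());
    return 0;
}
```

The stalled-peer case is the report's symptom in miniature: the spinning loop makes as many read attempts as you let it, each returning WANT_READ with zero bytes, while the deadline variant stops after the configured budget. The delivering-peer case shows the deadline check costs nothing on a healthy connection.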
Comment 1 Joe Orton 2019-01-17 13:33:40 UTC

*** This bug has been marked as a duplicate of bug 63052 ***