Hi Felipe,

Apologies for the delay, I was away for a while.

I'm currently testing 2.8.0 and most of the JSON handling seems to be working OK. I found one minor issue with sanitiseArgs that I'll report in a separate email.

Thanks for your help.

Bruno


On 20 March 2014 18:25, Felipe Costa <FCosta@trustwave.com> wrote:
Hi Bruno,

Thanks for the detailed debugging information. I have just made some modifications on the code in order to fix the problem. The branch json_top_of_2_7_7 no longer exists, I would like to ask you to test the branch json instead:


This new branch not only contains this specific bugfix but is also up-to-date with our master branch.

Thanks,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND


On Feb 13, 2014, at 8:07 AM, Bruno Savioli <bruno@savioli.org> wrote:

Hi Felipe, 

Thanks for the instructions.

Here's the output of 'bt full', hope it helps. The fault is in strcmp called from sec_audit_logger (msc_logging.c:699) during the logging phase (phase 5), and the locals in that frame show str1 and str2 both NULL, so it looks like a NULL pointer is being handed to strcmp — which would mean any request that reaches the audit logger this way can take down the Apache child, even in DETECTION_ONLY mode.


Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse2 () at ../sysdeps/x86_64/strcmp.S:213
213 movlpd (%rdi), %xmm1
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64 db4-4.7.25-18.el6_4.x86_64 expat-2.0.1-11.el6_2.x86_64 keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-10.el6_4.6.x86_64 libcom_err-1.41.12-18.el6.x86_64 libselinux-2.0.94-5.3.el6_4.1.x86_64 libuuid-2.17.2-12.14.el6.x86_64 libxml2-2.7.6-14.el6.x86_64 lua-5.1.4-4.1.el6.x86_64 nspr-4.10.2-1.el6_5.x86_64 nss-3.15.3-3.el6_5.x86_64 nss-softokn-freebl-3.14.3-9.el6.x86_64 nss-util-3.15.3-1.el6_5.x86_64 openldap-2.4.23-32.el6_4.1.x86_64 openssl-1.0.1e-16.el6_5.4.x86_64 pcre-7.8-6.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) 
(gdb) bt full
#0  __strcmp_sse2 () at ../sysdeps/x86_64/strcmp.S:213
No locals.
#1  0x00007ffff2b81f7c in sec_audit_logger (msr=0x7ffff8d1da80) at msc_logging.c:699
        arg = 0x7ffff8d47fa8
        sorted_args = 0x7ffff8d5ba68
        nextarg = 0x0
        tarr = 0x7ffff8d39640
        telts = 0x7ffff8d39768
        offset = 0
        last_offset = 0
        sanitize = 0
        my_error_msg = 0x0
        arr = 0x7ffff8d48250
        te = 0x7ffff8d48378
        tarr_pattern = 0x7ffff8d33b68
        telts_pattern = 0x7ffff8d33c90
        str1 = 0x0
        str2 = 0x0
        text = 0x7ffff8d5ba50 "Content-Length: 133\n"
        rule = 0x0
        next_rule = 0x0
        nbytes = 0
        nbytes_written = 140737368015808
        md5hash = "\000\000\000\000\000\000\000\000\330\301\323\370\377\177\000"
        was_limited = 0
        present = 0
        wrote_response_body = 0
        entry_filename = 0xf8d3ba88 <Address 0xf8d3ba88 out of bounds>
        entry_basename = 0x7fffffffdc90 "h\272\325\370\377\177"
        rc = 0
        i = 0
        limit = -132113904
        k = 32767
        sanitized_partial = 0
        j = 32767
        buf = 0x0
        pat = 0x0
        mparm = 0x0
        arg_min = 32767
        arg_max = -120464768
        sanitize_matched = 0
#2  0x00007ffff2b79225 in modsecurity_process_phase_logging (msr=0x7ffff8d1da80) at modsecurity.c:695
        time_before = 1392288967111028
        time_after = 1392288967111070
#3  0x00007ffff2b794b5 in modsecurity_process_phase (msr=0x7ffff8d1da80, phase=5) at modsecurity.c:801
No locals.
#4  0x00007ffff2b77190 in hook_log_transaction (r=0x7ffff8d1c1f8) at mod_security2.c:1217
        arr = 0x7ffff8d5e0a0
        origr = 0x7ffff8d1c1f8
---Type <return> to continue, or q <return> to quit---
        msr = 0x7ffff8d1da80
#5  0x00007ffff7fc8600 in ap_run_log_transaction (r=0x7ffff8d1c1f8) at /usr/src/debug/httpd-2.2.15/server/protocol.c:1705
        pHook = <value optimized out>
        n = <value optimized out>
        rv = <value optimized out>
#6  0x00007ffff7fe5a7f in ap_process_request (r=0x7ffff8d1c1f8) at /usr/src/debug/httpd-2.2.15/modules/http/http_request.c:308
        access_status = <value optimized out>
#7  0x00007ffff7fe29a8 in ap_process_http_connection (c=0x7ffff8cadcf8) at /usr/src/debug/httpd-2.2.15/modules/http/http_core.c:190
        r = 0x7ffff8d1c1f8
        csd = 0x0
#8  0x00007ffff7fde6b8 in ap_run_process_connection (c=0x7ffff8cadcf8) at /usr/src/debug/httpd-2.2.15/server/connection.c:43
        pHook = <value optimized out>
        n = <value optimized out>
        rv = <value optimized out>
#9  0x00007ffff7fea977 in child_main (child_num_arg=<value optimized out>) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:667
        current_conn = <value optimized out>
        csd = 0x7ffff8cadb08
        ptrans = 0x7ffff8cada88
        allocator = 0x7ffff8cab980
        status = <value optimized out>
        i = <value optimized out>
        lr = <value optimized out>
        pollset = 0x7ffff8cabc20
        sbh = 0x7ffff8cabc18
        bucket_alloc = 0x7ffff8d14148
        last_poll_idx = 1
#10 0x00007ffff7feac46 in make_child (s=0x7ffff8212880, slot=0) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:707
        pid = <value optimized out>
#11 0x00007ffff7feb293 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:983
        index = <value optimized out>
        remaining_children_to_start = <value optimized out>
        rv = <value optimized out>
#12 0x00007ffff7fc2900 in main (argc=4, argv=0x7fffffffe338) at /usr/src/debug/httpd-2.2.15/server/main.c:760
        c = 102 'f'
        configtestonly = <value optimized out>
        confname = 0x7fffffffe5c2 "/etc/httpd/conf/httpd.conf"
        def_server_root = 0x7ffff7fed1f3 "/etc/httpd"
        temp_error_log = 0x0
        error = <value optimized out>
        process = 0x7ffff8212880
        server_conf = 0x7ffff8212880
        pglobal = 0x7ffff8209148
        pconf = 0x7ffff820b158
        plog = 0x7ffff823d2e8
        ptemp = 0x7ffff820f178
        pcommands = 0x7ffff820d168
        opt = 0x7ffff820d260
        rv = <value optimized out>
        mod = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        optarg = 0x7fffffffe5c2 "/etc/httpd/conf/httpd.conf"
        signal_server = <value optimized out>









On 13 February 2014 03:25, Felipe Costa <FCosta@trustwave.com> wrote:
Hi Bruno,

Thank you for the report.

Would you mind generating more information using GDB?

I've just created a guide on how to use GDB to help with the bug reporting process; it is available on our wiki:

Thanks,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND

On Feb 12, 2014, at 9:23 AM, Bruno Savioli de Almeida <bruno@savioli.org> wrote:

Hi,

I'm testing the JSON patches from the json_top_of_2_7_7 branch and I'm getting what appear to be random segfaults. I say random because I haven't managed to identify any pattern in the type of requests that segfault.

Test environment:
Centos 6.5 x86_64
httpd-2.2.15-29.el6.centos.x86_64
mod_security compiled with yajl-2.0.5


I'm running mod_security in DETECTION_ONLY mode, with the OWASP CRS and the JSON requestBodyProcessor enabled.

When a request segfaults, the audit log only records parts A and B (the rest of the audit entry is never written, presumably because the process dies before it gets that far):

To avoid making this email too long, logs are here: http://pastebin.com/MnehgvJw

Let me know if I can help with any more information.


Thanks,


--
- Bruno








--
- Bruno







--
- Bruno