Re: [Mod-security-developers] segfaults on JSON request body processor
From: Bruno S. <br...@sa...> - 2014-02-13 11:07:36
Hi Felipe,
Thanks for the instructions.
Here's the output of 'bt full', hope it helps.
Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse2 () at ../sysdeps/x86_64/strcmp.S:213
213 movlpd (%rdi), %xmm1
Missing separate debuginfos, use: debuginfo-install
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64 db4-4.7.25-18.el6_4.x86_64
expat-2.0.1-11.el6_2.x86_64 keyutils-libs-1.4-4.el6.x86_64
krb5-libs-1.10.3-10.el6_4.6.x86_64 libcom_err-1.41.12-18.el6.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64 libuuid-2.17.2-12.14.el6.x86_64
libxml2-2.7.6-14.el6.x86_64 lua-5.1.4-4.1.el6.x86_64
nspr-4.10.2-1.el6_5.x86_64 nss-3.15.3-3.el6_5.x86_64
nss-softokn-freebl-3.14.3-9.el6.x86_64 nss-util-3.15.3-1.el6_5.x86_64
openldap-2.4.23-32.el6_4.1.x86_64 openssl-1.0.1e-16.el6_5.4.x86_64
pcre-7.8-6.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb)
(gdb) bt full
#0 __strcmp_sse2 () at ../sysdeps/x86_64/strcmp.S:213
No locals.
#1 0x00007ffff2b81f7c in sec_audit_logger (msr=0x7ffff8d1da80) at
msc_logging.c:699
arg = 0x7ffff8d47fa8
sorted_args = 0x7ffff8d5ba68
nextarg = 0x0
tarr = 0x7ffff8d39640
telts = 0x7ffff8d39768
offset = 0
last_offset = 0
sanitize = 0
my_error_msg = 0x0
arr = 0x7ffff8d48250
te = 0x7ffff8d48378
tarr_pattern = 0x7ffff8d33b68
telts_pattern = 0x7ffff8d33c90
str1 = 0x0
str2 = 0x0
text = 0x7ffff8d5ba50 "Content-Length: 133\n"
rule = 0x0
next_rule = 0x0
nbytes = 0
nbytes_written = 140737368015808
md5hash =
"\000\000\000\000\000\000\000\000\330\301\323\370\377\177\000"
was_limited = 0
present = 0
wrote_response_body = 0
entry_filename = 0xf8d3ba88 <Address 0xf8d3ba88 out of bounds>
entry_basename = 0x7fffffffdc90 "h\272\325\370\377\177"
rc = 0
i = 0
limit = -132113904
k = 32767
sanitized_partial = 0
j = 32767
buf = 0x0
pat = 0x0
mparm = 0x0
arg_min = 32767
arg_max = -120464768
sanitize_matched = 0
#2 0x00007ffff2b79225 in modsecurity_process_phase_logging
(msr=0x7ffff8d1da80) at modsecurity.c:695
time_before = 1392288967111028
time_after = 1392288967111070
#3 0x00007ffff2b794b5 in modsecurity_process_phase (msr=0x7ffff8d1da80,
phase=5) at modsecurity.c:801
No locals.
#4 0x00007ffff2b77190 in hook_log_transaction (r=0x7ffff8d1c1f8) at
mod_security2.c:1217
arr = 0x7ffff8d5e0a0
origr = 0x7ffff8d1c1f8
---Type <return> to continue, or q <return> to quit---
msr = 0x7ffff8d1da80
#5 0x00007ffff7fc8600 in ap_run_log_transaction (r=0x7ffff8d1c1f8) at
/usr/src/debug/httpd-2.2.15/server/protocol.c:1705
pHook = <value optimized out>
n = <value optimized out>
rv = <value optimized out>
#6 0x00007ffff7fe5a7f in ap_process_request (r=0x7ffff8d1c1f8) at
/usr/src/debug/httpd-2.2.15/modules/http/http_request.c:308
access_status = <value optimized out>
#7 0x00007ffff7fe29a8 in ap_process_http_connection (c=0x7ffff8cadcf8) at
/usr/src/debug/httpd-2.2.15/modules/http/http_core.c:190
r = 0x7ffff8d1c1f8
csd = 0x0
#8 0x00007ffff7fde6b8 in ap_run_process_connection (c=0x7ffff8cadcf8) at
/usr/src/debug/httpd-2.2.15/server/connection.c:43
pHook = <value optimized out>
n = <value optimized out>
rv = <value optimized out>
#9 0x00007ffff7fea977 in child_main (child_num_arg=<value optimized out>)
at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:667
current_conn = <value optimized out>
csd = 0x7ffff8cadb08
ptrans = 0x7ffff8cada88
allocator = 0x7ffff8cab980
status = <value optimized out>
i = <value optimized out>
lr = <value optimized out>
pollset = 0x7ffff8cabc20
sbh = 0x7ffff8cabc18
bucket_alloc = 0x7ffff8d14148
last_poll_idx = 1
#10 0x00007ffff7feac46 in make_child (s=0x7ffff8212880, slot=0) at
/usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:707
pid = <value optimized out>
#11 0x00007ffff7feb293 in ap_mpm_run (_pconf=<value optimized out>,
plog=<value optimized out>, s=<value optimized out>) at
/usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:983
index = <value optimized out>
remaining_children_to_start = <value optimized out>
rv = <value optimized out>
#12 0x00007ffff7fc2900 in main (argc=4, argv=0x7fffffffe338) at
/usr/src/debug/httpd-2.2.15/server/main.c:760
c = 102 'f'
configtestonly = <value optimized out>
confname = 0x7fffffffe5c2 "/etc/httpd/conf/httpd.conf"
def_server_root = 0x7ffff7fed1f3 "/etc/httpd"
temp_error_log = 0x0
error = <value optimized out>
process = 0x7ffff8212880
server_conf = 0x7ffff8212880
pglobal = 0x7ffff8209148
pconf = 0x7ffff820b158
plog = 0x7ffff823d2e8
ptemp = 0x7ffff820f178
pcommands = 0x7ffff820d168
opt = 0x7ffff820d260
rv = <value optimized out>
mod = <value optimized out>
---Type <return> to continue, or q <return> to quit---
optarg = 0x7fffffffe5c2 "/etc/httpd/conf/httpd.conf"
signal_server = <value optimized out>
On 13 February 2014 03:25, Felipe Costa <FC...@tr...> wrote:
> Hi Bruno,
>
> Thank you for the report.
>
> Do you mind generating more information using GDB?
>
> I've just created a guide on how to use GDB to help in the bug reporting
> process; it is available on our wiki:
> https://github.com/SpiderLabs/ModSecurity/wiki/Debugging-ModSecurity
>
> Thanks,
> *Felipe "Zimmerle" Costa*
> Security Researcher, SpiderLabs
>
> *Trustwave* | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> On Feb 12, 2014, at 9:23 AM, Bruno Savioli de Almeida <br...@sa...>
> wrote:
>
> Hi,
>
> I'm testing the JSON patches from the json_top_of_2_7_7 branch and I'm
> getting what appears to be random segfaults. I say random because I haven't
> managed to identify any patterns in the type of requests that segfault.
>
> Test environment:
> CentOS 6.5 x86_64
> httpd-2.2.15-29.el6.centos.x86_64
> mod_security compiled with yajl-2.0.5
>
>
> I'm running mod_security in DETECTION_ONLY mode, with the OWASP CRS and
> JSON requestBodyProcessor enabled.
>
> When the request segfaults, the audit log only records parts A and B:
>
> To avoid making this email too long, logs are here:
> http://pastebin.com/MnehgvJw
>
> Let me know if I can help with any more information.
>
>
> Thanks,
>
>
> --
> - Bruno
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
--
- Bruno