Re: [Mod-security-developers] segfaults on JSON request body processor
From: Bruno S. de A. <br...@sa...> - 2014-04-29 11:41:00
Hi Felipe,

Apologies for the delay, I was away for a while.

I'm currently testing 2.8.0 and most of the JSON stuff seems to be working ok. Found one minor issue with sanitiseArgs that I'll post in a new email.

Thanks for your help.

Bruno

On 20 March 2014 18:25, Felipe Costa <FC...@tr...> wrote:
> Hi Bruno,
>
> Thanks for the detailed debugging information. I have just made some
> modifications to the code in order to fix the problem. The branch
> json_top_of_2_7_7 no longer exists; I would like to ask you to test the
> branch json instead:
>
> https://github.com/SpiderLabs/ModSecurity/tree/json
>
> This new branch not only contains this specific bugfix but is also
> up-to-date with our master branch.
>
> Thanks,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> On Feb 13, 2014, at 8:07 AM, Bruno Savioli <br...@sa...> wrote:
>
> Hi Felipe,
>
> Thanks for the instructions.
>
> Here's the output of 'bt full', hope it helps.
>
> Program received signal SIGSEGV, Segmentation fault.
> __strcmp_sse2 () at ../sysdeps/x86_64/strcmp.S:213
> 213     movlpd (%rdi), %xmm1
> Missing separate debuginfos, use: debuginfo-install
> cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64 db4-4.7.25-18.el6_4.x86_64
> expat-2.0.1-11.el6_2.x86_64 keyutils-libs-1.4-4.el6.x86_64
> krb5-libs-1.10.3-10.el6_4.6.x86_64 libcom_err-1.41.12-18.el6.x86_64
> libselinux-2.0.94-5.3.el6_4.1.x86_64 libuuid-2.17.2-12.14.el6.x86_64
> libxml2-2.7.6-14.el6.x86_64 lua-5.1.4-4.1.el6.x86_64
> nspr-4.10.2-1.el6_5.x86_64 nss-3.15.3-3.el6_5.x86_64
> nss-softokn-freebl-3.14.3-9.el6.x86_64 nss-util-3.15.3-1.el6_5.x86_64
> openldap-2.4.23-32.el6_4.1.x86_64 openssl-1.0.1e-16.el6_5.4.x86_64
> pcre-7.8-6.el6.x86_64 zlib-1.2.3-29.el6.x86_64
> (gdb)
> (gdb) bt full
> #0  __strcmp_sse2 () at ../sysdeps/x86_64/strcmp.S:213
> No locals.
> #1  0x00007ffff2b81f7c in sec_audit_logger (msr=0x7ffff8d1da80) at msc_logging.c:699
>         arg = 0x7ffff8d47fa8
>         sorted_args = 0x7ffff8d5ba68
>         nextarg = 0x0
>         tarr = 0x7ffff8d39640
>         telts = 0x7ffff8d39768
>         offset = 0
>         last_offset = 0
>         sanitize = 0
>         my_error_msg = 0x0
>         arr = 0x7ffff8d48250
>         te = 0x7ffff8d48378
>         tarr_pattern = 0x7ffff8d33b68
>         telts_pattern = 0x7ffff8d33c90
>         str1 = 0x0
>         str2 = 0x0
>         text = 0x7ffff8d5ba50 "Content-Length: 133\n"
>         rule = 0x0
>         next_rule = 0x0
>         nbytes = 0
>         nbytes_written = 140737368015808
>         md5hash = "\000\000\000\000\000\000\000\000\330\301\323\370\377\177\000"
>         was_limited = 0
>         present = 0
>         wrote_response_body = 0
>         entry_filename = 0xf8d3ba88 <Address 0xf8d3ba88 out of bounds>
>         entry_basename = 0x7fffffffdc90 "h\272\325\370\377\177"
>         rc = 0
>         i = 0
>         limit = -132113904
>         k = 32767
>         sanitized_partial = 0
>         j = 32767
>         buf = 0x0
>         pat = 0x0
>         mparm = 0x0
>         arg_min = 32767
>         arg_max = -120464768
>         sanitize_matched = 0
> #2  0x00007ffff2b79225 in modsecurity_process_phase_logging (msr=0x7ffff8d1da80) at modsecurity.c:695
>         time_before = 1392288967111028
>         time_after = 1392288967111070
> #3  0x00007ffff2b794b5 in modsecurity_process_phase (msr=0x7ffff8d1da80, phase=5) at modsecurity.c:801
> No locals.
> #4  0x00007ffff2b77190 in hook_log_transaction (r=0x7ffff8d1c1f8) at mod_security2.c:1217
>         arr = 0x7ffff8d5e0a0
>         origr = 0x7ffff8d1c1f8
>         msr = 0x7ffff8d1da80
> #5  0x00007ffff7fc8600 in ap_run_log_transaction (r=0x7ffff8d1c1f8) at /usr/src/debug/httpd-2.2.15/server/protocol.c:1705
>         pHook = <value optimized out>
>         n = <value optimized out>
>         rv = <value optimized out>
> #6  0x00007ffff7fe5a7f in ap_process_request (r=0x7ffff8d1c1f8) at /usr/src/debug/httpd-2.2.15/modules/http/http_request.c:308
>         access_status = <value optimized out>
> #7  0x00007ffff7fe29a8 in ap_process_http_connection (c=0x7ffff8cadcf8) at /usr/src/debug/httpd-2.2.15/modules/http/http_core.c:190
>         r = 0x7ffff8d1c1f8
>         csd = 0x0
> #8  0x00007ffff7fde6b8 in ap_run_process_connection (c=0x7ffff8cadcf8) at /usr/src/debug/httpd-2.2.15/server/connection.c:43
>         pHook = <value optimized out>
>         n = <value optimized out>
>         rv = <value optimized out>
> #9  0x00007ffff7fea977 in child_main (child_num_arg=<value optimized out>) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:667
>         current_conn = <value optimized out>
>         csd = 0x7ffff8cadb08
>         ptrans = 0x7ffff8cada88
>         allocator = 0x7ffff8cab980
>         status = <value optimized out>
>         i = <value optimized out>
>         lr = <value optimized out>
>         pollset = 0x7ffff8cabc20
>         sbh = 0x7ffff8cabc18
>         bucket_alloc = 0x7ffff8d14148
>         last_poll_idx = 1
> #10 0x00007ffff7feac46 in make_child (s=0x7ffff8212880, slot=0) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:707
>         pid = <value optimized out>
> #11 0x00007ffff7feb293 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:983
>         index = <value optimized out>
>         remaining_children_to_start = <value optimized out>
>         rv = <value optimized out>
> #12 0x00007ffff7fc2900 in main (argc=4, argv=0x7fffffffe338) at /usr/src/debug/httpd-2.2.15/server/main.c:760
>         c = 102 'f'
>         configtestonly = <value optimized out>
>         confname = 0x7fffffffe5c2 "/etc/httpd/conf/httpd.conf"
>         def_server_root = 0x7ffff7fed1f3 "/etc/httpd"
>         temp_error_log = 0x0
>         error = <value optimized out>
>         process = 0x7ffff8212880
>         server_conf = 0x7ffff8212880
>         pglobal = 0x7ffff8209148
>         pconf = 0x7ffff820b158
>         plog = 0x7ffff823d2e8
>         ptemp = 0x7ffff820f178
>         pcommands = 0x7ffff820d168
>         opt = 0x7ffff820d260
>         rv = <value optimized out>
>         mod = <value optimized out>
>         optarg = 0x7fffffffe5c2 "/etc/httpd/conf/httpd.conf"
>         signal_server = <value optimized out>
>
> On 13 February 2014 03:25, Felipe Costa <FC...@tr...> wrote:
>> Hi Bruno,
>>
>> Thank you for the report.
>>
>> Do you mind generating more information using GDB?
>>
>> I've just created a guide on how to use GDB to help in the bug reporting
>> process; it is available under our wiki:
>> https://github.com/SpiderLabs/ModSecurity/wiki/Debugging-ModSecurity
>>
>> Thanks,
>> Felipe "Zimmerle" Costa
>> Security Researcher, SpiderLabs
>> Trustwave | SMART SECURITY ON DEMAND
>> www.trustwave.com
>>
>> On Feb 12, 2014, at 9:23 AM, Bruno Savioli de Almeida <br...@sa...> wrote:
>>
>> Hi,
>>
>> I'm testing the JSON patches from the json_top_of_2_7_7 branch and I'm
>> getting what appears to be random segfaults. I say random because I haven't
>> managed to identify any patterns in the type of requests that segfault.
>>
>> Test environment:
>> Centos 6.5 x86_64
>> httpd-2.2.15-29.el6.centos.x86_64
>> mod_security compiled with yajl-2.0.5
>>
>> I'm running mod_security in DETECTION_ONLY mode, with the owasp crs and
>> JSON requestBodyProcessor enabled.
>>
>> When the request segfaults, the audit log only records parts A and B.
>>
>> To avoid making this email too long, logs are here:
>> http://pastebin.com/MnehgvJw
>>
>> Let me know if I can help with any more information.
>>
>> Thanks,
>>
>> --
>> - Bruno
>
> --
> - Bruno

--
- Bruno
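The frame #1 locals in the trace above show strcmp being entered from sec_audit_logger with str1 and str2 both NULL while the argument list is being sorted. The thread does not say what the eventual fix in msc_logging.c was; the following is an added illustration, not ModSecurity's code, of the defensive pattern for the general case of sorting argument names that may be NULL before writing them to an audit log. The arg_t struct, the function names and the sample data are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical argument record (an assumption, not ModSecurity's structure).
 * A NULL name models a body element that was parsed but never got a name. */
typedef struct {
    const char *name;
    const char *value;
} arg_t;

/* Crash-prone comparator: strcmp dereferences both pointers unconditionally,
 * so a single NULL name faults inside libc, as in frames #0/#1 of the trace. */
int arg_cmp_unsafe(const void *a, const void *b) {
    return strcmp(((const arg_t *)a)->name, ((const arg_t *)b)->name);
}

/* NULL-tolerant comparator: NULL names sort last and compare equal to each
 * other, so qsort never hands a NULL pointer to strcmp. */
int arg_cmp_safe(const void *a, const void *b) {
    const char *n1 = ((const arg_t *)a)->name;
    const char *n2 = ((const arg_t *)b)->name;
    if (n1 == NULL && n2 == NULL) return 0;
    if (n1 == NULL) return 1;
    if (n2 == NULL) return -1;
    return strcmp(n1, n2);
}

/* Sort args by name and return how many have a usable (non-NULL) name;
 * the logger then writes only the first `usable` entries. */
size_t sort_args_for_audit(arg_t *args, size_t n) {
    size_t usable = 0;
    qsort(args, n, sizeof(arg_t), arg_cmp_safe);
    for (size_t i = 0; i < n; i++)
        if (args[i].name != NULL) usable++;
    return usable;
}

/* Constructed sample with one nameless element; returns 1 if the sort
 * produced action, user, NULL and reported two usable names. */
int check_sorted_sample(void) {
    arg_t args[] = { {"user", "bob"}, {NULL, "orphan"}, {"action", "login"} };
    size_t usable = sort_args_for_audit(args, 3);
    return usable == 2 && strcmp(args[0].name, "action") == 0 &&
           strcmp(args[1].name, "user") == 0 && args[2].name == NULL;
}

int main(void) {
    printf("sample sorted correctly: %d\n", check_sorted_sample());
    return 0;
}
```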