Re: [Mod-security-developers] 2.9.0-RC1 test results
From: Felipe C. <FC...@tr...> - 2014-12-04 18:16:31
Hi Walter,

Thank you again for letting us know. As this specific part of the code had not been updated for a while, that was my suspicion. By looking at the GDB output that you provided, I identified the reason for the segfault. 2.9.0[-RC2|] will not segfault because of that.

Anyhow, we still have a problem, as we have to understand what circumstances are leading us to that NULL pointer. I was not able to reproduce the problem, so I am sending to your email a GDB script that will avoid the crash in your server and take a snapshot of important pieces of the memory that may be useful to understand what is going on. This snapshot may contain sensitive information from your server; double-check before sending it back. It will be very helpful if you can test that on your server.

Br.,

Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

________________________________
From: Walter Hop [mo...@sp...]
Sent: Thursday, December 04, 2014 3:01 PM
To: mod...@li...
Subject: Re: [Mod-security-developers] 2.9.0-RC1 test results

An update about this crash. Last week, I got very similar repeated segfaults on three boxes running ModSecurity 2.7.7! Of course I don’t have debug builds running everywhere, but it seemed to be in the same function.

Interestingly, more out of luck than anything else, two of these boxes were slated for upgrading to FreeBSD 10.1, and I noticed the segfaults completely went away on them for a week (knock on wood) while I was having them almost daily. So I am now thinking this is *not* a regression in 2.9.0. My working theory now is, either the interaction of some library update (pcre? libxml2?) with the FreeBSD 10.0 (clang?) runtime leads to memory corruption.

2) High prio: Undiagnosed persistent crash.
https://gist.github.com/lifeforms/4356643edfe8f39c2991

Got the same crash on a second test box today. I have updated the gist with information from a debug build:
https://gist.github.com/lifeforms/4356643edfe8f39c2991

This crash appears to be serious. I don’t think I’ve ever seen ModSecurity segfault while parsing a request before. Since it starts happening at a random moment of the day, I’m a bit concerned this might be a remote DoS vuln, so I’m reverting to 2.7.7 on the public boxes. I have kept some core files, but it’s been a long time since I worked with gdb, so let me know if I should extract more info out of them. Is there a way to enable asserts in the code so we can find out why/when node is unset?

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
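The GDB script Felipe mentions was sent off-list and is not in this archive. The command file below is an added example of the same idea, written for this thread rather than taken from ModSecurity or from Felipe: it stops only when the suspect pointer is already NULL, records the frames and raw memory needed to see who failed to set it, then pops the frame so the worker survives instead of segfaulting. PARSE_FUNCTION, FILE:LINE and the variable name node are placeholders; take the real frame and variable from your own backtrace (the one in the gist), and note that `return` needs the debug build so GDB knows the function's return type.

```gdb
# Added example, not the script from the thread. Run against a debug build,
# e.g. `gdb -x this-file -p <httpd worker PID>` or `gdb -x this-file --args httpd -X`.
# Placeholders: PARSE_FUNCTION / FILE:LINE (the faulting frame) and node
# (the pointer that arrives unset). Everything logged can contain request
# data, so review /tmp/modsec-null-node.log before sharing it.
set pagination off
set confirm off
set logging file /tmp/modsec-null-node.log
set logging on

# Conditional breakpoint: normal requests pass through without stopping;
# GDB only takes control when node is already NULL on entry. If node is a
# local assigned later in the body, anchor on the line instead:
#   break FILE:LINE if node == 0
break PARSE_FUNCTION if node == 0
commands
  silent
  echo \n=== NULL node observed in PARSE_FUNCTION ===\n
  # Full backtrace with locals of every frame: the caller that should have
  # populated node is usually one or two frames up.
  bt full
  info args
  info locals
  up
  info locals
  down
  # Raw stack bytes around the frame and a binary dump for offline analysis,
  # in case the pointer was clobbered rather than never assigned (Walter's
  # memory-corruption theory).
  x/64xg $sp
  dump binary memory /tmp/modsec-null-node-stack.bin $sp $sp+4096
  # Avoid the crash: pop the frame before the dereference and hand the
  # caller a placeholder result. Use the function's real failure value so
  # the caller takes its normal error path.
  return 0
  continue
end

# Safety net: if a NULL dereference still happens somewhere else, keep the
# signal from reaching the worker and capture the same evidence before it
# dies. The process stays stopped here; `continue` would re-fault.
handle SIGSEGV stop print nopass
catch signal SIGSEGV
commands
  echo \n=== SIGSEGV outside the instrumented frame ===\n
  bt full
  info registers
  x/16i $pc
  x/64xg $sp
end

continue
```

On a production host run this against one worker only (`-p` on a single PID) and keep `MaxRequestWorkers` or the prefork pool unchanged, so a stopped worker under the safety-net catchpoint costs one slot rather than the whole server; the conditional breakpoint itself adds a short-circuited compare per call and is cheap enough to leave in place for the days Walter describes between occurrences.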