Re: Segfault with fix for CVE-2009-1891

Tue, 28 Jul 2009 14:24:34 -0700 


On 07/28/2009 07:35 PM, Stefan Fritsch wrote:
> Hi,
> 
> I have backported r791454 to 2.2.3 in Debian 4.0 and have received a
> report [1] about segfaults with mod_deflate and mod_php (5.2.0). As
> far as I understand it, the reason is that mod_php uses ap_rwrite
> which creates transient buckets. When the connection is closed by the
> client, these buckets sometimes stay in the bucket brigade when
> ap_pass_brigade returns an error for the compressed data of an
> earlier bucket. If deflate_out_filter gets called again with the same
> brigade, the memory of the transient buckets is no longer valid,
> causing a segfault.

IMHO the mod_deflate filter shouldn't be called with the same brigade
again or at least the brigade should have been set aside in this case.
So that should never happen.

> 
> This patch seems to fix the issue:
> 
> --- apache2-2.2.3~/modules/filters/mod_deflate.c
> +++ apache2-2.2.3/modules/filters/mod_deflate.c
> @@ -512,6 +512,7 @@
>              APR_BRIGADE_INSERT_TAIL(ctx->bb, bkt);
>              rv = ap_pass_brigade(f->next, ctx->bb);
>              if (rv != APR_SUCCESS) {
> +                apr_brigade_cleanup(bb);
>                  return rv;
>              }
>              continue;
> @@ -543,6 +544,7 @@
>                  /* Send what we have right now to the next filter. */
>                  rv = ap_pass_brigade(f->next, ctx->bb);
>                  if (rv != APR_SUCCESS) {
> +                    apr_brigade_cleanup(bb);
>                      return rv;
>                  }
>              }
> 
> 
> I could not reproduce the segfault with Debian 5.0, containing Apache
> 2.2.9 and php 5.2.8. The same for Debian unstable with 2.2.12 and php
> 5.2.10. Therefore, I also tried to take the whole mod_deflate.c from
> 2.2.9 into 2.2.3, but it did not fix the segfaults [2].
> 
> Is there some change from 2.2.3 to 2.2.9 (which cannot be in
> mod_deflate.c) that fixes the issue? Or is it just coincidence that
> 2.2.9 and 2.2.12 do not segfault and should the above patch be
> included in the next 2.2.x?

I don't know. Maybe at setaside is now done somewhere were it didn't
happen before. I guess the best approach is to add the above patch to
your backport and dig further.

Nevertheless a backtrace of the segfault would help in any case to understand
better what is going on and why it might not happen on more recent versions.

Regards

RĂ¼diger

Reply via email to