Re: httpd crashes when fetching a hidden file located on a CD

Mon, 07 Dec 2015 16:37:58 -0800 

On 2015/12/07 15:44, Theo de Raadt wrote:
> This bug report totally sucks.
> 
> Have you ever heard of ktrace, and if you have, why did you not try
> to reproduce it?
> 
> You want us to reproduce it?  Why?
> 
> > Hi,
> > I ran across an issue with httpd(8) on 5.8-RELEASE & -CURRENT (2/12/2015
> > snapshot) where fetching a .hidden file located on a CD through httpd
> > results in httpd crashing (no core file or error message logged).
> > 
> > To reproduce, mount CD in a location which is served by httpd. eg CentOS
> > minimal install iso[1] has a hidden file in the root called .treeinfo
> > 
> > Try to fetch http://myweb/.treeinfo
> > 
> > Of course this is not a common scenario found in production, I happened
> > to run into it whist taking a shortcut to save time & disk space by
> > mounting the CentOS iso on a virtualbox guest which was running OpenBSD.
> > 
> > 
> > Sevan
> > [1]
> > http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso
> > 
> 

It's not that bad a report, it has everything necessary to reproduce,
tested on release and -current so it's obviously not pledge related.

There's one thing to add though, it looks like it happens for any file on
cd9660, not just dotfiles.

Here's ktrace, not that it seems particularly useful.

$ sudo kdump
 26600          EMUL  "native"
 26600 httpd    RET   kevent 1
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd9460)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 
1970">.634312834 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kbind(0x7f7ffffd9208,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getdtablecount()
 26600 httpd    RET   getdtablecount 7
 26600 httpd    CALL  kbind(0x7f7ffffd9208,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getrlimit(RLIMIT_NOFILE,0x7f7ffffd9260)
 26600 httpd    STRU  struct rlimit { cur=6000, max=6000 }
 26600 httpd    RET   getrlimit 0
 26600 httpd    CALL  kbind(0x7f7ffffd9208,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  
accept4(3,0x7f7ffffd9330,0x7f7ffffd9444,0x4000<SOCK_NONBLOCK>)
 26600 httpd    STRU  struct sockaddr { AF_INET, 127.0.0.1:16821 }
 26600 httpd    RET   accept4 5
 26600 httpd    CALL  kbind(0x7f7ffffd9258,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getpid()
 26600 httpd    RET   getpid 26600/0x67e8
 26600 httpd    CALL  kbind(0x7f7ffffd9258,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getsockname(5,0xda798556020,0x7f7ffffd9444)
 26600 httpd    STRU  struct sockaddr { AF_INET, 127.0.0.1:8223 }
 26600 httpd    RET   getsockname 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd92f0)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 
1970">.634549181 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  
getsockopt(5,SOL_SOCKET,SO_SNDBUF,0xda7985562d8,0x7f7ffffd92fc)
 26600 httpd    RET   getsockopt 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91d8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91d8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91d8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9208,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91c8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9158,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kevent(9,0xda79855d000,3,0xda7a840b000,64,0x7f7ffffd9430)
 26600 httpd    STRU  struct timespec { 600 }
 26600 httpd    RET   kevent 2
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd9460)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 
1970">.634743483 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kbind(0x7f7ffffd9398,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  ioctl(5,FIONREAD,0x7f7ffffd942c)
 26600 httpd    RET   ioctl 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  
mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15015959617536/0xda82cf06000
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  read(5,0xda82cf06400,0x59)
 26600 httpd    GIO   fd 5 read 89 bytes
       "GET /z/.treeinfo HTTP/1.1\r
        Host: localhost:8223\r
        User-Agent: curl/7.45.0\r
        Accept: */*\r
        \r
       "
 26600 httpd    RET   read 89/0x59
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd93f0)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 
1970">.634802011 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9308,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9308,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9308,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  
mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15013927677952/0xda7b3d37000
 26600 httpd    CALL  kbind(0x7f7ffffd8d28,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8d68,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8928,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd87e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd87e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  access(0x7f7ffffd89f0,0x4<R_OK>)
 26600 httpd    NAMI  "/htdocs/z/.treeinfo"
 26600 httpd    RET   access 0
 26600 httpd    CALL  kbind(0x7f7ffffd87e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  stat(0x7f7ffffd89f0,0x7f7ffffd88c0)
 26600 httpd    NAMI  "/htdocs/z/.treeinfo"
 26600 httpd    STRU  struct stat { dev=3586, ino=61240, mode=-rw-r--r-- , 
nlink=1, uid=0<"root">, gid=0<"wheel">, rdev=0, atime=1427843425<"Apr  1 
00:10:25 2015">, mtime=1427495808<"Mar 27 22:36:48 2015">, 
ctime=1427843425<"Apr  1 00:10:25 2015">, size=1109, blocks=2, blksize=2048, 
flags=0x0, gen=0x0 }
 26600 httpd    RET   stat 0
 26600 httpd    CALL  kbind(0x7f7ffffd8798,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  open(0x7f7ffffd89f0,0<O_RDONLY>)
 26600 httpd    NAMI  "/htdocs/z/.treeinfo"
 26600 httpd    RET   open 6
 26600 httpd    CALL  kbind(0x7f7ffffd8798,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  gettimeofday(0x7f7ffffd8830,0)
 26600 httpd    STRU  struct timeval { 1449533415<"Dec  8 00:10:15 
2015">.091706 }
 26600 httpd    RET   gettimeofday 0
 26600 httpd    CALL  gettimeofday(0x7f7ffffd8610,0)
 26600 httpd    STRU  struct timeval { 1449533415<"Dec  8 00:10:15 
2015">.091712 }
 26600 httpd    RET   gettimeofday 0
 26600 httpd    CALL  kbind(0x7f7ffffd8578,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8558,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8578,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8548,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8578,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8578,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8498,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8428,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8628,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  
mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15015584440320/0xda81693a000
 26600 httpd    CALL  
mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15011937607680/0xda73d356000
 26600 httpd    CALL  kbind(0x7f7ffffd86a8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  
mmap(0,0x5000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15013230739456/0xda78a490000
 26600 httpd    CALL  
mmap(0,0xb000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15015425835008/0xda80d1f8000
 26600 httpd    CALL  issetugid()
 26600 httpd    RET   issetugid 0
 26600 httpd    CALL  open(0x7f7ffffd82a0,0<O_RDONLY>)
 26600 httpd    NAMI  "/usr/share/zoneinfo/GMT"
 26600 httpd    RET   open -1 errno 2 No such file or directory
 26600 httpd    CALL  issetugid()
 26600 httpd    RET   issetugid 0
 26600 httpd    CALL  open(0x7f7ffffd81f0,0<O_RDONLY>)
 26600 httpd    NAMI  "/usr/share/zoneinfo/posixrules"
 26600 httpd    RET   open -1 errno 2 No such file or directory
 26600 httpd    CALL  gettimeofday(0x7f7ffffd87b0,0)
 26600 httpd    STRU  struct timeval { 1449533415<"Dec  8 00:10:15 
2015">.091925 }
 26600 httpd    RET   gettimeofday 0
 26600 httpd    CALL  kbind(0x7f7ffffd86e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd86b8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8798,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd84c8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd82e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd93a8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9378,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  write(5,0xda79855b800,0xd3)
 26600 httpd    GIO   fd 5 wrote 211 bytes
       "HTTP/1.1 200 OK\r
        Connection: keep-alive\r
        Content-Length: 1109\r
        Content-Type: application/octet-stream\r
        Date: Tue, 08 Dec 2015 00:10:15 GMT\r
        Last-Modified: Fri, 27 Mar 2015 22:36:48 GMT\r
        Server: OpenBSD httpd\r
        \r
       "
 26600 httpd    RET   write 211/0xd3
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd9430)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 
1970">.635312700 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kevent(9,0xda79855d000,7,0xda7a840b000,64,0x7f7ffffd9430)
 26600 httpd    STRU  struct timespec { 600 }
 26600 httpd    RET   kevent 1
 26600 httpd    CALL  kbind(0x7f7ffffd9368,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  close(3)
 26600 httpd    RET   close 0
 26600 httpd    CALL  kbind(0x7f7ffffd9398,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9378,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9398,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  close(6)
 26600 httpd    RET   close 0
 26600 httpd    CALL  close(5)
 26600 httpd    RET   close 0
 26600 httpd    CALL  kbind(0x7f7ffffd9398,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd93c8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9448,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9418,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  nanosleep(0x7f7ffffd94e0,0)
 26600 httpd    STRU  struct timespec { 0.000200000 }
 26600 httpd    RET   nanosleep 0
 26600 httpd    CALL  kbind(0x7f7ffffd93f8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd93d8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  close(4)
 26600 httpd    RET   close 0
 26600 httpd    CALL  close(7)
 26600 httpd    RET   close 0
 26600 httpd    CALL  getpid()
 26600 httpd    RET   getpid 26600/0x67e8
 26600 httpd    CALL  write(2,0x7f7ffffd8f00,0x1a)
 26600 httpd    GIO   fd 2 wrote 26 bytes
       "server exiting, pid 26600
       "
 26600 httpd    RET   write 26/0x1a
 26600 httpd    CALL  kbind(0x7f7ffffd9448,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    PSIG  SIGTERM caught handler=0xda7c17a33e0 mask=0<>
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  sigreturn(0x7f7ffffd8fa0)
 26600 httpd    RET   sigreturn JUSTRETURN
 26600 httpd    CALL  exit(0)

Reply via email to