On Thu, Nov 11, 2021 at 04:13:37PM +0100, Florian Obser wrote:
>
> No idea how to reproduce this, I'm just running an httpd with debug
> symbols and kern.nosuidcoredump=3
> Pretty sure this is the crash various people mumbled about.
>
> Smells like a use-after-fruit to me.
In server_http.c:351 desc->http_query is set to point into the middle of
a string. In the cases of goto fail below that, it will not be
strdupped. A free of desc->http_query then later bombs.
-Otto
>
> Core was generated by `httpd'.
> Program terminated with signal SIGABRT, Aborted.
> #0 thrkill () at /tmp/-:3
> 3 /tmp/-: No such file or directory.
> (gdb) bt
> #0 thrkill () at /tmp/-:3
> #1 0x000009d1979a211e in _libc_abort () at
> /usr/src/lib/libc/stdlib/abort.c:51
> #2 0x000009d19798a726 in wrterror (d=0x9d230d35980,
> msg=0x9d19795b05d "modified chunk-pointer %p")
> at /usr/src/lib/libc/stdlib/malloc.c:307
> #3 0x000009d19798e0cc in find_chunknum (d=0x0, info=<optimized out>, ptr=0x0,
> check=-236688) at /usr/src/lib/libc/stdlib/malloc.c:1063
> #4 0x000009d19798ac89 in ofree (argpool=0x7f7ffffc66b0, p=0x9d1884d6a07,
> clear=0, check=<optimized out>, argsz=0)
> at /usr/src/lib/libc/stdlib/malloc.c:1409
> #5 0x000009d19798a96b in free (ptr=0x9d1884d6a07)
> at /usr/src/lib/libc/stdlib/malloc.c:1470
> #6 0x000009cf5d137288 in server_httpdesc_free (desc=0x9d1ff641600)
> at /usr/src/usr.sbin/httpd/server_http.c:113
> #7 0x000009cf5d13c1a1 in server_close_http (clt=0x9d1ff645000)
> at /usr/src/usr.sbin/httpd/server_http.c:1088
> #8 0x000009cf5d133afc in server_close (clt=0x9d1ff645000,
> msg=0x9d1ff633380 "malformed (400 Bad Request)")
> at /usr/src/usr.sbin/httpd/server.c:1306
> #9 0x000009cf5d13890d in server_abort_http (clt=0x9d1ff645000, code=400,
> msg=0x9cf5d113dea "malformed")
> at /usr/src/usr.sbin/httpd/server_http.c:1077
> #10 0x000009cf5d137c13 in server_read_http (bev=0x9d1ff61b800,
> arg=0x9d1ff645000) at /usr/src/usr.sbin/httpd/server_http.c:366
> --Type <RET> for more, q to quit, c to continue without paging--
> #11 0x000009d1f3766f29 in bufferevent_readcb (fd=<optimized out>,
> event=<optimized out>, arg=0x9d1ff61b800)
> at /usr/src/lib/libevent/evbuffer.c:140
> #12 0x000009d1f3765b9f in event_process_active (base=0x9d1884c5c00)
> at /usr/src/lib/libevent/event.c:333
> #13 event_base_loop (base=0x9d1884c5c00, flags=0)
> at /usr/src/lib/libevent/event.c:483
> #14 0x000009cf5d131a11 in proc_run (ps=0x9d1884cc800, p=0x9cf5d148a70 <procs>,
> procs=0x9cf5d148b90 <procs>, nproc=2, run=0x9cf5d132100 <server_init>,
> arg=0x0) at /usr/src/usr.sbin/httpd/proc.c:604
> #15 0x000009cf5d1320d2 in server (ps=0x9d1884cc800, p=0x9cf5d148a70 <procs>)
> at /usr/src/usr.sbin/httpd/server.c:87
> #16 0x000009cf5d1303c5 in proc_init (ps=0x9d1884cc800,
> procs=0x9cf5d148a70 <procs>, nproc=2, debug=0, argc=5,
> argv=0x7f7ffffd6de8, proc_id=PROC_SERVER)
> at /usr/src/usr.sbin/httpd/proc.c:260
> #17 0x000009cf5d1276f1 in main (argc=0, argv=0x7f7ffffd6de8)
> at /usr/src/usr.sbin/httpd/httpd.c:220
>
> --
> I'm not entirely sure you are real.
>
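The ownership mix-up Otto describes, modelled as an added example (this is not OpenBSD httpd's code; `httpdesc`, `parse_buggy`, `parse_fixed`, `points_into` and `demo_early_fail` are hypothetical names): the buggy ordering stores an interior pointer into the request line before any strdup(), so an early "goto fail" hands free() a pointer that is not a chunk start, while the fixed ordering keeps http_query NULL until a heap copy exists.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, cut-down model of the bug Otto describes, not OpenBSD
 * httpd's code: teardown may only free() NULL or a pointer malloc() gave. */
struct httpdesc { char *http_query; };
/* 1 if ptr points into [buf, buf+len): free() on it is the "modified chunk-pointer" abort. */
int points_into(const char *ptr, const char *buf, size_t len)
{
	return ptr != NULL && ptr >= buf && ptr < buf + len;
}

/* Buggy order: the interior pointer is stored first and strdup()'d later,
 * so a "goto fail" in between leaves a pointer free() cannot accept. */
int parse_buggy(struct httpdesc *d, char *line, int fail_early)
{
	char *q = strchr(line, '?');
	d->http_query = NULL;
	if (q != NULL) {
		*q++ = '\0';
		d->http_query = q;	/* points into line, not owned */
	}
	if (fail_early)
		return -1;		/* teardown's free(http_query) bombs */
	return (q != NULL && (d->http_query = strdup(q)) == NULL) ? -1 : 0;
}

/* Fixed order: http_query only ever holds NULL or a heap copy, so the
 * teardown path is safe wherever parsing bails out. */
int parse_fixed(struct httpdesc *d, char *line, int fail_early)
{
	char *q = strchr(line, '?');
	d->http_query = NULL;
	if (q != NULL)
		*q++ = '\0';
	if (fail_early)
		return -1;		/* http_query is NULL: free() is a no-op */
	return (q != NULL && (d->http_query = strdup(q)) == NULL) ? -1 : 0;
}

/* Runs both variants through the early-fail path on a constructed request
 * line; returns 1 when only the buggy one leaves an interior pointer. */
int demo_early_fail(void)
{
	char a[] = "/index.html?a=1", b[] = "/index.html?a=1";
	struct httpdesc da, db;
	(void)parse_buggy(&da, a, 1);
	(void)parse_fixed(&db, b, 1);
	return points_into(da.http_query, a, sizeof(a)) && db.http_query == NULL;
}
```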