Hi,
One of my hosted managed to crash Apache children with a script running through suPHP. Note that the script is not meant to be executed as CGI; it is a regular script inside an abandoned directory index which is run by mistake by web crawlers because the httpd runs .sh scripts as CGI by default.
This is fully reproducible and I can give the script which makes it
crash to anyone wanting to look deeper into this issue. There is nothing
important in this script, but I am not sure if disclosing the script here
now is a very good idea.
The latest apache2 error log line is:
[Sun Aug 19 15:05:18 2012] [error] [client 127.0.0.1] malformed header from
script. Bad header=#: hidden-script-name.sh
Which makes sense, because this is not a CGI script. Note the script is
still running perfectly after the Apache child crashed.
It looks like suPHP is trying to free() an uninitialised pointer; here
is the trace dump:
(gdb) run -f /usr/local/apache2/conf/httpd.conf -X
Starting program: /usr/local/apache2/bin/httpd -f
/usr/local/apache2/conf/httpd.conf -X
[Thread debugging using libthread_db enabled]
httpd: apr_sockaddr_info_get() failed for ornithopter
httpd: Could not reliably determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName
Program received signal SIGSEGV, Segmentation fault.
0xf7f95ad5 in apr_bucket_free () from /usr/lib/libaprutil-1.so.0
(gdb) bt full
#0 0xf7f95ad5 in apr_bucket_free () from /usr/lib/libaprutil-1.so.0
No symbol table info available.
#1 0xf7fdba6d in suphp_read_fd (b=0xffeaddb8, str=0xffffb15c, len=0xffffb158,
block=APR_BLOCK_READ) at mod_suphp.c:458
No locals.
#2 suphp_bucket_read (b=0xffeaddb8, str=0xffffb15c, len=0xffffb158,
block=APR_BLOCK_READ) at mod_suphp.c:493
results = 0x81a66e0
num = 1
data = 0x81a6678
timeout = 300000000
rv = 14
gotdata = 0
#3 0xf7fda5ab in suphp_discard_output (bb=<value optimized out>) at
mod_suphp.c:533
b = 0xffeaddb8
buf = 0x0
len = 0
rv = <value optimized out>
#4 0xf7fdb6a4 in suphp_script_handler (r=<value optimized out>) at
mod_suphp.c:1049
ret = <value optimized out>
location = <value optimized out>
p = 0x819db80
sconf = 0x81a6608
dconf = 0x81a65e8
finfo = {pool = 0x819db80, valid = 7598960, protection = 1365, filetype
= APR_REG, user = 15718, group = 18078, inode = 11499806, device = 64768, nlink
= 1, size = 56888, csize = 57344, atime = 1345387388760185, mtime =
1190240767000000, ctime = 1345388715883782,
fname = 0x819f940 "/hidden/script/name", name = 0x8146b7b
"lication/x-httpd-bash", filehand = 0x1}
procattr = 0x81a6320
argv = 0xffffd244
env = 0x81a6608
rv = 500
strbuf = "#\000atus\000 500\000\000
text/html\000\067+squeeze14\000ÂÏ\n\bxk\024\b<÷\f\b\000\000\000\000\001\200û\033³ÿÿ\033³ÿÿ\033³ÿÿ\033³ÿÿ2³ÿÿÿÿÿÿ\033³ÿÿÿÿÿÿ",
'\000' <repeats 48 times>,
"\206§½÷\020Øø÷\000\000\000\000ÿÿÿÿôÏÿ÷ÿÿÿÿ\001\000\000\000Ȳÿÿféþ÷pÉ\024\bØË\024\b\001\000\000\000лÿÿ\000\002\000\000\035\000\000\000\000\000\000\000\035\000\000\000\220°ÿÿ\000\000\000\000\000\004\000\000\000\000\000\000p°ÿÿлÿÿû\002Î\003\003\000\000\000ôO"...
tmpbuf = <value optimized out>
auth_user = <value optimized out>
auth_pass = <value optimized out>
ud_user = 0x0
ud_group = 0x0
bb = 0x81a6608
b = <value optimized out>
#5 0xf7fdbe00 in suphp_handler (r=0x819dbc0) at mod_suphp.c:569
dconf = 0x819f488
#6 0x0807ff6b in ap_run_handler ()
No symbol table info available.
#7 0x08080696 in ap_invoke_handler ()
No symbol table info available.
#8 0x0809e032 in ap_process_request ()
No symbol table info available.
#9 0x0809b0ad in ap_process_http_connection ()
No symbol table info available.
#10 0x08088037 in ap_run_process_connection ()
No symbol table info available.
#11 0x0808844b in ap_process_connection ()
No symbol table info available.
#12 0x080b62af in child_main ()
No symbol table info available.
#13 0x080b639d in make_child ()
No symbol table info available.
#14 0x080b6938 in ap_mpm_run ()
No symbol table info available.
#15 0x08069f40 in main ()
No symbol table info available.
(gdb)
Best regards,
Sylvain
_______________________________________________ suPHP mailing list [email protected] https://lists.marsching.com/mailman/listinfo/suphp
