httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Fritsch" ...@sfritsch.de>
Subject Re: Segfault with fix for CVE-2009-1891
Date Wed, 29 Jul 2009 11:52:28 GMT
Ruediger Pluem wrote:
>> far as I understand it, the reason is that mod_php uses ap_rwrite
>> which creates transient buckets. When the connection is closed by the
>> client, these buckets sometimes stay in the bucket brigade when
>> ap_pass_brigade returns an error for the compressed data of an
>> earlier bucket. If deflate_out_filter gets called again with the same
>> brigade, the memory of the transient buckets is no longer valid,
>> causing a segfault.
>
> IMHO the mod_deflate filter shouldn't be called with the same brigade
> again or at least the brigade should have been set aside in this case.
> So that should never happen.

I was not really able to figure out, how or why this happens. What I
actually see is that the brigade in mod_deflate contains one heap bucket
and one transient bucket where the latter points to invalid memory.
Therefore I assumed the bucket was around from the last call to
buffer_output. But php does strange things (which I don't understand)
involving longjmp to handle errors, maybe that's got something to do with
it.

> I don't know. Maybe at setaside is now done somewhere were it didn't
> happen before. I guess the best approach is to add the above patch to
> your backport and dig further.
>
> Nevertheless a backtrace of the segfault would help in any case to
> understand
> better what is going on and why it might not happen on more recent
> versions.

A backtrace is available in the bug report, but it does not reveal much:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537665#30



Mime
View raw message