From: Ruediger Pluem
To: dev@httpd.apache.org
Subject: Re: Segfault with fix for CVE-2009-1891
Date: Tue, 28 Jul 2009 23:24:03 +0200
Message-ID: <4A6F6C73.2040407@apache.org>
In-Reply-To: <46300.194.224.98.149.1248802525.squirrel@www.sfritsch.de>

On 07/28/2009 07:35 PM, Stefan Fritsch wrote:
> Hi,
>
> I have backported r791454 to 2.2.3 in Debian 4.0 and have received a
> report [1] about segfaults with mod_deflate and mod_php (5.2.0). As
> far as I understand it, the reason is that mod_php uses ap_rwrite
> which creates transient buckets. When the connection is closed by the
> client, these buckets sometimes stay in the bucket brigade when
> ap_pass_brigade returns an error for the compressed data of an
> earlier bucket. If deflate_out_filter gets called again with the same
> brigade, the memory of the transient buckets is no longer valid,
> causing a segfault.

IMHO the mod_deflate filter shouldn't be called with the same brigade
again, or at least the brigade should have been set aside in this case.
So that should never happen.

>
> This patch seems to fix the issue:
>
> --- apache2-2.2.3~/modules/filters/mod_deflate.c
> +++ apache2-2.2.3/modules/filters/mod_deflate.c
> @@ -512,6 +512,7 @@
> APR_BRIGADE_INSERT_TAIL(ctx->bb, bkt);
> rv = ap_pass_brigade(f->next, ctx->bb);
> if (rv != APR_SUCCESS) {
> + apr_brigade_cleanup(bb);
> return rv;
> }
> continue;
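Review bot: the added `apr_brigade_cleanup(bb);` before `return rv;` in the first hunk carries no comment saying why the input brigade `bb` is emptied when passing `ctx->bb` fails, and on its own it reads like a stray call; add a one-line comment such as `/* caller may free the memory behind transient buckets; drop them now */` so the line survives later cleanups. Also confirm that every other early `return rv;` following an `ap_pass_brigade(f->next, ctx->bb)` in deflate_out_filter gets the same treatment, since this hunk covers only one of them.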
> @@ -543,6 +544,7 @@
> /* Send what we have right now to the next filter. */
> rv = ap_pass_brigade(f->next, ctx->bb);
> if (rv != APR_SUCCESS) {
> + apr_brigade_cleanup(bb);
> return rv;
> }
> }
>
>
> I could not reproduce the segfault with Debian 5.0, containing Apache
> 2.2.9 and php 5.2.8. The same for Debian unstable with 2.2.12 and php
> 5.2.10. Therefore, I also tried to take the whole mod_deflate.c from
> 2.2.9 into 2.2.3, but it did not fix the segfaults [2].
>
> Is there some change from 2.2.3 to 2.2.9 (which cannot be in
> mod_deflate.c) that fixes the issue? Or is it just coincidence that
> 2.2.9 and 2.2.12 do not segfault and should the above patch be
> included in the next 2.2.x?

I don't know. Maybe a setaside is now done somewhere where it didn't
happen before. I guess the best approach is to add the above patch to
your backport and dig further. Nevertheless, a backtrace of the segfault
would help in any case to understand better what is going on and why it
might not happen on more recent versions.

Regards

Rüdiger
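Review bot: the second hunk adds the identical `apr_brigade_cleanup(bb); return rv;` pair as the first, again without rationale, which invites the two error paths drifting apart; either factor the pair into a small static helper or put the explanation next to one occurrence and refer to it from the other. The reply above also points out that this removes the symptom rather than the cause: the filter should not be re-entered with a brigade that still holds its old buckets, or that brigade should have been set aside, so the patch should land together with a backtrace showing who re-passes the brigade.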
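As an added illustration of the bucket-lifetime problem discussed in this thread (example code written for this archive page, not httpd's or APR's own code): a toy brigade where `bucket_t`, `brigade_t`, `brigade_cleanup`, `brigade_setaside`, `pass_brigade_next`, `filter_out` and `leftover_transient_after_error` are made-up stand-ins for APR buckets, apr_brigade_cleanup, bucket setaside, ap_pass_brigade and deflate_out_filter. It models one ap_rwrite-style call whose transient buckets point into a local buffer, lets the downstream pass fail as if the client had closed the connection, and counts how many transient buckets are left in the caller's brigade: the unpatched shape leaves two dangling references, the patched cleanup leaves none, and setting the brigade aside first leaves buckets that own their data and are therefore safe. The toy never dereferences the dead buffer; it only counts the buckets that would.

```c
#include <stdlib.h>
#include <string.h>

/* Toy bucket (made-up names, not APR's): a transient bucket points into
 * memory the caller owns, as ap_rwrite produces; a heap bucket owns a copy. */
typedef struct bucket {
    const char *data;     /* payload; caller memory for a transient bucket */
    char *owned;          /* non-NULL once the bucket owns a heap copy */
    size_t len;
    struct bucket *next;
} bucket_t;

typedef struct { bucket_t *head; } brigade_t;

static void brigade_insert_tail(brigade_t *bb, bucket_t *b) {
    bucket_t **pp = &bb->head;
    while (*pp) pp = &(*pp)->next;
    b->next = NULL;
    *pp = b;
}

static void bucket_transient_create(brigade_t *bb, const char *p, size_t len) {
    bucket_t *b = calloc(1, sizeof *b);
    b->data = p;          /* no copy: dangles once the caller's buffer is gone */
    b->len = len;
    brigade_insert_tail(bb, b);
}

/* Stand-in for apr_brigade_cleanup(): destroy every bucket, keep the brigade. */
static void brigade_cleanup(brigade_t *bb) {
    while (bb->head) {
        bucket_t *b = bb->head;
        bb->head = b->next;
        free(b->owned);
        free(b);
    }
}

/* Stand-in for setting a brigade aside: every transient bucket gets its own
 * heap copy so it stays valid after the caller returns. */
static void brigade_setaside(brigade_t *bb) {
    for (bucket_t *b = bb->head; b; b = b->next) {
        if (b->owned == NULL) {
            b->owned = malloc(b->len + 1);
            memcpy(b->owned, b->data, b->len);
            b->data = b->owned;
        }
    }
}

static size_t brigade_count_transient(const brigade_t *bb) {
    size_t n = 0;
    for (const bucket_t *b = bb->head; b; b = b->next)
        if (b->owned == NULL) n++;
    return n;
}

/* Stand-in for ap_pass_brigade(f->next, ...): the next filter consumes the
 * brigade, and the call fails once the client has gone away. */
static int pass_brigade_next(brigade_t *out, int client_gone) {
    brigade_cleanup(out);
    return client_gone ? -1 : 0;
}

/* Shaped like deflate_out_filter's loop: move one input bucket at a time to
 * the context brigade, pass it on, bail out on error. cleanup_on_error
 * selects the patched behaviour (empty the input brigade before returning). */
static int filter_out(brigade_t *bb, brigade_t *ctx_bb, int client_gone,
                      int cleanup_on_error) {
    while (bb->head) {
        bucket_t *b = bb->head;
        bb->head = b->next;
        brigade_insert_tail(ctx_bb, b);
        if (pass_brigade_next(ctx_bb, client_gone) != 0) {
            if (cleanup_on_error)
                brigade_cleanup(bb);
            return -1;
        }
    }
    return 0;
}

/* Models one ap_rwrite() from a module such as mod_php: three transient
 * buckets over a local buffer that dies when this function returns. Returns
 * how many transient buckets are still in the brigade after the failed pass. */
size_t leftover_transient_after_error(int cleanup_on_error, int setaside_first) {
    char local[32] = "chunk one|chunk two|chunk 3";   /* constructed payload */
    brigade_t bb = { NULL }, ctx_bb = { NULL };
    bucket_transient_create(&bb, local, 9);
    bucket_transient_create(&bb, local + 10, 9);
    bucket_transient_create(&bb, local + 20, 7);
    if (setaside_first)
        brigade_setaside(&bb);
    (void)filter_out(&bb, &ctx_bb, /* client_gone = */ 1, cleanup_on_error);
    size_t n = brigade_count_transient(&bb);   /* each would dangle on re-entry */
    brigade_cleanup(&bb);   /* the toy frees its leftovers; httpd's caller would not */
    return n;
}
```

`leftover_transient_after_error(0, 0)` returns 2 (the unpatched error path), `leftover_transient_after_error(1, 0)` returns 0 (the cleanup the patch adds), and `leftover_transient_after_error(0, 1)` returns 0 because a set-aside brigade holds no transient buckets at all, which is the alternative the reply above mentions.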