When you pass certain characters to ngx.re.match, it can cause an infinite loop inside pcre and thereby cause the server to segfault.
Here is a smallish example that does so on my system. Note: there are some non-ASCII characters in the code that crashes, which are almost certainly part of the cause. These may or may not display properly on GitHub. If you copy the code and it doesn't cause a crash, let me know and I'll send you the code directly.
```nginx
location /crash {
    content_by_lua '
        local str = [[
echo "#!/bin/sh" > /tmp/simpl.$$; echo "cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf simpl.tar.gz; echo -n hello" >> /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo -n SIMPL_; echo BEGIN; /tmp/simpl.$$; echo -n SIMPL_; echo END; echo $?; exit
root@proxy4:~# echo "#!/bin/sh" > /tmp/simpl.$$; echo "cd /simpl/conf/run; rm
</sh" > /tmp/simpl.$$; echo "cd /simpl/conf/run; rm �������������������������-Rf simpl-bak; mv -fT voc
< "cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT vocr �������������������������e simpl-bak; tar -xzf voc
<Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf vocr �������������������������e.tar.gz; echo -n hello"
< simpl-bak; tar -xzf simpl.tar.gz; echo -n hello" > �������������������������> /tmp/simpl.$$; chmod +x
<.tar.gz; echo -n hello" >> /tmp/simpl.$$; chmod +x �������������������������/tmp/simpl.$$; echo; echo
< /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo �������������������������-n SIMPL_; echo BEGIN; /t
<tmp/simpl.$$; echo; echo -n SIMPL_; echo BEGIN; /tm �������������������������p/simpl.$$; echo -n SIMPL
<n SIMPL_; echo BEGIN; /tmp/simpl.$$; echo -n SIMPL_ �������������������������; echo END; echo $?; exit
SIMPL_BEGIN
helloSIMPL_END
0
logout
Connection to 96.126.107.244 closed.
]]
        local regex = "(?|.|\n)*SIMPL_BEGIN((?|.|\n)*)\n([0-9]+)\s*SIMPL_END(?|.|\n)*"
        ngx.re.match(str, regex, "m")
    ';
}
```
Here are the related entries in the debug log:
```
2011/09/13 19:10:39 [debug] 29042#0: *1 access phase: 8
2011/09/13 19:10:39 [debug] 29042#0: *1 post access phase: 9
2011/09/13 19:10:39 [debug] 29042#0: *1 lua reset ctx
2011/09/13 19:10:39 [debug] 29042#0: *1 lua creating new thread
2011/09/13 19:10:39 [debug] 29042#0: *1 http cleanup add: 0823F04C
2011/09/13 19:10:39 [debug] 29042#0: *1 lua run thread
2011/09/13 19:10:39 [debug] 29042#0: *1 lua compiling match regex "(?|.|\n)*SIMPL_BEGIN((?|.|\n)*)\n([0-9]+)\s*SIMPL_END(?|.|\n)*" with options "m" (compile once: 0)
2011/09/13 19:10:39 [notice] 29040#0: signal 17 (SIGCHLD) received
2011/09/13 19:10:39 [alert] 29040#0: worker process 29042 exited on signal 11 (core dumped)
2011/09/13 19:10:39 [debug] 29040#0: wake up, sigio 0
```
And the gdb backtrace from the dumped core:
```
Program terminated with signal 11, Segmentation fault.
#0  0xb744672d in ?? () from /lib/libpcre.so.3
(gdb) bt full
#0  0xb744672d in ?? () from /lib/libpcre.so.3
No symbol table info available.
#1  0xb7441b04 in ?? () from /lib/libpcre.so.3
No symbol table info available.
#2  0xb7446767 in ?? () from /lib/libpcre.so.3
...
#2595 0xb744db45 in pcre_exec () from /lib/libpcre.so.3
No symbol table info available.
#2596 0x081196d9 in ngx_http_lua_ngx_re_match (L=0xb72741e0) at /simpl/dev/lua-nginx-module/src/ngx_http_lua_regex.c:235
        r = 0x824c6a8
        subj = {len = 1454,
          data = 0xb7276018 "echo \"#!/bin/sh\" > /tmp/simpl.$$; echo \"cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf simpl.tar.gz; echo -n hello\" >> /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo -n SIMP"...}
        pat = {len = 62, data = 0xb72742a8 "(?|.|\\n)*SIMPL_BEGIN((?|.|\\n)*)\\n([0-9]+)\\s*SIMPL_END(?|.|\\n)*"}
        opts = {len = 1, data = 0xb72743c8 "m"}
        re_comp = {pattern = {len = 62, data = 0xb72742a8 "(?|.|\\n)*SIMPL_BEGIN((?|.|\\n)*)\\n([0-9]+)\\s*SIMPL_END(?|.|\\n)*"}, pool = 0x823e630,
          options = 2, regex = 0x823f058, captures = 2, named_captures = 0, name_size = 0, names = 0x0, err = {len = 1024, data = 0xbfd4c847 ""}}
        re = 0xb72741e0
        msg = 0xb726d318 "\300\301&\267"
        rc = 0
        n = 12
        i = 0
        pos = 0
        nargs = 3
        cap = 0x823f10c
        ovecsize = 9
        comp_once = 0
        pool = 0x823e630
        lmcf = 0x0
        errstr = '\000' <repeats 13 times>, "\020\003'\267\360\301&\267a\316e\267\000\000\000\000\230\366&\267\000\000\000\000\005\323e\267\f\000\000\000\377\377\377\377\377\377\377\377h\300&\267\310@'\267\204", '\000' <repeats 15 times>"\360, \301&\267\000\000\000\000\320\312j\267\300\301&\267\360\301&\267\000\000\000\363\314e\267\b\300&\267\000\000\000\000\000\000\000\000\000\000\000\000\000\000l\311Կ\270\314Կީf\267+A'\267\000X'\267\001\000\000\000\344\315e\267\270\314ԿX@'\267`}j\267&\212f\267\000\000\000\000\003\000\000\000\270\314Կl\311Կ\320@'\267\000\000\000\000\000\000\000\000\300\301&\267!\000\000\000X\000\000\000\000\000\000\000[\000\000\000X\000\000\000X\000\000\000;\201f\267\320\312j\267\270\314Կ\300\301&\267l\311Կ\320\312j\267\270\314Կ\300\301&\267l\311Կ'\331f\267\270\314Կ\302Z\026\b\016\000\000\000p\311Կ\263\017\065\267\003\000\000\000\n\000\000\000\250@'\267\270\314Կ\300\301&\267\000\000\000\000\000\000\000\000\004\000\000\000\000\000\000\000\377"...
#2597 0xb765ac47 in ?? () from /usr/local/simpl/luajit/default/lib/libluajit-5.1.so.2
No symbol table info available.
#2598 0xb7665426 in lua_resume () from /usr/local/simpl/luajit/default/lib/libluajit-5.1.so.2
No symbol table info available.
#2599 0x00000000 in ?? ()
```
I think this is a relatively serious issue should you end up parsing code that you do not fully control. The same code also caused segfaults with rex_lua(pcre), and it would seem to me that the issue is probably PCRE-related. I'm not sure if there's any way to mitigate the issue without patching PCRE. I'll try to look into this issue myself at some point.
Cheers,
Marcus.
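The same extraction done without the per-character repeated group, plus a size ceiling on the untrusted subject, as an added example (not code from the issue, from ngx_lua or from PCRE); it assumes it runs as an ngx_lua content handler, and SAFE_RE, MAX_SUBJECT and extract are my own names and values:

```lua
-- Added example; not code from the issue, ngx_lua or PCRE. Runs as an
-- ngx_lua content handler (e.g. content_by_lua_file); names are my own.

-- The pattern from the report. `(?|.|\n)*` is a repeated GROUP: classic PCRE
-- re-enters its match() function once per iteration, so C-stack depth grows
-- with subject length (frames #0..#2595 in the backtrace) until the worker
-- dies with SIGSEGV. Kept here only for comparison; never run it on user input.
local RISKY_RE = [[(?|.|\n)*SIMPL_BEGIN((?|.|\n)*)\n([0-9]+)\s*SIMPL_END(?|.|\n)*]]

-- Same two captures, no per-character recursion: a single-character repeat
-- (`.*`) is executed as a loop, and the "s" option makes `.` match newlines,
-- which is all `(?|.|\n)` was buying. The leading/trailing `(?|.|\n)*` are
-- dropped; an unanchored ngx.re.match already scans the whole subject.
local SAFE_RE = [[SIMPL_BEGIN(.*)\n([0-9]+)\s*SIMPL_END]]

-- Defence in depth: whatever the pattern, bound the untrusted input so the
-- worst case is bounded too. 64 KiB is an assumed value; size it to the
-- largest legitimate message.
local MAX_SUBJECT = 65536

local function extract(subject)
    if #subject > MAX_SUBJECT then
        return nil, "subject too large: " .. #subject .. " bytes"
    end
    -- "s": dot matches newline; "o": compile once and cache the compiled regex.
    local m, err = ngx.re.match(subject, SAFE_RE, "so")
    if err then
        -- PCRE error. If lua_regex_match_limit is set in nginx.conf, a
        -- pathological subject lands here as "pcre_exec() failed: -8"
        -- instead of taking the worker down.
        ngx.log(ngx.ERR, "ngx.re.match failed: ", err)
        return nil, err
    end
    if not m then
        return nil, "no SIMPL block found"
    end
    return m[1], tonumber(m[2])
end

ngx.req.read_body()
local payload, num = extract(ngx.req.get_body_data() or "")
if not payload then
    ngx.status = ngx.HTTP_BAD_REQUEST
    ngx.say("error: ", num)
    return ngx.exit(ngx.HTTP_BAD_REQUEST)
end
ngx.say("payload=", payload, " number=", num)
```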
@simpl Are you still able to reproduce this with the latest versions of ngx_lua and PCRE? If yes, please provide me a minimized but still complete example if possible. Thank you!