apr-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 64324] New: SIGSEGV in apr_bucket_free()
Date Thu, 09 Apr 2020 11:37:05 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=64324

            Bug ID: 64324
           Summary: SIGSEGV in apr_bucket_free()
           Product: APR
           Version: 1.5.4
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: APR-util
          Assignee: bugs@apr.apache.org
          Reporter: guerinp@talasi.fr
  Target Milestone: ---

Hello to all,

OS: Linux Debian 9 32-bit
Apache2 2.4.25-3+deb9u9
libaprutil1 1.5.4-3
libapache2-mod-fcgid 1:2.3.9-1+b1

When uploading a huge file (~500 MB) in a POST request through mod_fcgid, I got a
SIGSEGV (the crash was logged in error.log).

So I loaded debug symbols and did what was necessary to produce a core file.

Here's the backtrace:
#0  apr_bucket_free (mem=0x0) at ./buckets/apr_buckets_alloc.c:194
#1  0xb7716c06 in file_bucket_read (e=0xa75b6918, str=0xb3ff4c18,
len=0xb3ff4c14, block=APR_BLOCK_READ) at ./buckets/apr_buckets_file.c:125
#2  0xb73b7f6f in proc_write_ipc (ipc_handle=0xb698f3a8,
output_brigade=0xb698eb30) at fcgid_proc_unix.c:776
#3  0xb73b0c0a in handle_request_ipc (location_ptr=<optimized out>,
bucket_ctx=<optimized out>, output_brigade=<optimized out>, role=<optimized
out>, r=<optimized out>)
    at fcgid_bridge.c:302
#4  handle_request (r=0x0, role=1, cmd_conf=0xb698e298,
output_brigade=0xb698eb30) at fcgid_bridge.c:488
#5  0xb73b0fe5 in bridge_request (r=0xb697d058, role=1, cmd_conf=0xb698e298) at
fcgid_bridge.c:776
#6  0xb73af834 in fcgid_handler (r=0xb697d058) at mod_fcgid.c:290
#7  0x004839b7 in ?? ()
#8  0xb697d058 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

I don't know exactly why mem is NULL, but the fact is that apr_bucket_free does
not check the input pointer before dereferencing it.

I've checked the up-to-date 1.7.x release of apr_buckets_alloc.c.
The same behaviour can happen.

Kind regards,
Patrice.
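An added illustration, not code from APR, mod_fcgid or the reporter: a constructed mini-allocator that stores a small bookkeeping header immediately before the pointer it hands out, which is the layout that makes a free routine fault on a null pointer before any explicit check could run. The names `node_header_t`, `bucket_alloc`, `bucket_free_unchecked` and `bucket_free_checked` are hypothetical, and the header fields are an assumption for the example; they do not reproduce APR's real structure. The unchecked variant has the same shape as the crashing frame (header derived from `mem` first, then dereferenced); the hardened variant rejects NULL and reports it, so the caller bug that produced the null pointer (here, the `file_bucket_read` frame above `apr_bucket_free`) stays visible instead of being silently swallowed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header (assumed layout, not APR's node_header_t). It sits
 * immediately before the payload returned to the caller, so the free
 * routine recovers it by pointer subtraction. */
typedef struct node_header {
    size_t size;               /* payload bytes handed to the caller */
    struct node_header *next;  /* free-list link, unused while allocated */
} node_header_t;

/* Allocate header + payload and hand back a pointer to the payload. */
void *bucket_alloc(size_t size)
{
    node_header_t *node = malloc(sizeof(*node) + size);
    if (node == NULL)
        return NULL;
    node->size = size;
    node->next = NULL;
    return node + 1;           /* payload starts right after the header */
}

/* Read the payload size back from the header (valid pointers only). */
size_t bucket_payload_size(const void *mem)
{
    const node_header_t *node = (const node_header_t *)mem - 1;
    return node->size;
}

/* Address the header arithmetic yields for a given payload pointer, done
 * as plain unsigned arithmetic so NULL can be shown without undefined
 * behaviour: for mem == NULL it wraps to UINTPTR_MAX - sizeof(header) + 1,
 * an address at the very top of the address space that user code cannot
 * touch, which is why the first field read faults. */
uintptr_t header_address(const void *mem)
{
    return (uintptr_t)mem - sizeof(node_header_t);
}

/* Unchecked free, same shape as the crashing routine: the header is
 * derived from mem before anything validates mem. Never call with NULL. */
size_t bucket_free_unchecked(void *mem)
{
    node_header_t *node = (node_header_t *)mem - 1;
    size_t size = node->size;  /* with mem == NULL this read faults */
    free(node);
    return size;
}

/* Hardened free: reject NULL before deriving the header. Returns the
 * freed payload size; on NULL returns 0 and sets *err to -1 so the
 * caller's defect is reported rather than hidden. */
size_t bucket_free_checked(void *mem, int *err)
{
    if (mem == NULL) {
        if (err) *err = -1;
        return 0;
    }
    if (err) *err = 0;
    return bucket_free_unchecked(mem);
}

int main(void)
{
    void *p = bucket_alloc(64);
    if (p == NULL) return 1;
    memset(p, 0xAB, 64);       /* constructed payload */
    int err = 0;
    size_t freed = bucket_free_checked(p, &err);    /* 64, err == 0 */
    size_t none = bucket_free_checked(NULL, &err);  /* 0, err == -1 */
    return (freed == 64 && none == 0 && err == -1) ? 0 : 1;
}
```

The null check in the free routine stops the fault, but it is a defence-in-depth measure: a null buffer reaching a free call means the producing code path (the bucket read in this trace) already went wrong, so the hardened variant reports the condition through `err` rather than treating NULL as a no-op.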
