Opened 6 years ago

Closed 2 months ago

Last modified 5 weeks ago

#1263 closed defect (fixed)

Segmentation Fault when SSI is used in sub-request

Reported by: peter.magdina.sk@… Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.11.x
Keywords: Cc:
uname -a: Darwin xxxxxx.local 16.5.0 Darwin Kernel Version 16.5.0: Fri Mar 3 16:52:33 PST 2017; root:xnu-3789.51.2~3/RELEASE_X86_64 x86_64
nginx -V: nginx version: nginx/1.12.0
built by clang 8.1.0 (clang-802.0.41)
built with OpenSSL 1.1.0e 16 Feb 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-O2 -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=spnego-http-auth-nginx-module-master --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-http_v2_module --with-threads --with-http_slice_module --user=nginx --group=nginx --prefix=/opt/nginx --error-log-path=/opt/nginx/log/error.log --http-log-path=/opt/nginx/log/access.log --pid-path=/opt/nginx/run/nginx.pid --lock-path=/opt/nginx/run/nginx --http-client-body-temp-path=/opt/nginx/cache/client --http-proxy-temp-path=/opt/nginx/cache/proxy --http-fastcgi-temp-path=/opt/nginx/cache/fastcgi --http-uwsgi-temp-path=/opt/nginx/cache/uwsgi --http-scgi-temp-path=/opt/nginx/cache/scgi

Description

Hi,

nginx worker process crashes with segfault when SSI is used in a sub-request.

Config example:

    location /loc1.html {
        add_after_body /loc2.html;
    }

    location /loc2.html {
        ssi on;
    }

Segfault happens only when I access /loc1.html location. When I access /loc2.html directly it works fine.

Error log:

==> ../log/error.log <==
2017/05/03 18:47:10 [alert] 14548#23345880: worker process 14566 exited on signal 11
2017/05/03 18:47:10 [alert] 14548#23345880: worker process 14573 exited on signal 11

Just FYI, content of loc1.html:

<p>Hi from location 1 !</p>

content of loc2.html:

<p>Hi from location 2 on <!--#echo var="host" --> !</p>

I tried to debug it and fix it, but due to the time I stopped here:
file ngx_http_ssi_filter_module.c:

    static ngx_str_t *
    ngx_http_ssi_get_variable(ngx_http_request_t *r, ngx_str_t *name,
        ngx_uint_t key)
    {
        ngx_uint_t           i;
        ngx_list_part_t     *part;
        ngx_http_ssi_var_t  *var;
        ngx_http_ssi_ctx_t  *ctx;

        ctx = ngx_http_get_module_ctx(r->main, ngx_http_ssi_filter_module);

        ...

ctx is NULL. SSI context is missing when SSI is called in a subrequest.

And then the subsequent code will cause segfault, because ctx is NULL:

    if (ctx->variables == NULL) {
        return NULL;
    }

I added some additional debug logs to the code around the ctx = ngx_http_get_module_ctx(....) line. And this is the output:

2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable r->main: 00007FE3FC006E50
2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable r->main->ctx: 00007FE3FC007770, module.ctx_index: 46
2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable ctx: 0000000000000000

Cheers
Peter Magdina

Change History (4)

comment:1 by Maxim Dounin, 6 years ago

Status: new → accepted

Thanks for the report, looks like a generic problem in the SSI module. It was written when there were no subrequests except subrequests created by the SSI module itself, and assumes in many places that its context always exists in the main request. This needs to be fixed.

comment:2 by Maxim Dounin, 3 months ago

See here for an attempt to fix this.

Last edited 5 weeks ago by Maxim Dounin

comment:3 by Ciel Zhao <i@…>, 3 months ago

In 8102:49e7db44b57c/nginx:

SSI: handling of subrequests from other modules (ticket #1263).

As the SSI parser always uses the context from the main request for storing
variables and blocks, that context should always exist for subrequests using
SSI, even though the main request does not necessarily have SSI enabled.

However, ngx_http_get_module_ctx(r->main, ...) is getting NULL in such cases,
resulting in the worker crashing SIGSEGV when accessing its attributes.

This patch links the first initialized context to the main request, and
upgrades it only when main context is initialized.
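Added example, not nginx's code and not the committed patch: a small C model of the per-request module context table that reproduces the lookup failure from the report (main request without SSI, subrequest with SSI, lookup through r->main) and shows the two remedies, a NULL check in the variable lookup and installing the first initialised context on the main request as the commit message describes. All names ending in `_model`, the `MODULES_MAX_MODEL` size and the sample variable string are constructed for this example; the context index 46 is taken from the reporter's debug log. The "upgrade" step of the real fix is not modelled.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MODULES_MAX_MODEL   64
#define SSI_CTX_INDEX_MODEL 46  /* ctx_index value seen in the reporter's debug log */

/* Toy request: nginx's ngx_http_request_t keeps r->main (the main request;
 * a main request points at itself) and r->ctx (per-module context array). */
typedef struct request_model request_model;
struct request_model {
    request_model *main;
    void          *ctx[MODULES_MAX_MODEL];
};

/* Stand-in for ngx_http_ssi_ctx_t; only the field the crash path touches. */
typedef struct {
    const char *variables;
} ssi_ctx_model;

/* Toy equivalents of ngx_http_get_module_ctx / ngx_http_set_ctx. */
static void *get_module_ctx_model(request_model *r, unsigned idx)
{
    return r->ctx[idx];
}

static void set_module_ctx_model(request_model *r, unsigned idx, void *c)
{
    r->ctx[idx] = c;
}

/* Returns 1 if a lookup through r->main would dereference NULL, i.e. the
 * crash described in the ticket; the unsafe code path itself is never run. */
static int main_ctx_missing_model(request_model *r)
{
    return get_module_ctx_model(r->main, SSI_CTX_INDEX_MODEL) == NULL;
}

/* Defensive form of the variable lookup: the original checks
 * ctx->variables but assumes ctx itself is non-NULL. */
static const char *ssi_get_variable_safe_model(request_model *r)
{
    ssi_ctx_model *ctx = get_module_ctx_model(r->main, SSI_CTX_INDEX_MODEL);

    if (ctx == NULL || ctx->variables == NULL) {
        return NULL;
    }

    return ctx->variables;
}

/* Context creation for a request whose location has "ssi on". With
 * link_to_main set, the first context initialised anywhere in the request
 * tree is also installed on r->main when the main request has none, which
 * is the approach the commit message for this ticket describes. */
static ssi_ctx_model *ssi_init_ctx_model(request_model *r, ssi_ctx_model *storage,
    const char *variables, int link_to_main)
{
    storage->variables = variables;
    set_module_ctx_model(r, SSI_CTX_INDEX_MODEL, storage);

    if (link_to_main && r != r->main
        && get_module_ctx_model(r->main, SSI_CTX_INDEX_MODEL) == NULL)
    {
        set_module_ctx_model(r->main, SSI_CTX_INDEX_MODEL, storage);
    }

    return storage;
}

/* The report's layout: main request /loc1.html (no SSI), subrequest
 * /loc2.html (ssi on), then a variable lookup from the subrequest.
 * Returns the variable store, or NULL when the main context is missing. */
static const char *scenario_model(int link_to_main)
{
    static request_model  main_req, sub_req;
    static ssi_ctx_model  sub_ctx;

    memset(&main_req, 0, sizeof(main_req));
    memset(&sub_req, 0, sizeof(sub_req));
    main_req.main = &main_req;
    sub_req.main = &main_req;

    /* constructed sample content standing in for the SSI variable list */
    ssi_init_ctx_model(&sub_req, &sub_ctx, "host=example.test", link_to_main);

    if (main_ctx_missing_model(&sub_req)) {
        return NULL;   /* unpatched behaviour: lookup would have crashed */
    }

    return ssi_get_variable_safe_model(&sub_req);
}

int main(void)
{
    const char *linked = scenario_model(1);

    printf("without linking: %s\n", scenario_model(0) ? "ok" : "ctx NULL (would crash)");
    printf("with linking:    %s\n", linked ? linked : "ctx NULL");
    return 0;
}
```

The NULL check alone turns the crash into a silently empty variable; linking the context to the main request is what makes `<!--#echo -->` in the subrequest actually work, which is why the commit took that route.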

comment:4 by Maxim Dounin, 2 months ago

Resolution: fixed
Status: accepted → closed

Fix committed, thanks to all involved.
