Opened 7 years ago

Closed 7 years ago

#528 closed defect (fixed)

crash on win32 with shared ssl_session_cache

Reported by: E Cleton
Owned by:
Priority: trivial
Milestone:
Component: nginx-core
Version: 1.5.x
Keywords: ssl_session_cache win32
Cc:
uname -a:
nginx -V: nginx version: nginx/1.5.12 (from http://nginx.org/download/)
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= -
-conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access
.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-te
mp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fast
cgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsg
i-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msv
c8/lib/pcre-8.34 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --wi
th-http_realip_module --with-http_addition_module --with-http_sub_module --with-
http_dav_module --with-http_stub_status_module --with-http_flv_module --with-htt
p_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-htt
p_auth_request_module --with-http_random_index_module --with-http_secure_link_mo
dule --with-mail --with-openssl=objs.msvc8/lib/openssl-1.0.1f --with-openssl-opt
=enable-tlsext --with-http_ssl_module --with-mail_ssl_module --with-ipv6

Description

crash while attempting to use ssl_session_cache

XP SP3, 32bit

curl -i -k "https://127.0.0.1"

2014/04/01 11:06:32 [debug] 812#1860: *1 post event 04870108
2014/04/01 11:06:32 [debug] 812#1860: timer delta: 20
2014/04/01 11:06:32 [debug] 812#1860: posted events 04870108
2014/04/01 11:06:32 [debug] 812#1860: posted event 04870108
2014/04/01 11:06:32 [debug] 812#1860: *1 delete posted event 04870108
2014/04/01 11:06:32 [debug] 812#1860: *1 SSL handshake handler: 0
2014/04/01 11:06:32 [debug] 812#1860: shmtx lock
2014/04/01 11:06:32 [debug] 764#768: master WaitForMultipleObjects: 4
2014/04/01 11:06:32 [debug] 764#768: reap worker
2014/04/01 11:06:32 [notice] 764#768: worker process 812 exited with code C0000005
2014/04/01 11:06:32 [debug] 764#768: GetModuleFileName: "C:\nginx\nginx.exe"
2014/04/01 11:06:32 [notice] 764#768: start worker process 140
2014/04/01 11:06:32 [debug] 140#772: malloc: 00A74730:19
2014/04/01 11:06:32 [debug] 140#772: malloc: 00A74730:19
2014/04/01 11:06:32 [debug] 140#772: malloc: 00A74730:19
2014/04/01 11:06:32 [debug] 140#772: malloc: 00A73670:16
2014/04/01 11:06:32 [debug] 140#772: bind() 0.0.0.0:80 #168
2014/04/01 11:06:32 [debug] 140#772: bind() 0.0.0.0:443 #176

Caused by using:
ssl_session_cache shared:SSL:10m;

No ASLR or DEP in use, shared memory works, for example:
limit_req_zone $binary_remote_addr zone=floodp:20m rate=64r/s;
does not crash and works as it is supposed to work.

Might be related to http://trac.nginx.org/nginx/ticket/235 (suggested patches tried but do not solve this issue)

Change History (6)

comment:1 by Maxim Dounin, 7 years ago

Have you tried to move ssl_session_cache to the http{} level, as suggested by this comment to ticket #235?

comment:2 by E Cleton, 7 years ago

Yes, tried both in server{} and http{}, and both crash the same way.
Also just tested with 1.2.9 and 1.4.7, same results; ssl_session_cache has not been working for over a year and may have never worked.

comment:3 by Maxim Dounin, 7 years ago

Keywords: win32 added
Status: new → accepted
Summary: crash while attempting to use ssl_session_cache → crash on win32 with shared ssl_session_cache

I was able to reproduce the crash. Apparently shared ssl_session_cache is indeed broken on win32 except when running without master process. There isn't much sense in using a shared session cache on win32 as there is only one worker process currently supported, but anyway it shouldn't segfault.

The following patch should fix the problem:

--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1804,13 +1804,13 @@ ngx_ssl_session_cache_init(ngx_shm_zone_
         return NGX_OK;
     }
 
+    shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
+
     if (shm_zone->shm.exists) {
-        shm_zone->data = data;
+        shm_zone->data = shpool->data;
         return NGX_OK;
     }
 
-    shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
-
     cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
     if (cache == NULL) {
         return NGX_ERROR;
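
Review bot: in the shm_zone->shm.exists branch, "shm_zone->data = shpool->data;" trusts whatever the pool header holds, with no NULL check. If the attaching process sees the zone before the creator has stored the cache pointer there (that store is not visible in this hunk), shm_zone->data is NULL again and the failure moves from init to the first cache access. Consider returning NGX_ERROR when shpool->data == NULL, and adding a short comment that the value is a raw pointer read from shared memory, so it is only usable when the zone is mapped at the same address in this process.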

The root cause is that in a worker process shm_zone->data was set incorrectly (it was set to NULL instead of a proper value extracted from shared memory).
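
The root cause described above, as a small self-contained C model (an added example, not nginx source and not code from this ticket). pool_t, zone_t, cache_t and all function names are hypothetical stand-ins, one local buffer models the mapping shared by master and worker, and the NULL check in init_after is an addition the patch does not contain.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the slab pool header, the zone and the cache. */
typedef struct { void *data; size_t used; unsigned char arena[64]; } pool_t;
typedef struct { void *addr; int exists; void *data; } zone_t;
typedef struct { int nsessions; } cache_t;
typedef int (*init_fn)(zone_t *zone, void *data);

static void *pool_alloc(pool_t *p, size_t n) {
    if (n > sizeof(p->arena) - p->used) return NULL;
    p->used += n;
    return p->arena + p->used - n;
}

/* Creating process: allocate the cache and publish it in the pool header. */
static int create_cache(zone_t *zone) {
    pool_t *p = zone->addr;
    cache_t *c = pool_alloc(p, sizeof(cache_t));
    if (c == NULL) return -1;
    p->data = zone->data = c;
    return 0;
}

/* Before the fix: an attaching process copies the callback argument (NULL). */
static int init_before(zone_t *zone, void *data) {
    if (zone->exists) { zone->data = data; return 0; }
    return create_cache(zone);
}

/* After the fix: an attaching process reads the pointer kept in shared memory. */
static int init_after(zone_t *zone, void *data) {
    pool_t *p = zone->addr;
    if (!zone->exists) return create_cache(zone);
    if (p->data == NULL) return -1;   /* added check, not in the patch */
    zone->data = p->data;
    return 0;
}

/* Returns 1 if the attaching "worker" ends up with the creator's cache pointer. */
static int worker_sees_cache(init_fn init) {
    pool_t shm = { NULL, 0, {0} };    /* models one mapping seen by both */
    zone_t master = { &shm, 0, NULL }, worker = { &shm, 1, NULL };
    if (init(&master, NULL) != 0 || init(&worker, NULL) != 0) return 0;
    return worker.data != NULL && worker.data == master.data;
}
int main(void) {
    printf("before: %d, after: %d\n", worker_sees_cache(init_before), worker_sees_cache(init_after));
    return 0;
}
```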

comment:4 by E Cleton, 7 years ago

Confirmed, this patch solves the issue, including with multiple workers and with ASLR. I'll include it in the next release, Snowman. Thanks Maxim!

comment:5 by Maxim Dounin <mdounin@…>, 7 years ago

In 4c6ceca4f5f71d6bcbceb0744ed82cdd8ce5906e/nginx:

Win32: fixed shared ssl_session_cache (ticket #528).

In a worker process shm_zone->data was set to NULL instead of a proper value
extracted from shared memory.

comment:6 by Maxim Dounin, 7 years ago

Resolution: fixed
Status: accepted → closed

Fix committed, thanks.
