Opened 4 years ago

Closed 3 years ago

#690 closed defect (invalid)

nginx + mod_security segfaults

Reported by: i.dastolfo@… Owned by:
Priority: critical Milestone: 1.7.9
Component: nginx-core Version: 1.7.x
Keywords: proxy reverse mod_security Cc:
uname -a: Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.7.9 built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1) configure arguments: --add-module=../modsecurity-2.8.0/nginx/modsecurity

Description

I just made a test with nginx 1.7.9 and mod_security for nginx, following this tutorial: http://www.nginxtips.com/how-to-install-mod_security-on-nginx/

I configured nginx as reverse proxy with mod_security enabled. After a few requests nginx was segfaulting, always when serving images. I checked the coredump; this is the output:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 ngx_http_upstream_copy_allow_ranges (r=0x2678680, h=0x7fff406e6f40, offset=<optimized out>) at src/http/ngx_http_upstream.c:4571
4571 if (r->upstream->conf->force_ranges) {

So I tried to set the proxy_force_ranges flag in the configuration, and the segfault went away.

Note that if I turn off modsecurity the proxy alone works fine.


Change History (3)

comment:1 Changed 4 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

The ModSecurity 3rd party module is known to be very unstable. AFAIK, it is not expected to work at all unless you are using the nginx_refactoring branch. In either case, this isn't a proper place to report problems with ModSecurity; likely their issue tracker on GitHub is the correct place.

comment:2 Changed 3 years ago by driehuis@…

  • Resolution invalid deleted
  • Status changed from closed to reopened

The ngx_http_upstream_copy_allow_ranges blindly dives into a structure that gets passed around as an opaque object, so a caller can't reasonably be expected to check it for completeness.

This fix addresses the issue by checking that the conf member is set before dereferencing it.

--- orig/nginx-1.7.9/src/http/ngx_http_upstream.c   2014-12-23 16:28:40.000000000 +0100
+++ nginx-1.7.9/src/http/ngx_http_upstream.c    2015-02-10 14:29:10.211240721 +0100
@@ -4569,5 +4569,5 @@
     ngx_table_elt_t  *ho;

-    if (r->upstream->conf->force_ranges) {
+    if (r->upstream->conf && r->upstream->conf->force_ranges) {
         return NGX_OK;
     }
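
Review bot: the added `conf &&` guard on the `if` line masks the caller's bug rather than fixing it. By the time the upstream module's header-copy handlers run, r->upstream->conf is expected to be set, so a NULL here means an upstream request reached this path half-initialised (in this report, only with the third-party ModSecurity module loaded). After this change the handler silently falls through to the header copy as if force_ranges were off, while every other dereference of r->upstream->conf in the upstream code path stays exposed, so the crash moves rather than disappears. If any defensive handling is kept, make the violated invariant visible instead of continuing, e.g. `if (r->upstream->conf == NULL) { /* log */ return NGX_ERROR; }`, and track down where conf fails to be set; the patch description should also say which code path leaves conf unset, since the hunk alone gives no way to judge whether this is the right layer for the check.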

comment:3 Changed 3 years ago by mdounin

  • Resolution set to invalid
  • Status changed from reopened to closed

The ngx_http_upstream_copy_allow_ranges() function is a handler called to copy headers within the upstream module. It is expected to be called only when r->upstream exists and r->upstream->conf is set. If it's called with r->upstream->conf not set, it means the bug is elsewhere.
