Opened 5 years ago

Closed 4 years ago

#690 closed defect (invalid)

nginx + mod_security segfaults

Reported by: Igor D'Astolfo Owned by:
Priority: critical Milestone: 1.7.9
Component: nginx-core Version: 1.7.x
Keywords: proxy reverse mod_security Cc:
uname -a: Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.7.9
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
configure arguments: --add-module=../modsecurity-2.8.0/nginx/modsecurity

Description

I just made a test with nginx 1.7.9 and mod_security for nginx, following this tutorial: http://www.nginxtips.com/how-to-install-mod_security-on-nginx/

I configured nginx as reverse proxy with mod_security enabled. After few requests nginx was segfaulting, always when serving images. I checked the coredump, this is the output:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 ngx_http_upstream_copy_allow_ranges (r=0x2678680, h=0x7fff406e6f40, offset=<optimized out>) at src/http/ngx_http_upstream.c:4571
4571 if (r->upstream->conf->force_ranges) {

so I tried to set proxy_force_ranges flag in configuration and the segfault went away.

Note that if I turn off modsecurity the proxy alone works fine.


Change History (3)

comment:1 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: newclosed

The ModSecurity 3rd party module is known to be very unstable. AFAIK, it is not expected to work at all unless you are using nginx_refactoring branch. In either case, this isn't a proper place to report problems with ModSecurity, likely their issue tracker on GitHub is a correct place.

comment:2 by driehuis@…, 4 years ago

Resolution: invalid
Status: closedreopened

The ngx_http_upstream_copy_allow_ranges blindly dives into a a structure that gets passed around as an opaque object, so a caller can't reasonably be expected to check it for completeness.

This fix addresses the issue by checking that the conf member is set before derefencing it.

--- orig/nginx-1.7.9/src/http/ngx_http_upstream.c   2014-12-23 16:28:40.000000000 +0100
+++ nginx-1.7.9/src/http/ngx_http_upstream.c    2015-02-10 14:29:10.211240721 +0100
@@ -4569,5 +4569,5 @@
     ngx_table_elt_t  *ho;

-    if (r->upstream->conf->force_ranges) {
+    if (r->upstream->conf && r->upstream->conf->force_ranges) {
         return NGX_OK;
     }

comment:3 by Maxim Dounin, 4 years ago

Resolution: invalid
Status: reopenedclosed

The ngx_http_upstream_copy_allow_ranges() function is a handler called to copy headers within upstream module. It is expected to be only called when r->upstream exists and r->upstream->conf is set. If it's called with r->upstream->conf not set - it means the bug is elsewhere.

Note: See TracTickets for help on using tickets.