Opened 10 years ago
Closed 9 years ago
#690 closed defect (invalid)
nginx + mod_security segfaults
Reported by: | Igor D'Astolfo | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | 1.7.9 |
Component: | nginx-core | Version: | 1.7.x |
Keywords: | proxy reverse mod_security | Cc: | |
uname -a: | Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.7.9
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
configure arguments: --add-module=../modsecurity-2.8.0/nginx/modsecurity |
Description
I just made a test with nginx 1.7.9 and mod_security for nginx, following this tutorial: http://www.nginxtips.com/how-to-install-mod_security-on-nginx/
I configured nginx as a reverse proxy with mod_security enabled. After a few requests nginx was segfaulting, always when serving images. I checked the coredump; this is the output:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 ngx_http_upstream_copy_allow_ranges (r=0x2678680, h=0x7fff406e6f40, offset=<optimized out>) at src/http/ngx_http_upstream.c:4571
4571 if (r->upstream->conf->force_ranges) {
So I tried to set the proxy_force_ranges flag in the configuration and the segfault went away.
Note that if I turn off modsecurity the proxy alone works fine.
Change History (3)
comment:1 by , 10 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 9 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
The ngx_http_upstream_copy_allow_ranges blindly dives into a structure that gets passed around as an opaque object, so a caller can't reasonably be expected to check it for completeness.
This fix addresses the issue by checking that the conf member is set before dereferencing it.
--- orig/nginx-1.7.9/src/http/ngx_http_upstream.c 2014-12-23 16:28:40.000000000 +0100 +++ nginx-1.7.9/src/http/ngx_http_upstream.c 2015-02-10 14:29:10.211240721 +0100 @@ -4569,5 +4569,5 @@ ngx_table_elt_t *ho; - if (r->upstream->conf->force_ranges) { + if (r->upstream->conf && r->upstream->conf->force_ranges) { return NGX_OK; }
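Review bot: the added r->upstream->conf test in the force_ranges condition still dereferences r->upstream itself without a check, and when conf is NULL the code simply skips the early return NGX_OK and continues into the rest of the handler with the same incomplete upstream object. That replaces the crash with silent fall-through instead of reporting the broken state. If a guard belongs here at all, test both r->upstream and r->upstream->conf at the top of the function, log the condition, and fail the header copy (for example with return NGX_ERROR;), so that the caller which built the upstream without a conf shows up in the error log.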
comment:3 by , 9 years ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
The ngx_http_upstream_copy_allow_ranges() function is a handler called to copy headers within upstream module. It is expected to be only called when r->upstream exists and r->upstream->conf is set. If it's called with r->upstream->conf not set - it means the bug is elsewhere.
The ModSecurity 3rd party module is known to be very unstable. AFAIK, it is not expected to work at all unless you are using nginx_refactoring branch. In either case, this isn't a proper place to report problems with ModSecurity, likely their issue tracker on GitHub is a correct place.