Segmentation fault in http_parser_execute #4

Closed
SaltwaterC opened this Issue Feb 13, 2012 · 2 comments
SaltwaterC commented Feb 13, 2012

I managed to crash the process by using a couple of methods.

First method: sending an incomplete request. Proof of concept script:

#!/usr/bin/env python
import socket

# Open a TCP connection to the test server (webserver listens on 1337).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 1337))
# Send only the request line, without the terminating blank line, so the
# request is left incomplete (bytes literal so this also runs on Python 3).
s.send(b"GET / HTTP/1.0\r\n")
# Close the connection immediately, which delivers EOF to the server.
s.close()

This is what gdb says:

Starting program: /home/saltwater/node.native/webserver 
[Thread debugging using libthread_db enabled]
Server running at http://0.0.0.0:1337/

Program received signal SIGSEGV, Segmentation fault.
0x0000000000434454 in http_parser_execute ()
(gdb) info registers
rax            0x16     22
rbx            0x6507a0 6621088
rcx            0xffffffffffffffff       -1
rdx            0x0      0
rsi            0xfffffffffffffffe       -2
rdi            0x2a     42
rbp            0x0      0x0
rsp            0x7fffffffe5e0   0x7fffffffe5e0
r8             0x0      0
r9             0x438d70 4427120
r10            0xffffffffffffffff       -1
r11            0xffffffffffffffff       -1
r12            0xffffffff       4294967295
r13            0x0      0
r14            0x0      0
r15            0x0      0
rip            0x434454 0x434454 <http_parser_execute+180>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

The second method: hammering the server with lots of requests at high concurrency. Proof of concept:

ab -k -n 1000000 -c 1000 http://127.0.0.1:1337/

The gdb output looks again familiar:

Starting program: /home/saltwater/node.native/webserver 
[Thread debugging using libthread_db enabled]
Server running at http://0.0.0.0:1337/

Program received signal SIGSEGV, Segmentation fault.
0x0000000000434454 in http_parser_execute ()
(gdb) info registers 
rax            0xfffffffd       4294967293
rbx            0x7a1ae0 8002272
rcx            0xffffffffffffffff       -1
rdx            0x0      0
rsi            0xfffffffffffffffe       -2
rdi            0x11     17
rbp            0x0      0x0
rsp            0x7fffffffe5e0   0x7fffffffe5e0
r8             0x0      0
r9             0x438d70 4427120
r10            0xffffffffffffffff       -1
r11            0xffffffffffffffff       -1
r12            0xffffffff       4294967295
r13            0x0      0
r14            0x0      0
r15            0x0      0
rip            0x434454 0x434454 <http_parser_execute+180>
eflags         0x10293  [ CF AF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

Things that look suspicious: the r12 register, which holds the value 2^32-1, and in the second case the rax register, which gets close to that value, so it may look like some sort of overflow.

The system is an Ubuntu 11.10 amd64 (running as chroot under 10.04).

Owner

d5 commented Feb 13, 2012

The callback parameter of stream::read_start() is definitely misleading, and that's why I made a mistake here.
When getting EOF while reading from the stream, the first parameter, buf, is a null pointer. But in client_context::parse() there was no such error check. I will fix this issue.

Thanks.
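The crash described in the report and the root cause given in the reply fit one pattern: a read callback that fires on EOF with a null buffer and a negative byte count, and a parse routine that forwards both to the HTTP parser unchanged. Under the x86-64 SysV convention the third and fourth arguments of a call arrive in rdx and rcx; both register dumps above show rdx = 0 and rcx = -1, which is consistent with a null data pointer and a negative length converted to size_t, although registers inside the function may have been reused by that point. The following C++ is an added illustration, not node.native's or http_parser's code: ToyParser, ReadOutcome, on_read_checked and the replay functions are hypothetical names, and the callback sequence is constructed to mirror the first proof of concept (one partial read, then EOF).

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>
#include <sys/types.h>  // ssize_t

// What a checked read handler decided to do with one callback invocation.
enum class ReadOutcome { Fed, Idle, Closed };

// Stand-in for a streaming HTTP parser (hypothetical; not node.native's or
// http_parser's code): it accumulates bytes and reports when a complete
// request head, terminated by CRLFCRLF, has arrived.
struct ToyParser {
    std::string buffer;
    size_t bytes_fed = 0;
    bool head_complete = false;

    // Analogue of http_parser_execute(): consumes len bytes starting at data.
    // Precondition: data must be readable for len bytes. A null data pointer
    // with a non-zero len is undefined behaviour, which is the crash class
    // reported in this issue.
    size_t execute(const char* data, size_t len) {
        buffer.append(data, len);
        bytes_fed += len;
        if (buffer.find("\r\n\r\n") != std::string::npos) head_complete = true;
        return len;
    }
};

// The length the parser would receive if a negative nread were forwarded
// without a check: an ssize_t of -1 becomes SIZE_MAX after the conversion.
size_t length_if_unchecked(ssize_t nread) {
    return static_cast<size_t>(nread);
}

// Unchecked pattern (shown for contrast, never called here): hands the
// callback arguments straight to the parser. On EOF buf is null and nread is
// negative, so the parser is asked to read SIZE_MAX bytes from address 0.
size_t forward_unchecked(ToyParser& p, const char* buf, ssize_t nread) {
    return p.execute(buf, static_cast<size_t>(nread));
}

// Checked pattern: classify the callback arguments before the parser sees them.
ReadOutcome on_read_checked(ToyParser& p, const char* buf, ssize_t nread) {
    if (nread < 0) {
        // EOF or read error: no payload is delivered and buf may be null.
        // Either way the stream is finished, so stop feeding the parser.
        return ReadOutcome::Closed;
    }
    if (nread == 0 || buf == nullptr) {
        return ReadOutcome::Idle;  // nothing to parse on this callback
    }
    p.execute(buf, static_cast<size_t>(nread));
    return ReadOutcome::Fed;
}

// Result of replaying one client session through the checked handler.
struct SessionResult {
    size_t bytes_fed;
    bool head_complete;
    ReadOutcome last;
};

// Replays the first proof of concept as the server observes it: one read
// delivering "GET / HTTP/1.0\r\n", then the EOF callback with a null buffer,
// because the client closed without finishing the request.
// Constructed sample input; no socket is involved.
SessionResult replay_incomplete_request() {
    ToyParser parser;
    const std::string partial = "GET / HTTP/1.0\r\n";
    std::vector<std::pair<const char*, ssize_t>> callbacks = {
        {partial.data(), static_cast<ssize_t>(partial.size())},
        {nullptr, -1},
    };
    ReadOutcome last = ReadOutcome::Idle;
    for (const auto& cb : callbacks) {
        last = on_read_checked(parser, cb.first, cb.second);
    }
    return {parser.bytes_fed, parser.head_complete, last};
}

// Same replay with a complete request head, to show the checked handler
// still lets the parser make progress on well-formed input.
SessionResult replay_complete_request() {
    ToyParser parser;
    const std::string full = "GET / HTTP/1.0\r\nHost: example\r\n\r\n";
    on_read_checked(parser, full.data(), static_cast<ssize_t>(full.size()));
    ReadOutcome last = on_read_checked(parser, nullptr, -1);
    return {parser.bytes_fed, parser.head_complete, last};
}
```

The check costs one comparison per callback and removes the whole class of failure: the parser is only ever called with a non-null pointer and a length that came from a non-negative count. The second proof of concept (many concurrent keep-alive connections) produces the same EOF callbacks whenever clients drop connections mid-request, which is why both register dumps look alike.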

kennethho pushed a commit to kennethho/node.native that referenced this issue Dec 17, 2012

unix: undo changes to uv_set_process_title()
It's making node.js crash when run as root. Backtrace:

  (gdb) bt
  #0  0x00007fff856e3ff9 in __findenv ()
  #1  0x00007fff856e404c in getenv ()
  #2  0x000000010004c850 in loop_init (loop=0x10045a792, flags=8) at ev.c:1707
  #3  0x000000010004cb3b in ev_backend [inlined] () at /Users/tjfontaine/Development/node/deps/uv/src/unix/ev/ev.c:2090
  #4  0x000000010004cb3b in ev_default_loop (flags=1606417108) at ev.c:2092
  #5  0x000000010004e5c6 in uv__loop_init (loop=0x10066e330, default_loop=1) at loop.c:52
  #6  0x0000000100044367 in uv_default_loop () at core.c:196
  #7  0x0000000100004625 in node::Init (argc=1606417456, argv=0x100b0f490) at node.cc:2761
  #8  0x000000010000797d in node::Start (argc=1606417600, argv=0x0) at node.cc:2888
  #9  0x0000000100000ca4 in start ()

This reverts commits:

  b49d6f7 unix: fix uv_set_process_title()
  a9f6f06 unix: fix format string vulnerability in freebsd.c
  a87abc7 unix: avoid buffer overflow in proctitle.c
  dc97d44 unix: move uv_set_process_title() to proctitle.c
Collaborator

divanvisagie commented Jan 27, 2013

Closing on account of age; if you still have the issue, please comment and I will reopen.
