
Segfault caused by passing certain characters to ngx.re.match #59

Closed
simpl opened this Issue Sep 13, 2011 · 3 comments


simpl commented Sep 13, 2011

Hi,

When you pass certain characters to ngx.re.match, it can cause an infinite loop inside pcre, and thereby causes the server to segfault.

Here is a smallish example that does so on my system. Note: there are some non-ASCII characters in the code that crashes, which are almost certainly part of the cause. These may or may not display properly on GitHub. If you copy the code and it doesn't cause a crash, let me know and I'll send you the code directly.

```nginx
location /crash {
    content_by_lua '
        local str = [[
echo "#!/bin/sh" > /tmp/simpl.$$; echo "cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf simpl.tar.gz; echo -n hello" >> /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo -n SIMPL_; echo BEGIN; /tmp/simpl.$$; echo -n SIMPL_; echo END; echo $?; exit
root@proxy4:~# echo "#!/bin/sh" > /tmp/simpl.$$; echo "cd /simpl/conf/run; rm
</sh" > /tmp/simpl.$$; echo "cd /simpl/conf/run; rm �������������������������-Rf simpl-bak; mv -fT voc

< "cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT vocr �������������������������e simpl-bak; tar -xzf voc

<Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf vocr �������������������������e.tar.gz; echo -n hello"

< simpl-bak; tar -xzf simpl.tar.gz; echo -n hello" > �������������������������> /tmp/simpl.$$; chmod +x

<.tar.gz; echo -n hello" >> /tmp/simpl.$$; chmod +x �������������������������/tmp/simpl.$$; echo; echo

< /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo �������������������������-n SIMPL_; echo BEGIN; /t

<tmp/simpl.$$; echo; echo -n SIMPL_; echo BEGIN; /tm �������������������������p/simpl.$$; echo -n SIMPL

<n SIMPL_; echo BEGIN; /tmp/simpl.$$; echo -n SIMPL_ �������������������������; echo END; echo $?; exit

SIMPL_BEGIN
helloSIMPL_END
0
logout
Connection to 96.126.107.244 closed.
]]

        -- the quantifiers below were eaten by the issue renderer; restored from
        -- the "pat" value in the gdb backtrace further down (len = 62)
        local regex = "(?|.|\n)*SIMPL_BEGIN((?|.|\n)*)\n([0-9]+)\s*SIMPL_END(?|.|\n)*"

        ngx.re.match(str, regex, "m")
    ';
}
```

Here are the related entries in the debug log:

```
2011/09/13 19:10:39 [debug] 29042#0: *1 access phase: 8
2011/09/13 19:10:39 [debug] 29042#0: *1 post access phase: 9
2011/09/13 19:10:39 [debug] 29042#0: *1 lua reset ctx
2011/09/13 19:10:39 [debug] 29042#0: *1 lua creating new thread
2011/09/13 19:10:39 [debug] 29042#0: *1 http cleanup add: 0823F04C
2011/09/13 19:10:39 [debug] 29042#0: *1 lua run thread
2011/09/13 19:10:39 [debug] 29042#0: *1 lua compiling match regex "(?|.|\n)*SIMPL_BEGIN((?|.|\n)*)\n([0-9]+)\s*SIMPL_END(?|.|\n)*" with options "m" (compile once: 0)
2011/09/13 19:10:39 [notice] 29040#0: signal 17 (SIGCHLD) received
2011/09/13 19:10:39 [alert] 29040#0: worker process 29042 exited on signal 11 (core dumped)
2011/09/13 19:10:39 [debug] 29040#0: wake up, sigio 0
```

And the gdb backtrace from the dumped core:

```
Program terminated with signal 11, Segmentation fault.
#0 0xb744672d in ?? () from /lib/libpcre.so.3

(gdb) bt full
#0 0xb744672d in ?? () from /lib/libpcre.so.3
No symbol table info available.
#1 0xb7441b04 in ?? () from /lib/libpcre.so.3
No symbol table info available.
#2 0xb7446767 in ?? () from /lib/libpcre.so.3
...
#2595 0xb744db45 in pcre_exec () from /lib/libpcre.so.3
No symbol table info available.
#2596 0x081196d9 in ngx_http_lua_ngx_re_match (L=0xb72741e0) at /simpl/dev/lua-nginx-module/src/ngx_http_lua_regex.c:235
        r = 0x824c6a8
        subj = {len = 1454, data = 0xb7276018 "echo \"#!/bin/sh\" > /tmp/simpl.$$; echo \"cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf simpl.tar.gz; echo -n hello\" >> /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo -n SIMP"...}
        pat = {len = 62, data = 0xb72742a8 "(?|.|\\n)*SIMPL_BEGIN((?|.|\\n)*)\\n([0-9]+)\\s*SIMPL_END(?|.|\\n)*"}
        opts = {len = 1, data = 0xb72743c8 "m"}
        re_comp = {pattern = {len = 62, data = 0xb72742a8 "(?|.|\\n)*SIMPL_BEGIN((?|.|\\n)*)\\n([0-9]+)\\s*SIMPL_END(?|.|\\n)*"}, pool = 0x823e630, options = 2, regex = 0x823f058, captures = 2, named_captures = 0, name_size = 0, names = 0x0, err = {len = 1024, data = 0xbfd4c847 ""}}
        re = 0xb72741e0
        msg = 0xb726d318 "\300\301&\267"
        rc = 0
        n = 12
        i = 0
        pos = 0
        nargs = 3
        cap = 0x823f10c
        ovecsize = 9
        comp_once = 0
        pool = 0x823e630
        lmcf = 0x0
        errstr = '\000' <repeats 13 times>, "\020\003'\267\360\301&\267a\316e\267\000\000\000\000\230\366&\267\000\000\000\000\005\323e\267\f\000\000\000\377\377\377\377\377\377\377\377h\300&\267\310@'\267\204", '\000' <repeats 15 times>"\360, \301&\267\000\000\000\000\320\312j\267\300\301&\267\360\301&\267\000\000\000\363\314e\267\b\300&\267\000\000\000\000\000\000\000\000\000\000\000\000\000\000l\311Կ\270\314Կީf\267+A'\267\000X'\267\001\000\000\000\344\315e\267\270\314ԿX@'\267`}j\267&\212f\267\000\000\000\000\003\000\000\000\270\314Կl\311Կ\320@'\267\000\000\000\000\000\000\000\000\300\301&\267!\000\000\000X\000\000\000\000\000\000\000[\000\000\000X\000\000\000X\000\000\000;\201f\267\320\312j\267\270\314Կ\300\301&\267l\311Կ\320\312j\267\270\314Կ\300\301&\267l\311Կ'\331f\267\270\314Կ\302Z\026\b\016\000\000\000p\311Կ\263\017\065\267\003\000\000\000\n\000\000\000\250@'\267\270\314Կ\300\301&\267\000\000\000\000\000\000\000\000\004\000\000\000\000\000\000\000\377"...
#2597 0xb765ac47 in ?? () from /usr/local/simpl/luajit/default/lib/libluajit-5.1.so.2
No symbol table info available.
#2598 0xb7665426 in lua_resume () from /usr/local/simpl/luajit/default/lib/libluajit-5.1.so.2
No symbol table info available.
#2599 0x00000000 in ?? ()
```

I think this is a relatively serious issue should you end up parsing code that you do not fully control. The same code also caused segfaults with rex_lua(pcre), and it would seem to me that the issue is probably PCRE-related. I'm not sure if there's any way to mitigate the issue without patching PCRE. I'll try to look into this issue myself at some point.

Cheers,

Marcus.
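A hardened counterpart of the reported location, added here as an example; it is not code from the report or from ngx_lua, and it assumes an OpenResty/ngx_lua build with PCRE JIT support (nginx's `pcre_jit` directive and ngx_lua's `lua_regex_match_limit` directive). The backtrace above shows pcre_exec() some 2595 frames deep: PCRE's interpreter recurses once per iteration of a repeated group such as `(?|.|\n)*`, so the recursion depth grows with the subject length, whereas a DOTALL `.*` is matched without that per-character recursion, and a match limit turns runaway backtracking into an error return instead of a dead worker.

```nginx
# Added example (not code from the report or from ngx_lua): a hardened
# counterpart of the /crash location. Assumes OpenResty / ngx_lua with PCRE JIT.

pcre_jit on;   # main context: the JIT matcher runs on its own stack, not the worker's C stack

http {
    # Cap PCRE backtracking; when the limit is hit, ngx.re.match returns an
    # error string instead of the worker segfaulting.
    lua_regex_match_limit 100000;

    server {
        location /match {
            content_by_lua_block {
                -- constructed stand-in for the captured session text
                local str = "SIMPL_BEGIN\nhello\n0\nSIMPL_END\n"

                -- No repeated group: a DOTALL dot repeat is matched iteratively by
                -- the PCRE interpreter, so match() depth no longer grows with the
                -- subject length. Long-string syntax keeps the backslashes literal.
                local regex = [[SIMPL_BEGIN(.*)\n([0-9]+)\s*SIMPL_END]]

                -- s = DOTALL, j = PCRE JIT, o = compile once and cache
                local m, err = ngx.re.match(str, regex, "sjo")
                if err then
                    -- match limit exceeded or another PCRE error: fail closed
                    ngx.log(ngx.ERR, "regex failed: ", err)
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end
                if not m then
                    return ngx.exit(ngx.HTTP_NOT_FOUND)
                end
                -- for the sample subject: m[1] is "\nhello", m[2] is "0"
                ngx.say("output=", m[1], " status=", m[2])
            }
        }
    }
}
```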

Owner

agentzh commented Sep 14, 2011

Please send the raw bytes to me and I'd like to have a look :)

Owner

agentzh commented Sep 8, 2013

@simpl Are you still able to reproduce this with the latest versions of ngx_lua and PCRE? If yes, please provide me a minimized but still complete example if possible. Thank you!

Owner

agentzh commented Jun 20, 2014

Consider it resolved. Feel free to reopen this when you can reproduce this with a standalone example.

@agentzh agentzh closed this Jun 20, 2014
