Segfault caused by passing certain characters to ngx.re.match #59

Closed
simpl opened this Issue · 3 comments

2 participants

@simpl

Hi,

When you pass certain characters to ngx.re.match, it can cause an infinite loop inside pcre, and thereby causes the server to segfault.

Here is a smallish example that does so on my system. Note: there are some non-ASCII characters in the code that crashes, which are almost certainly part of the cause. These may or may not display properly on GitHub. If you copy the code and it doesn't cause a crash, let me know, and I'll send you the code directly.

location /crash {
    content_by_lua '
        -- Subject as pasted in the report. The replacement characters below are
        -- the non-ASCII bytes mentioned above, as GitHub rendered them; the
        -- original bytes are not on this page.
        local str = [[
echo "#!/bin/sh" > /tmp/simpl.$$; echo "cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf simpl.tar.gz; echo -n hello" >> /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo -n SIMPL_; echo BEGIN; /tmp/simpl.$$; echo -n SIMPL_; echo END; echo $?; exit
root@proxy4:~# echo "#!/bin/sh" > /tmp/simpl.$$; echo "cd /simpl/conf/run; rm
/tmp/simpl.$$; echo "cd /simpl/conf/run; rm �������������������������-Rf simpl-bak; mv -fT voc

< "cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT vocr �������������������������e simpl-bak; tar -xzf voc

<Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf vocr �������������������������e.tar.gz; echo -n hello"

< simpl-bak; tar -xzf simpl.tar.gz; echo -n hello" > �������������������������> /tmp/simpl.$$; chmod +x

<.tar.gz; echo -n hello" >> /tmp/simpl.$$; chmod +x �������������������������/tmp/simpl.$$; echo; echo

< /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo �������������������������-n SIMPL_; echo BEGIN; /t

<tmp/simpl.$$; echo; echo -n SIMPL_; echo BEGIN; /tm �������������������������p/simpl.$$; echo -n SIMPL

<n SIMPL_; echo BEGIN; /tmp/simpl.$$; echo -n SIMPL_ �������������������������; echo END; echo $?; exit

SIMPL_BEGIN
helloSIMPL_END
0
logout
Connection to 96.126.107.244 closed.
]]

        -- The page rendering dropped the "*" quantifiers from this pattern
        -- (markdown emphasis); the debug log below still shows the trailing one,
        -- and gdb reports a 62-byte pattern where the quantifier-less text is 58.
        -- The three "*" after the (?|.|\n) groups are reconstructed here; any
        -- further lost character is unknown.
        local regex = "(?|.|\\n)*SIMPL_BEGIN((?|.|\\n)*)\\n([0-9]+)\\sSIMPL_END(?|.|\\n)*"

        ngx.re.match(str, regex, "m")
    ';
}

Here are the related entries in the debug log:

2011/09/13 19:10:39 [debug] 29042#0: *1 access phase: 8
2011/09/13 19:10:39 [debug] 29042#0: *1 post access phase: 9
2011/09/13 19:10:39 [debug] 29042#0: *1 lua reset ctx
2011/09/13 19:10:39 [debug] 29042#0: *1 lua creating new thread
2011/09/13 19:10:39 [debug] 29042#0: *1 http cleanup add: 0823F04C
2011/09/13 19:10:39 [debug] 29042#0: *1 lua run thread
2011/09/13 19:10:39 [debug] 29042#0: *1 lua compiling match regex "(?|.|\n)SIMPL_BEGIN((?|.|\n))\n([0-9]+)\sSIMPL_END(?|.|\n)*" with options "m" (compile once: 0)
2011/09/13 19:10:39 [notice] 29040#0: signal 17 (SIGCHLD) received
2011/09/13 19:10:39 [alert] 29040#0: worker process 29042 exited on signal 11 (core dumped)
2011/09/13 19:10:39 [debug] 29040#0: wake up, sigio 0

And the gdb backtrace from the dumped core:

Program terminated with signal 11, Segmentation fault.
#0 0xb744672d in ?? () from /lib/libpcre.so.3
(gdb) bt full
#0 0xb744672d in ?? () from /lib/libpcre.so.3
No symbol table info available.
#1 0xb7441b04 in ?? () from /lib/libpcre.so.3
No symbol table info available.
#2 0xb7446767 in ?? () from /lib/libpcre.so.3
...
#2595 0xb744db45 in pcre_exec () from /lib/libpcre.so.3
No symbol table info available.
#2596 0x081196d9 in ngx_http_lua_ngx_re_match (L=0xb72741e0) at /simpl/dev/lua-nginx-module/src/ngx_http_lua_regex.c:235
r = 0x824c6a8
subj = {len = 1454,
data = 0xb7276018 "echo \"#!/bin/sh\" > /tmp/simpl.$$; echo \"cd /simpl/conf/run; rm -Rf simpl-bak; mv -fT simpl simpl-bak; tar -xzf simpl.tar.gz; echo -n hello\" >> /tmp/simpl.$$; chmod +x /tmp/simpl.$$; echo; echo -n SIMP"...}
pat = {len = 62, data = 0xb72742a8 "(?|.|\n)SIMPL_BEGIN((?|.|\n))\n([0-9]+)\sSIMPL_END(?|.|\n)"}
opts = {len = 1, data = 0xb72743c8 "m"}
re_comp = {pattern = {len = 62, data = 0xb72742a8 "(?|.|\n)SIMPL_BEGIN((?|.|\n))\n([0-9]+)\sSIMPL_END(?|.|\n)"}, pool = 0x823e630, options = 2, regex = 0x823f058, captures = 2, named_captures = 0, name_size = 0, names = 0x0, err = {len = 1024, data = 0xbfd4c847 ""}}
re = 0xb72741e0
msg = 0xb726d318 "\300\301&\267"
rc = 0
n = 12
i = 0
pos = 0
nargs = 3
cap = 0x823f10c
ovecsize = 9
comp_once = 0
pool = 0x823e630
lmcf = 0x0
errstr = '\000' , "\020\003'\267\360\301&\267a\316e\267\000\000\000\000\230\366&\267\000\000\000\000\005\323e\267\f\000\000\000\377\377\377\377\377\377\377\377h\300&\267\310@'\267\204", '\000' "\360, \301&\267\000\000\000\000\320\312j\267\300\301&\267\360\301&\267\\000\000\000\363\314e\267\b\300&\267\000\000\000\000\000\000\000\000\\000\000\000\\000\000\000l\311Կ\270\314Կީf\267+A'\267\000X'\267\001\000\000\000\344\315e\267\270\314ԿX@'\267`}j\267&\212f\267\000\000\000\000\003\000\000\000\270\314Կl\311Կ\320@'\267\000\000\000\000\000\000\000\000\300\301&\267!\000\000\000X\000\000\000\000\000\000\000[\000\000\000X\000\000\000X\000\000\000;\201f\267\320\312j\267\270\314Կ\300\301&\267l\311Կ\320\312j\267\270\314Կ\300\301&\267l\311Կ'\331f\267\270\314Կ\302Z\026\b\016\000\000\000p\311Կ\263\017\065\267\003\000\000\000\n\000\000\000\250@'\267\270\314Կ\300\301&\267\000\000\000\000\000\000\000\000\004\000\000\000\000\000\000\000\377"...
#2597 0xb765ac47 in ?? () from /usr/local/simpl/luajit/default/lib/libluajit-5.1.so.2
No symbol table info available.
#2598 0xb7665426 in lua_resume () from /usr/local/simpl/luajit/default/lib/libluajit-5.1.so.2
No symbol table info available.
#2599 0x00000000 in ?? ()

I think this is a relatively serious issue should you end up parsing code that you do not fully control. The same code also caused segfaults with rex_lua(pcre), and it would seem to me that the issue is probably PCRE-related. I'm not sure if there's any way to mitigate the issue without patching PCRE. I'll try to look into this issue myself at some point.

Cheers,

Marcus.
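Editor's note on the report above. Two things in the pasted data deserve a practitioner's attention before the non-ASCII bytes. First, the pattern shape: `(?|.|\n)*` is a repeated group containing an alternation, and PCRE's classic (non-JIT) matcher handles each iteration of such a group with a recursive call to its internal match() routine, so the recursion depth grows with the number of characters the group consumes; the backtrace shows about 2,600 nested libpcre frames (#0 through #2595) before the fault, which is exactly the profile of that recursion exhausting the stack on a 1454-byte subject. Second, the subject never contains a `\n<digits>\sSIMPL_END` sequence (the captured output is `SIMPL_BEGIN`, `helloSIMPL_END`, then `0`), so the match cannot succeed and every start offset is tried and backtracked in full. Note also that the `m` option only changes `^` and `$`; it is `s` that makes `.` match a newline, which is what the `(?|.|\n)` alternation was standing in for.

The configuration below is an added example, not code from the issue or from ngx_lua itself. It shows the same extraction written so that PCRE has no repeated group to recurse on, together with the knobs a current ngx_lua exposes so that runaway matching becomes an error return rather than a crashed worker. It assumes an ngx_lua new enough to provide `content_by_lua_block`, the `lua_regex_match_limit` directive, the `j` (PCRE JIT) option and the `nil, err` return of `ngx.re.match`; the listen port, location name, limit value and the sample subject are all constructed for the example.

```nginx
http {
    # Upper bound on PCRE's internal match() calls for each ngx.re.* call
    # (PCRE's match_limit). When it is hit, pcre_exec() fails and
    # ngx.re.match returns nil plus an error string instead of letting the
    # worker keep backtracking. 100000 is an assumed value; tune it.
    lua_regex_match_limit 100000;

    server {
        listen 8080;

        location /extract {
            content_by_lua_block {
                -- Constructed sample subject in the shape the reported regex
                -- expected: marker, payload, newline, exit code, whitespace, marker.
                local str = "garbage before\nSIMPL_BEGIN\nhello world\n0 SIMPL_END\nlogout\n"

                -- Hardened pattern:
                --  * no leading or trailing (?|.|\n)*: ngx.re.match is unanchored,
                --    so "match anywhere" costs nothing extra;
                --  * the "s" option makes "." match newlines, so the alternation
                --    with \n is unnecessary;
                --  * ".*?" is a single-character repeat, which PCRE runs as a loop
                --    rather than as one recursive match() frame per character,
                --    and the lazy form stops at the first closing marker;
                --  * "j" uses PCRE JIT where available (bounded JIT stack, no
                --    C-stack recursion) and "o" compiles the pattern once.
                local regex = [[SIMPL_BEGIN\n?(.*?)\n([0-9]+)\sSIMPL_END]]

                local m, err = ngx.re.match(str, regex, "jos")
                if err then
                    -- Reached for pcre_exec() failures, including the match limit.
                    ngx.log(ngx.ERR, "regex failed: ", err)
                    return ngx.exit(500)
                end
                if not m then
                    ngx.status = 404
                    ngx.say("no SIMPL block found")
                    return
                end

                -- For the sample subject: m[1] == "hello world", m[2] == "0".
                ngx.say("payload=", m[1], " exit=", m[2])
            }
        }
    }
}
```

Two caveats on what this does and does not fix. The match limit bounds the number of match() calls, not the recursion depth; ngx_lua exposes PCRE's match_limit but, to my knowledge, not its separate match_limit_recursion, so a libpcre that keeps match() frames on the C stack is only protected here by the pattern rewrite (no repeated group, hence no per-character recursion) and by the JIT path, which uses its own bounded stack and returns an error when that is exhausted. For an untrusted subject matched against a pattern you do not control, the remaining option on the PCRE side is a build with --disable-stack-for-recursion, which moves those frames to the heap.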

@agentzh
Owner

Please send the raw bytes to me and I'd like to have a look :)

@agentzh
Owner

@simpl Are you still able to reproduce this with the latest versions of ngx_lua and PCRE? If yes, please provide me a minimized but still complete example if possible. Thank you!

@agentzh
Owner

Consider it resolved. Feel free to reopen this when you can reproduce this with a standalone example.

@agentzh agentzh closed this