Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/04/20 13:05:23 UTC

[Bug 66021] New: Segmentation fault in libpcre when processing RedirectMatch rule for a long request path

https://bz.apache.org/bugzilla/show_bug.cgi?id=66021

            Bug ID: 66021
           Summary: Segmentation fault in libpcre when processing
                    RedirectMatch rule for a long request path
           Product: Apache httpd-2
           Version: 2.4.53
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_alias
          Assignee: bugs@httpd.apache.org
          Reporter: szymek.655@gmail.com
  Target Milestone: ---

Created attachment 38254
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38254&action=edit
Crash backtrace

The Apache worker process crashes with a segmentation fault when processing a
request with a path that is longer than 145 characters when the virtual host
has a redirect rule

RedirectMatch 301 "^((?!/[a-z][a-z]_[A-Z][A-Z]).)*/p/[0-9]+$" "/en_EN$0"

For example:
There is no crash for 138 characters:
GET /subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/suffix
There is a crash for 148 characters:
GET /subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/subpath14/suffix


Relevant logs from the crash:
[proxy_balancer:trace1] [pid 422:tid 140369117575992] mod_proxy_balancer.c(85):
[client redacted:62207] canonicalising URL
//redacted/subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/subpath14/suffix
[mpm_event:trace5] [pid 23:tid 140369131846472] event.c(2992): Spawning new
child: slot 2 active / total daemons: 3/3
[core:trace4] [pid 23:tid 140369131846472] mpm_common.c(538): mpm child 504
(gen 3/slot 2) started
[core:notice] [pid 23:tid 140369131846472] AH00052: child pid 422 exit signal
Segmentation fault (11)
[core:trace4] [pid 23:tid 140369131846472] mpm_common.c(538): mpm child 422
(gen 3/slot 0) exited

Backtrace from a similar crash (but not exactly the one from the logs) is
attached to this issue. It looks like, after bouncing between 2 code locations
in libpcre, the process goes to line 1612 and then the crash occurs. My
(uneducated) guess would be that this is an issue in libpcre itself and not a
bug in Apache. However, I decided to create this ticket for visibility purposes
and to provide motivation for migrating to libpcre2 since libpcre is no longer
maintained (discussed in https://www.apachelounge.com/viewtopic.php?p=40962).


Disclaimer - I only investigated this issue, I'm not responsible for writing
this regex myself. I understand that it could be rewritten to be more optimal.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
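
The report above notes that the regex could be rewritten. As an added example (not from the report or from httpd), this Python sketch compares the original pattern with a hypothetical two-step form that drops the repeated `((?!...).)*` group. Python's `re` is a different engine from libpcre, so it checks only which single-line paths would be redirected, not the crash; the token list is constructed.

```python
import itertools
import re

# Pattern copied from the RedirectMatch rule in the report.
ORIGINAL = re.compile(r"^((?!/[a-z][a-z]_[A-Z][A-Z]).)*/p/[0-9]+$")

# Hypothetical rewrite (an assumption, not from the report): two flat patterns
# with no repeated lookahead group.
SUFFIX = re.compile(r"/p/[0-9]+$")
LOCALE = re.compile(r"/[a-z][a-z]_[A-Z][A-Z]")


def original_matches(path):
    return ORIGINAL.search(path) is not None


def rewritten_matches(path):
    """Decide the same question for a single-line path in two linear scans."""
    suffix = SUFFIX.search(path)
    if suffix is None:
        return False
    # No locale segment may start before the trailing /p/<digits> part.
    return LOCALE.search(path, 0, suffix.start()) is None


def report_path(segments):
    """Rebuild the /subpath01/.../suffix shape of the report's test paths."""
    return "".join(f"/subpath{i:02d}" for i in range(1, segments + 1)) + "/suffix"


def mismatches(max_tokens=4):
    """Exhaustively compare both forms on paths built from constructed tokens."""
    tokens = ["/p/", "/en_EN", "/ab", "12", "x", "_", "/"]
    paths = [report_path(13), report_path(14)]
    for n in range(max_tokens + 1):
        paths.extend("".join(t) for t in itertools.product(tokens, repeat=n))
    return [p for p in paths if original_matches(p) != rewritten_matches(p)]


if __name__ == "__main__":
    for sample in ["/shop/p/123", "/en_EN/shop/p/123", report_path(14)]:
        print(sample, original_matches(sample), rewritten_matches(sample))
    print("mismatches:", mismatches())
```
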


[Bug 66021] Segmentation fault in libpcre when processing RedirectMatch rule for a long request path

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021

--- Comment #2 from Krystian Nowak <Kr...@gmail.com> ---
(In reply to Szymon Żogała from comment #0)
> Created attachment 38254 [details]
> Crash backtrace
> 
> Apache worker process crashes with a segmentation fault when processing a
> request with path that is longer than 145 characters when virtual host has a
> redirect rule

This one also seems to crash only when (one of) MPM threaded mode(s) is in use,
right? Looking at the trace it's in event MPM threaded mode and also uses
PCRE(1) and not PCRE2 yet - already present in 2.4.53 but by default I only saw
it to be in future Ubuntu packages.

And possibly it is not failing in MPM prefork mode?

Additionally, possibly checking this pattern with pcretest (even matching exact
libpcre version used with your httpd) against the paths you were testing with
might not show problems - if so, it might mean a threading-related change
between 2.4.52 and 2.4.53 could be causing it really (even though segfault is
thrown from within libpcre)?



[Bug 66021] Segmentation fault in libpcre when processing RedirectMatch rule for a long request path

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021

Yann Ylavic <yl...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED

--- Comment #3 from Yann Ylavic <yl...@gmail.com> ---


*** This bug has been marked as a duplicate of bug 66119 ***



[Bug 66021] Segmentation fault in libpcre when processing RedirectMatch rule for a long request path

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021

Szymon Żogała <sz...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |szymek.655@gmail.com



[Bug 66021] Segmentation fault in libpcre when processing RedirectMatch rule for a long request path

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021

Krystian Nowak <Kr...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Krystian.Nowak@gmail.com



[Bug 66021] Segmentation fault in libpcre when processing RedirectMatch rule for a long request path

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021

--- Comment #1 from Krystian Nowak <Kr...@gmail.com> ---
This one might be possibly connected with
https://bz.apache.org/bugzilla/show_bug.cgi?id=66119 - also since 2.4.53 and
PCRE regex connected segfault when URI exceeds certain length
