Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/04/20 13:05:23 UTC
[Bug 66021] New: Segmentation fault in libcpre when processing RedirectMatch rule for a long request path
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021
Bug ID: 66021
Summary: Segmentation fault in libcpre when processing
RedirectMatch rule for a long request path
Product: Apache httpd-2
Version: 2.4.53
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_alias
Assignee: bugs@httpd.apache.org
Reporter: szymek.655@gmail.com
Target Milestone: ---
Created attachment 38254
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38254&action=edit
Crash backtrace
Apache worker process crashes with a segmentation fault when processing a
request with a path that is longer than 145 characters when the virtual host
has a redirect rule:
RedirectMatch 301 "^((?!/[a-z][a-z]_[A-Z][A-Z]).)*/p/[0-9]+$" "/en_EN$0"
For example:
There is no crash for 138 characters: GET
/subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/suffix
There is a crash for 148 characters: GET
/subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/subpath14/suffix
Relevant logs from the crash:
[proxy_balancer:trace1] [pid 422:tid 140369117575992] mod_proxy_balancer.c(85):
[client redacted:62207] canonicalising URL
//redacted/subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/subpath14/suffix
[mpm_event:trace5] [pid 23:tid 140369131846472] event.c(2992): Spawning new
child: slot 2 active / total daemons: 3/3
[core:trace4] [pid 23:tid 140369131846472] mpm_common.c(538): mpm child 504
(gen 3/slot 2) started
[core:notice] [pid 23:tid 140369131846472] AH00052: child pid 422 exit signal
Segmentation fault (11)
[core:trace4] [pid 23:tid 140369131846472] mpm_common.c(538): mpm child 422
(gen 3/slot 0) exited
Backtrace from a similar crash (but not exactly the one from the logs) is
attached to this issue. It looks like, after bouncing between 2 code locations
in libpcre, the process goes to line 1612 and then the crash occurs. My
(uneducated) guess would be that this is an issue in libpcre itself and not a
bug in Apache. However, I decided to create this ticket for visibility purposes
and to provide motivation for migrating to libpcre2 since libpcre is no longer
maintained (discussed in https://www.apachelounge.com/viewtopic.php?p=40962).
Disclaimer - I only investigated this issue, I'm not responsible for writing
this regex myself. I understand that it could be rewritten to be more optimal.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
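Added example (not part of the original report or of httpd): before swapping a production RedirectMatch pattern such as the one in this report for a simpler one, check that both redirect exactly the same paths. The rewritten pattern and the sample paths are assumptions constructed here, Python's `re` stands in for libpcre, and nothing below shows that the rewrite avoids the crash.

```python
import re

# Pattern from the report's RedirectMatch rule (lookahead repeated per character).
ORIGINAL = re.compile(r"^((?!/[a-z][a-z]_[A-Z][A-Z]).)*/p/[0-9]+$")
# Hypothetical rewrite (assumption, not from the thread): a single lookahead at
# the start rejects any path containing a locale segment, then a plain ".*".
REWRITTEN = re.compile(r"^(?!.*/[a-z][a-z]_[A-Z][A-Z]).*/p/[0-9]+$")

def redirect_target(pattern, path):
    """Return the Location that "/en_EN$0" would produce, or None if no match."""
    m = pattern.match(path)
    return "/en_EN" + m.group(0) if m else None

def long_path(segments, tail):
    """Build /subpath01/subpath02/... in the shape of the paths in the report."""
    return "".join(f"/subpath{i:02d}" for i in range(1, segments + 1)) + tail

# Constructed sample paths; the first two follow the shapes quoted in the report.
SAMPLES = [
    long_path(13, "/suffix"),
    long_path(14, "/suffix"),
    long_path(14, "/p/42"),
    "/p/42",
    "/shop/p/7",
    "/en_EN/p/42",
    "/shop/de_DE/p/42",
    "/shop/p/42/de_DE",
    "/shop/p/",
    "/shop/p/42x",
    "/p/1/p/2",
    "/en_e/p/3",
]

def compare(paths=SAMPLES):
    """Map each path to (result with ORIGINAL, result with REWRITTEN)."""
    return {p: (redirect_target(ORIGINAL, p), redirect_target(REWRITTEN, p))
            for p in paths}

def disagreements(paths=SAMPLES):
    """Paths on which the two patterns would redirect differently."""
    return [p for p, (old, new) in compare(paths).items() if old != new]

if __name__ == "__main__":
    for path, (old, new) in compare().items():
        print(f"{path}\n  original:  {old}\n  rewritten: {new}")
    print("disagreements:", disagreements())
```

Neither of the two long paths quoted in the report matches the rule at all, so the regex is evaluated on every request to the virtual host, not only on those that end up redirected.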
[Bug 66021] Segmentation fault in libcpre when processing RedirectMatch rule for a long request path
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021
--- Comment #2 from Krystian Nowak <Kr...@gmail.com> ---
(In reply to Szymon Żogała from comment #0)
> Created attachment 38254 [details]
> Crash backtrace
>
> Apache worker process crashes with a segmentation fault when processing a
> request with path that is longer than 145 characters when virtual host has a
> redirect rule
This one also seems to crash only when (one of) MPM threaded mode(s) is in use,
right? Looking at the trace it's in event MPM threaded mode and also uses
PCRE(1) and not PCRE2 yet - already present in 2.4.53 but by default I only saw
it to be in future Ubuntu packages.
And possibly it is not failing in MPM prefork mode?
Additionally, possibly checking this pattern with pcretest (even matching exact
libpcre version used with your httpd) against the paths you were testing with
might not show problems - if so, it might mean a threading-related change
between 2.4.52 and 2.4.53 could be causing it really (even though segfault is
thrown from within libpcre)?
[Bug 66021] Segmentation fault in libcpre when processing RedirectMatch rule for a long request path
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021
Yann Ylavic <yl...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |DUPLICATE
Status|NEW |RESOLVED
--- Comment #3 from Yann Ylavic <yl...@gmail.com> ---
*** This bug has been marked as a duplicate of bug 66119 ***
[Bug 66021] Segmentation fault in libcpre when processing RedirectMatch rule for a long request path
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021
Szymon Żogała <sz...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |szymek.655@gmail.com
[Bug 66021] Segmentation fault in libcpre when processing RedirectMatch rule for a long request path
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021
Krystian Nowak <Kr...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Krystian.Nowak@gmail.com
[Bug 66021] Segmentation fault in libcpre when processing RedirectMatch rule for a long request path
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021
--- Comment #1 from Krystian Nowak <Kr...@gmail.com> ---
This one might be possibly connected with
https://bz.apache.org/bugzilla/show_bug.cgi?id=66119 - also since 2.4.53 and
PCRE regex connected segfault when URI exceeds certain length