<p><strong>Lighttpd - Bug #2700: Segfault with version 1.4.38</strong> (https://redmine.lighttpd.net/issues/2700)</p>
<p><strong>stbuehler</strong> wrote on 2015-12-15T20:22:39Z (https://redmine.lighttpd.net/issues/2700?journal_id=8650):</p>
<p>We seem to suffer from some memory corruption, but I couldn't find the origin so far. It seems to be related to POST requests (or other requests with request body).</p>
<p>I had it running in valgrind but didn't get anything so far (but also couldn't trigger the crash myself).</p>
<p><strong>flynn</strong> wrote on 2015-12-16T06:38:49Z (https://redmine.lighttpd.net/issues/2700?journal_id=8651):</p>
<p>OK.</p>
<p>Then we try to trigger the crash running with valgrind.</p>
<p>Is there anything special about running lighttpd with valgrind except <code>./configure --with-valgrind</code>?</p>
<p><strong>stbuehler</strong> wrote on 2015-12-16T06:52:42Z (https://redmine.lighttpd.net/issues/2700?journal_id=8652):</p>
<p><code>--with-valgrind</code> is not really necessary; more important is compiling with debug symbols (<code>-g</code>) and spawning it with valgrind in "foreground" mode, i.e. something like <code>valgrind lighttpd -D -f /etc/lighttpd/lighttpd.conf</code> (i.e. either spawn manually in a screen/tmux terminal or use something that can handle "non-daemonized" services like systemd).</p>
<p>Also I'd like to warn you that valgrind makes lighttpd really, really slow :)</p>
<p><strong>flynn</strong> wrote on 2015-12-18T12:33:43Z (https://redmine.lighttpd.net/issues/2700?journal_id=8654):</p>
<p>We could not reproduce the crash with valgrind, but we got some important log messages regarding the crash in <code>libc_free</code>:</p>
<pre>
==26229== Invalid free() / delete / delete[] / realloc()
==26229== at 0x4C2BDEC: free (vg_replace_malloc.c:473)
==26229== by 0x42310E: chunk_free (chunk.c:91)
==26229== by 0x423230: chunkqueue_free (chunk.c:125)
==26229== by 0xC0A54A6: handler_ctx_free (mod_fastcgi.c:511)
==26229== by 0xC0A83CD: fcgi_connection_close (mod_fastcgi.c:1504)
==26229== by 0xC0AD680: fcgi_handle_fdevent (mod_fastcgi.c:3104)
==26229== by 0x40B894: main (server.c:1515)
==26229== Address 0xeb39250 is 0 bytes inside a block of size 96 free'd
==26229== at 0x4C2BDEC: free (vg_replace_malloc.c:473)
==26229== by 0x42310E: chunk_free (chunk.c:91)
==26229== by 0x423230: chunkqueue_free (chunk.c:125)
==26229== by 0xC0A54A6: handler_ctx_free (mod_fastcgi.c:511)
==26229== by 0xC0A83CD: fcgi_connection_close (mod_fastcgi.c:1504)
==26229== by 0xC0AD680: fcgi_handle_fdevent (mod_fastcgi.c:3104)
==26229== by 0x40B894: main (server.c:1515)
==26229==
</pre>
<p>I think the crash would happen here, but valgrind catches it.</p>
<p>Before this, we see a lot of these messages:</p>
<pre>
==26229== Invalid write of size 8
==26229== at 0x4230B8: chunk_reset (chunk.c:80)
==26229== by 0x4230E2: chunk_free (chunk.c:86)
==26229== by 0x423230: chunkqueue_free (chunk.c:125)
==26229== by 0xC0A54A6: handler_ctx_free (mod_fastcgi.c:511)
==26229== by 0xC0A83CD: fcgi_connection_close (mod_fastcgi.c:1504)
==26229== by 0xC0AD680: fcgi_handle_fdevent (mod_fastcgi.c:3104)
==26229== by 0x40B894: main (server.c:1515)
==26229== Address 0xeb392a8 is 88 bytes inside a block of size 96 free'd
==26229== at 0x4C2BDEC: free (vg_replace_malloc.c:473)
==26229== by 0x42310E: chunk_free (chunk.c:91)
==26229== by 0x423230: chunkqueue_free (chunk.c:125)
==26229== by 0xC0A54A6: handler_ctx_free (mod_fastcgi.c:511)
==26229== by 0xC0A83CD: fcgi_connection_close (mod_fastcgi.c:1504)
==26229== by 0xC0AD680: fcgi_handle_fdevent (mod_fastcgi.c:3104)
==26229== by 0x40B894: main (server.c:1515)
==26229==
==26229== Invalid read of size 8
==26229== at 0x4230E7: chunk_free (chunk.c:88)
==26229== by 0x423230: chunkqueue_free (chunk.c:125)
==26229== by 0xC0A54A6: handler_ctx_free (mod_fastcgi.c:511)
==26229== by 0xC0A83CD: fcgi_connection_close (mod_fastcgi.c:1504)
==26229== by 0xC0AD680: fcgi_handle_fdevent (mod_fastcgi.c:3104)
==26229== by 0x40B894: main (server.c:1515)
==26229== Address 0xeb39258 is 8 bytes inside a block of size 96 free'd
==26229== at 0x4C2BDEC: free (vg_replace_malloc.c:473)
==26229== by 0x42310E: chunk_free (chunk.c:91)
==26229== by 0x423230: chunkqueue_free (chunk.c:125)
==26229== by 0xC0A54A6: handler_ctx_free (mod_fastcgi.c:511)
==26229== by 0xC0A83CD: fcgi_connection_close (mod_fastcgi.c:1504)
==26229== by 0xC0AD680: fcgi_handle_fdevent (mod_fastcgi.c:3104)
==26229== by 0x40B894: main (server.c:1515)
==26229==
</pre>
<p>As far as we can see, the crash happens only if non-ASCII characters (e.g. umlauts) are used in headers or POST requests.<br />So maybe a length calculation problem of URL-encoded buffers ...</p>
<p><strong>stbuehler</strong> wrote on 2015-12-18T14:43:56Z (https://redmine.lighttpd.net/issues/2700?journal_id=8655):</p>
<p>Thanks, that looks like very helpful data!</p>
<p><strong>stbuehler</strong> wrote on 2015-12-18T22:06:57Z (https://redmine.lighttpd.net/issues/2700?journal_id=8657):</p>
<ul><li><strong>File</strong> <a href="/attachments/1675">0001-chunk-fix-use-after-free-double-free-fixes-2700.patch</a> added</li></ul><p>This is probably a regression introduced in r2976 (released in 1.4.36).</p>
<p>The following patch should fix it; I'd be happy to get some feedback on this.</p>
<pre>
--- a/src/chunk.c
+++ b/src/chunk.c
@@ -172,6 +172,7 @@ static void chunkqueue_prepend_chunk(chunkqueue *cq, chunk *c) {
}
static void chunkqueue_append_chunk(chunkqueue *cq, chunk *c) {
+ c->next = NULL;
if (cq->last) {
cq->last->next = c;
}
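Review bot: chunkqueue_prepend_chunk, visible in the hunk header directly above this change, gets no matching reset; if it assigns c->next = cq->first unconditionally it is already safe, otherwise it needs the same treatment, and a one-line comment on the new `c->next = NULL;` stating the precondition (the chunk must not be linked into another queue when it is appended) would make the invariant explicit. It is also worth considering whether the stale pointer should be cleared at the point where a chunk is unlinked or recycled rather than at this one insertion site, so that every insertion path gets the same guarantee. The else branch that sets cq->first when cq->last is NULL lies outside the visible context, so its correctness cannot be checked from this hunk.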
</pre>
<p><strong>stbuehler</strong> wrote on 2015-12-19T08:30:04Z (https://redmine.lighttpd.net/issues/2700?journal_id=8658):</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Fixed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset r3065.</p>
<p><strong>flynn</strong> wrote on 2015-12-19T11:25:32Z (https://redmine.lighttpd.net/issues/2700?journal_id=8659):</p>
<p>Seems to work; in valgrind the messages above do not appear in a small test.</p>
<p>I'll switch my production server back to version 1.4.38 with this patch.</p>
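The failure the valgrind traces above show (chunkqueue_free releasing a chunk that was already freed) and the effect of the one-line reset in stbuehler's patch, as an added C example that is not lighttpd's code: it models chunk/chunkqueue with a fixed pool in place of malloc and a counting chunk_free in place of the real one, so the double free is counted rather than aborting the process. The names append_buggy, append_fixed and run_scenario are my own.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified model of lighttpd's chunk/chunkqueue list (not the
 * project's code): a fixed pool stands in for malloc and chunk_free only counts
 * calls, so a double free becomes observable instead of aborting the process. */
typedef struct chunk { struct chunk *next; char data[16]; } chunk;
typedef struct { chunk *first, *last; } chunkqueue;
static chunk pool[8];       /* constructed: chunks get recycled between queues */
static int free_calls[8];   /* how often chunk_free() has seen pool[i] */
static void chunkqueue_init(chunkqueue *cq) { cq->first = cq->last = NULL; }
/* Append as before the patch: c->next keeps whatever stale value it carried. */
static void append_buggy(chunkqueue *cq, chunk *c) {
    if (cq->last) cq->last->next = c; else cq->first = c;
    cq->last = c;
}
/* Append as patched: the link is reset before the chunk becomes the tail. */
static void append_fixed(chunkqueue *cq, chunk *c) {
    c->next = NULL;
    if (cq->last) cq->last->next = c; else cq->first = c;
    cq->last = c;
}
static void chunk_free(chunk *c) { free_calls[c - pool]++; }
/* Tear down a queue by walking first..last and freeing every node, which is
 * what chunkqueue_free is doing in the valgrind traces above. */
static void chunkqueue_free(chunkqueue *cq) {
    for (chunk *c = cq->first, *n; c; c = n) { n = c->next; chunk_free(c); }
    cq->first = cq->last = NULL;
}
/* Scenario: queue A->B is freed, then A is recycled into a fresh queue.
 * Returns how many times B was freed; 2 means the stale A->next reached it. */
int run_scenario(void (*append)(chunkqueue *, chunk *)) {
    chunkqueue old, fresh;
    memset(pool, 0, sizeof pool);
    memset(free_calls, 0, sizeof free_calls);
    chunkqueue_init(&old);
    append(&old, &pool[0]);
    append(&old, &pool[1]);
    chunkqueue_free(&old);     /* frees A and B once each */
    chunkqueue_init(&fresh);
    append(&fresh, &pool[0]);  /* A returns; its next is still &pool[1] unless reset */
    chunkqueue_free(&fresh);   /* buggy: frees A, then follows A->next and frees B again */
    return free_calls[1];
}
int main(void) {
    printf("buggy: B freed %d times, fixed: B freed %d times\n",
           run_scenario(append_buggy), run_scenario(append_fixed));
    return 0;
}
```

With a real allocator the second release of B is the <code>Invalid free()</code> valgrind reported, and the <code>Invalid write</code>/<code>Invalid read</code> entries before it are the same freed block being touched while the list is walked.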