Bug #2809
closedMemory corruption in yy_reduce (configparser.y), SIGSEGV
Description
Hello,
opening the attached sample config input file with lighttpd results in a
crash (SIGSEGV). The input file is fuzzed with american fuzzy
lop http://lcamtuf.coredump.cx/afl/.
version:
commit b23065e54778dd187c77f1dd37041fb039f21dde
how to reproduce:
$ ./src/lighttpd -t -f <attached config file>
gdb:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00000000004208ce in yy_reduce (yyruleno=<optimized out>, yypParser=<optimized out>)
at ./configparser.y:786
786 B->free(B);
(gdb) bt
#0 0x00000000004208ce in yy_reduce (yyruleno=<optimized out>, yypParser=<optimized out>)
at ./configparser.y:786
#1 configparser (yyp=0x161e580, yymajor=<optimized out>, yyminor=<optimized out>, ctx=<optimized out>)
at configparser.c:1795
#2 0x000000000041a34f in config_parse (srv=<optimized out>, context=<optimized out>, t=<optimized out>)
at configfile.c:1119
#3 0x0000000000419cdf in config_parse_file_stream (srv=0x161d010, context=0x7ffe9a9ac990,
filename=0x161e4d0) at configfile.c:1175
#4 0x000000000041bf97 in config_read (srv=<optimized out>, fn=<optimized out>) at configfile.c:1360
#5 0x000000000040c137 in server_main (argc=<optimized out>, argv=<optimized out>, srv=<optimized out>)
at server.c:883
#6 main (argc=4, argv=0x7ffe9a9ad4b8) at server.c:1851
valgrind:
3608 Memcheck, a memory error detector3608 Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
3608 Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
3608 Command: ./src/lighttpd -t -f findings/crashes/id:000000,sig:11,src:000000,op:ext_AO,pos:1682
3608
Undefined config variable: var.document
3608 Invalid read of size 8
3608 at 0x4208CE: yy_reduce (configparser.y:786)
3608 by 0x4208CE: configparser (configparser.c:1795)
3608 by 0x41A34E: config_parse (configfile.c:1119)
3608 by 0x419CDE: config_parse_file_stream (configfile.c:1175)
3608 by 0x41BF96: config_read (configfile.c:1360)
3608 by 0x40C136: server_main (server.c:883)
3608 by 0x40C136: main (server.c:1851)
3608 Address 0x20 is not stack'd, malloc'd or (recently) free'd
3608
3608
3608 Process terminating with default action of signal 11 (SIGSEGV): dumping core
3608 Access not within mapped region at address 0x20
3608 at 0x4208CE: yy_reduce (configparser.y:786)
3608 by 0x4208CE: configparser (configparser.c:1795)
3608 by 0x41A34E: config_parse (configfile.c:1119)
3608 by 0x419CDE: config_parse_file_stream (configfile.c:1175)
3608 by 0x41BF96: config_read (configfile.c:1360)
3608 by 0x40C136: server_main (server.c:883)
3608 by 0x40C136: main (server.c:1851)
3608 If you believe this happened as a result of a stack
3608 overflow in your program's main thread (unlikely but
3608 possible), you can try to increase the size of the
3608 main thread stack using the --main-stacksize= flag.
3608 The main thread stack size used in this run was 8388608.
3608
3608 HEAP SUMMARY:
3608 in use at exit: 9,736 bytes in 137 blocks
3608 total heap usage: 201 allocs, 64 frees, 12,544 bytes allocated
3608
3608 LEAK SUMMARY:
3608 definitely lost: 0 bytes in 0 blocks
3608 indirectly lost: 0 bytes in 0 blocks
3608 possibly lost: 0 bytes in 0 blocks
3608 still reachable: 9,736 bytes in 137 blocks
3608 suppressed: 0 bytes in 0 blocks
3608 Rerun with --leak-check=full to see details of leaked memory
3608
3608 For counts of detected and suppressed errors, rerun with: -v
3608 ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 3608 segmentation fault valgrind ./src/lighttpd -t -f
Cheers,
Stephan Zeisberg
Files
Updated by gstrauss almost 7 years ago
- Status changed from New to Patch Pending
- Target version changed from 1.4.x to 1.4.46
Thanks, stze.
stbuehler proposed a patch. I am testing it, too.
Updated by stbuehler almost 7 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 97526207920ed5d18bcabb8af66a058790ee06a8.
Also available in: Atom