<p><strong>Lighttpd - Bug #1116: lighttpd 1.4.13 reproducible (every time) segfault when file cannot be stat-ed (with simple test-case)</strong></p>
<p>Source: lighty labs, <a class="external" href="https://redmine.lighttpd.net/issues/1116">https://redmine.lighttpd.net/issues/1116</a> (feed updated 2007-04-13T03:05:40Z)</p>
<p><strong>Updated by darix</strong> on 2007-04-13T03:05:40Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=2657">journal #2657</a>)</p>
<p>Can you try to reproduce it with <a class="external" href="http://zen.sh.nu/~darix/lighttpd-1.4.x.r1745.tar.gz">http://zen.sh.nu/~darix/lighttpd-1.4.x.r1745.tar.gz</a>?<br />I can't reproduce it here.</p>
<p>Do you have follow-symlinks enabled or disabled?<br />In my setup I had PHP running via external spawning.</p>
<p><strong>Updated by scroffer52</strong> on 2007-04-13T10:16:28Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=2658">journal #2658</a>)</p>
<p>The problem exists too in r1745, compiled with identical options.</p>
<p>But... I've now traced this by simplifying my configuration:</p>
<p>The offending lines in my configuration are:</p>
<pre>
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ("text/plain", "text/html")
compress.max-filesize = 1024000
</pre>
<p>That compression directory isn't writable by the su-execed user; but I don't think that should matter (as mod_compress doesn't touch PHP output anyway, and as mod_compress is running as the correct user). In any case, changing it to a 777-ed directory doesn't fix the segfault.</p>
<p>Without those lines, no segfault. With those lines, a segfault happens.</p>
<p><strong>Updated by scroffer52</strong> on 2007-04-13T10:16:52Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=2659">journal #2659</a>)</p>
<p>Sorry - forgot to mention that I'm not using follow-symlinks anywhere, so it must be the default (on?).</p>
<p><strong>Updated by scroffer52</strong> on 2007-04-13T10:32:12Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=2660">journal #2660</a>)</p>
<p>Here's what I got from valgrind:</p>
<pre>
==3501== Invalid read of size 4
==3501== at 0x44F69DE: (within /usr/lib/lighttpd/mod_compress.so)
==3501== by 0x805F4D4: plugins_call_handle_subrequest_start (in /usr/sbin/lighttpd)
==3501== by 0x804FDCA: http_response_prepare (in /usr/sbin/lighttpd)
==3501== by 0x8052CB4: connection_state_machine (in /usr/sbin/lighttpd)
==3501== by 0x8053C9B: network_server_handle_fdevent (in /usr/sbin/lighttpd)
==3501== by 0x804E4CE: main (in /usr/sbin/lighttpd)
==3501== Address 0x38 is not stack'd, malloc'd or (recently) free'd
==3501==
==3501== Process terminating with default action of signal 11 (SIGSEGV)
==3501== Access not within mapped region at address 0x38
==3501== at 0x44F69DE: (within /usr/lib/lighttpd/mod_compress.so)
==3501== by 0x805F4D4: plugins_call_handle_subrequest_start (in /usr/sbin/lighttpd)
==3501== by 0x804FDCA: http_response_prepare (in /usr/sbin/lighttpd)
==3501== by 0x8052CB4: connection_state_machine (in /usr/sbin/lighttpd)
==3501== by 0x8053C9B: network_server_handle_fdevent (in /usr/sbin/lighttpd)
==3501== by 0x804E4CE: main (in /usr/sbin/lighttpd)
--3501-- discard syms at 0x451C000-0x4527000 in /lib/libnss_files-2.3.4.so due to munmap()
</pre>
<p><strong>Updated by jan</strong> on 2007-04-13T12:21:47Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=2661">journal #2661</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li></ul>
<p><strong>Updated by scroffer52</strong> on 2007-05-21T15:23:02Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=2662">journal #2662</a>)</p>
<p>Do the lighttpd developers count this as a low-priority bug?</p>
<p>I was expecting a consistently remotely exploitable crash to be the kind of thing that was a level 1 priority!</p>
<p><strong>Updated by stbuehler</strong> on 2008-04-24T21:46:59Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=2663">journal #2663</a>)</p>
<p>I couldn't reproduce it either; if open (in stat_cache_get_entry) fails with EACCES, lighty returns 403 Forbidden and does not start mod_compress.</p>
<p>If you still have trouble with this in the current version, please provide a backtrace of a debug build (so we have the line number in which the segfault happens).</p>
<p><strong>Updated by stbuehler</strong> on 2008-08-01T19:34:35Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=2664">journal #2664</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Fixed</i></li><li><strong>Resolution</strong> set to <i>worksforme</i></li></ul>
<p>Missing feedback.</p>
<p><strong>Updated by stbuehler</strong> on 2008-10-10T19:10:29Z (<a class="external" href="https://redmine.lighttpd.net/issues/1116?journal_id=4937">journal #4937</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Fixed</i> to <i>Missing Feedback</i></li></ul>