Bug #3065

closed

Segmentation Fault due to Empty String on Mod Magnet

Added by axe34 22 days ago. Updated 21 days ago.

Status:
Fixed
Priority:
Normal
Category:
mod_magnet
Target version:
ASK QUESTIONS IN Forums:
No

Description

Here is my configuration file.

server.modules += ("mod_magnet","mod_accesslog")
server.port = 3000
server.document-root = "/var/www/" 
etag.use-inode = "disable" 
etag.use-mtime = "disable" 
etag.use-size = "disable" 
static-file.etags = "disable" 
mimetype.assign = (
  ".html" => "text/html", 
)
server.max-fds = 2048
magnet.attract-physical-path-to = ( "/home/****/magnet.lua"  )

Here is my lua script:

print(lighty.env["uri.query"])

lighty.content = { "<pre>", { filename = lighty.env["uri.query"] }, "</pre>" }
lighty.header["Content-Type"] = "text/html"

return 200

It basically takes the URI query and passes it to the filename.
If you pass an empty string, it causes a segmentation fault.
Here is the stack trace:
Thread 1 "lighttpd" received signal SIGSEGV, Segmentation fault.
__vfprintf_internal (s=s@entry=0x7fffff7ff580, format=format@entry=0x7ffff7c391d6 "%lld", ap=ap@entry=0x7fffff7ff700, mode_flags=mode_flags@entry=2) at vfprintf-internal.c:1365
1365    vfprintf-internal.c: No such file or directory.
(gdb) bt
#0  __vfprintf_internal (s=s@entry=0x7fffff7ff580, format=format@entry=0x7ffff7c391d6 "%lld", ap=ap@entry=0x7fffff7ff700, mode_flags=mode_flags@entry=2)
    at vfprintf-internal.c:1365
#1  0x00007ffff7d6f11a in __vsnprintf_internal (string=0x7fffff7ff7e0 "", maxlen=<optimized out>, format=0x7ffff7c391d6 "%lld", args=args@entry=0x7fffff7ff700, mode_flags=2)
    at vsnprintf.c:114
#2  0x00007ffff7e10fd1 in ___snprintf_chk (s=<optimized out>, maxlen=<optimized out>, flag=<optimized out>, slen=<optimized out>, format=<optimized out>) at snprintf_chk.c:38
#3  0x00007ffff7c1f89b in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#4  0x00007ffff7c1facd in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#5  0x00007ffff7c15831 in lua_pushvfstring () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#6  0x00007ffff7c29b74 in luaL_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#7  0x00007ffff7c29c8d in luaL_argerror () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#8  0x00007ffff7c2ae03 in luaL_checklstring () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#9  0x00007ffff7c524cf in magnet_checkconstbuffer (L=0x7ffff7c391d6, idx=1) at mod_magnet.c:273
#10 0x00007ffff7c50768 in magnet_atpanic (L=0x362f38) at mod_magnet.c:366
#11 0x00007ffff7c19b15 in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#12 0x00007ffff7c195c0 in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#13 0x00007ffff7c167ed in lua_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#14 0x00007ffff7c29b89 in luaL_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#15 0x00007ffff7c29c8d in luaL_argerror () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#16 0x00007ffff7c2ae03 in luaL_checklstring () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#17 0x00007ffff7c524cf in magnet_checkconstbuffer (L=0x7ffff7c391d6, idx=1) at mod_magnet.c:273
#18 0x00007ffff7c50768 in magnet_atpanic (L=0x362f38) at mod_magnet.c:366
#19 0x00007ffff7c19b15 in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#20 0x00007ffff7c195c0 in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#21 0x00007ffff7c167ed in lua_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#22 0x00007ffff7c29b89 in luaL_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#23 0x00007ffff7c29c8d in luaL_argerror () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#24 0x00007ffff7c2ae03 in luaL_checklstring () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#25 0x00007ffff7c524cf in magnet_checkconstbuffer (L=0x7ffff7c391d6, idx=1) at mod_magnet.c:273
#26 0x00007ffff7c50768 in magnet_atpanic (L=0x362f38) at mod_magnet.c:366
#27 0x00007ffff7c19b15 in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#28 0x00007ffff7c195c0 in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#29 0x00007ffff7c167ed in lua_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#30 0x00007ffff7c29b89 in luaL_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#31 0x00007ffff7c29c8d in luaL_argerror () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#32 0x00007ffff7c2ae03 in luaL_checklstring () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#33 0x00007ffff7c524cf in magnet_checkconstbuffer (L=0x7ffff7c391d6, idx=1) at mod_magnet.c:273
#34 0x00007ffff7c50768 in magnet_atpanic (L=0x362f38) at mod_magnet.c:366
#35 0x00007ffff7c19b15 in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#36 0x00007ffff7c195c0 in ?? () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#37 0x00007ffff7c167ed in lua_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#38 0x00007ffff7c29b89 in luaL_error () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#39 0x00007ffff7c29c8d in luaL_argerror () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#40 0x00007ffff7c2ae03 in luaL_checklstring () from /lib/x86_64-linux-gnu/liblua5.3.so.0
#41 0x00007ffff7c524cf in magnet_checkconstbuffer (L=0x7ffff7c391d6, idx=1) at mod_magnet.c:273
#42 0x00007ffff7c50768 in magnet_atpanic (L=0x362f38) at mod_magnet.c:366

#1

Updated by gstrauss 22 days ago

Similar to #3064

filename = lighty.env["uri.query"]

If you are running lua code inside the lighttpd server, then you can do anything and everything that lua allows you to do, as the same user, running in the same process as the lighttpd web server. You can read all the files that the lighttpd server can read and can shell out and can execute arbitrary commands, including kill.

If you are passing user-supplied data without validating it, then you have failed to validate user-supplied data.

If you should not have admin privileges over the lighttpd server, then you should not have privileges to run lua code inside the lighttpd server.
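A hardened version of the script from the description, written as an added example (it is not code from the bug report or from lighttpd) that applies the validation this comment asks for before the query reaches filename; BASE_DIR is an assumed directory for illustration:

```lua
-- Added example: validate user-supplied input before using it as a filename.
-- BASE_DIR is an assumption for this example; set it to the directory that
-- is actually meant to be exposed.
local BASE_DIR = "/var/www/public/"

-- Return the validated file name, or nil plus a reason it was rejected.
local function safe_name(q)
    -- lighty.env["uri.query"] may be nil or "" when no query is present;
    -- the empty case is exactly what triggered the crash in the report.
    if type(q) ~= "string" or q == "" then
        return nil, "missing query"
    end
    -- Accept a single plain file name: letters, digits, dot, dash, underscore.
    -- No slashes, so the name cannot leave BASE_DIR.
    if not q:match("^[%w%.%-_]+$") then
        return nil, "disallowed characters"
    end
    -- The pattern allows dots, so reject dot-segments and hidden files explicitly.
    if q:find("%.%.") or q:sub(1, 1) == "." then
        return nil, "dot segment"
    end
    return q
end

local name, why = safe_name(lighty.env["uri.query"])
if not name then
    -- Fail closed: respond 400 instead of handing the raw value to lighttpd.
    lighty.header["Content-Type"] = "text/plain"
    lighty.content = { "bad request: " .. why .. "\n" }
    return 400
end

lighty.header["Content-Type"] = "text/html"
lighty.content = { "<pre>", { filename = BASE_DIR .. name }, "</pre>" }
return 200
```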

#2

Updated by gstrauss 22 days ago

I do appreciate that you're looking for ways to break lighttpd, and, within reason, I will try to provide an explanation and may add patches to lighttpd to more gracefully handle some of the errors or bugs.

The following patch will prevent the bad stack strace looping in magnet_atpanic(), but does not address the original cause of the panic. I'll look into that tomorrow.

--- a/src/mod_magnet.c
+++ b/src/mod_magnet.c
@@ -363,9 +365,9 @@ static int magnet_stat(lua_State *L) {

 static int magnet_atpanic(lua_State *L) {
-       const_buffer cb = magnet_checkconstbuffer(L, 1);
        request_st * const r = magnet_get_request(L);
-       log_error(r->conf.errh, __FILE__, __LINE__, "(lua-atpanic) %s", cb.ptr);
+       log_error(r->conf.errh, __FILE__, __LINE__, "(lua-atpanic) %s",
+                 lua_isstring(L, 1) ? lua_tostring(L, 1) : "");
        longjmp(exceptionjmp, 1);
 }
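Review bot: the loop in the reporter's trace (frames 7 to 10 repeating) comes from magnet_checkconstbuffer() calling luaL_checklstring(), which raises a Lua error when the value at index 1 is not a string; inside the panic handler there is no protected call to catch it, so lua_error() lands back in magnet_atpanic() until the stack overflows. Replacing it with `lua_isstring(L, 1) ? lua_tostring(L, 1) : ""` is the right shape, since neither call can raise. Two follow-ups: log something more useful than an empty string for non-string panic values, e.g. luaL_typename(L, 1), and add a comment on the function stating that nothing called from a panic handler may raise a Lua error, so a luaL_check* call is not reintroduced here later.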

#3

Updated by gstrauss 21 days ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.60

#4

Updated by gstrauss 21 days ago

  • Status changed from Patch Pending to Fixed
