Bug #3069 (closed): Illegal Instruction through sending Malformed Digest Authentication Data
Status: Invalid
Priority: Low
Category: mod_auth
Target version: -
ASK QUESTIONS IN Forums: No
Description
I am using 32bit lighttpd 1.4.59 on Ubuntu 20.04.
Here is the http request that triggers the illegal instruction.
GET /auth2/index.html HTTP/1.0
Authorization: Digest username="lemon", realm="Authorized", nonce=b602219d1:651fb02517d9c54df776c991042897a8", uri="/auth2/index.html", algorithm=MD5, response="7a8e716336ba7d066afe90d266fbce99", qop=auth, nc=00000002, cnonce="fada60ebb2a97c46"
The full stack trace for this is
0xf35c4ce9 in mod_auth_check_digest (r=0xee603880, p_d=0xf4a03a90, require=0xf46009c0, backend=0xf6f460 <http_auth_backends>) at mod_auth.c:1389
1389 ts = (ts << 4) + hex2int(nonce_uns[i]);
(gdb) bt full
#0 0xf35c4ce9 in mod_auth_check_digest (r=0xee603880, p_d=0xf4a03a90, require=0xf46009c0, backend=0xf6f460 <http_auth_backends>) at mod_auth.c:1389
ts = 190849561
nonce_uns = 0xefa03c6c "b602219d1:651fb02517d9c54df776c991042897a8\""
cur_ts = 0
vb = 0xf4a060a8
username = 0xefa03c4a "lemon"
realm = 0xefa03c59 "Authorized"
nonce = 0xefa03c6c "b602219d1:651fb02517d9c54df776c991042897a8\""
uri = 0xefa03c9e "/auth2/index.html"
algorithm = 0xefa03cbc "MD5"
qop = 0xefa03cf2 "auth"
cnonce = 0xefa03d0d "fada60ebb2a97c46"
nc = 0xefa03cfb "00000002"
respons = 0xefa03ccb "7a8e716336ba7d066afe90d266fbce99"
e = 0xefa03d1d ""
c = 0xefa03d1e ""
i = 7
b = 0xf5604f10
ai = {dalgo = 2, dlen = 16, username = 0xefa03c4a "lemon", ulen = 5, realm = 0xefa03c59 "Authorized", rlen = 10,
digest = "徻\367\377mS\000\370\305\377\377\350ۖ\000\344\306\377\377\004\000\000\000\000\000\000\000\000\000\000"}
rdigest = "z\216qc6\272}\006j\376\220\322f\373Ι\344\306\377\377&\272\375\367\201G\361\367\034\327A"
dkv = {{key = 0xf35b6ec0 <str> "username=", key_len = 9, ptr = 0xffffc510}, {key = 0xf35b6f00 <str> "realm=", key_len = 6, ptr = 0xffffc520}, {
key = 0xf35b6f40 <str> "nonce=", key_len = 6, ptr = 0xffffc530}, {key = 0xf35b6f80 <str> "uri=", key_len = 4, ptr = 0xffffc540}, {
key = 0xf35b6fc0 <str> "algorithm=", key_len = 10, ptr = 0xffffc550}, {key = 0xf35b7000 <str> "qop=", key_len = 4, ptr = 0xffffc560}, {
key = 0xf35b7040 <str> "cnonce=", key_len = 7, ptr = 0xffffc570}, {key = 0xf35b7080 <str> "nc=", key_len = 3, ptr = 0xffffc580}, {
key = 0xf35b70c0 <str> "response=", key_len = 9, ptr = 0xffffc590}, {key = 0x0, key_len = 0, ptr = 0x0}}
send_nextnonce = -165604320
rc = HANDLER_UNSET
p = 0xaa8e5000
sptree = 0x0
ae = 0x2
ndx = -165604320
m = 0xffffc848 "\a"
#1 0xf35de3d2 in mod_auth_uri_handler (r=0xee603880, p_d=0xf4a03a90) at mod_auth.c:678
scheme = 0xf6f3ec <http_auth_schemes+12>
p = 0xf4a03a90
dauth = 0xf4e001c0
#2 0x00800b0d in plugins_call_fn_req_data (r=0xee603880, e=0) at plugin.c:276
plugin_slots = 0xf2003980
offset = 40
plfd = 0xf20039a8
rc = HANDLER_GO_ON
#3 0x0080043d in plugins_call_handle_uri_clean (r=0xee603880) at plugin.c:326
No locals.
#4 0x0057a51c in http_response_prepare (r=0xee603880) at response.c:433
--Type <RET> for more, q to quit, c to continue without paging--c
rc = HANDLER_GO_ON
#5 0x00576359 in http_response_handler (r=0xee603880) at response.c:1025
p = 0x0
rc = 1
#6 0x005adc26 in connection_state_machine_loop (r=0xee603880, con=0xee603880) at connections.c:1097
ostate = CON_STATE_HANDLE_REQUEST
#7 0x005ac253 in connection_state_machine_h1 (r=0xee603880, con=0xee603880) at connections.c:1418
log_state_handling = 0
#8 0x005a8143 in connection_state_machine (con=0xee603880) at connections.c:1436
r = 0xee603880
#9 0x0062452d in network_server_handle_fdevent (context=0xf4203030, revents=1) at network.c:66
srv_socket = 0xf4203030
srv = 0xf5403c40
con = 0xee603880
loops = 100
#10 0x00839fef in fdevent_linux_sysepoll_poll (ev=0xee603c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
fdn = 0xf4e00190
revents = 1
i = 0
n = 1
#11 0x0076abdf in fdevent_poll (ev=0xee603c80, timeout_ms=1000) at fdevent.c:436
n = 1
#12 0x0055e0c3 in server_main_loop (srv=0xf5403c40) at server.c:1902
min_ts = 1613243185
joblist = 0xf5403c64
last_active_ts = 1613243185
#13 0x0054b26e in main (argc=6, argv=0xffffcd04) at server.c:2032
srv = 0xf5403c40
rc = 1
(gdb)
From reading the stack trace, there are illegal characters in digest which probably cause this illegal instruction.
Updated by axe34 almost 4 years ago
I forgot to attach my configuration file. Here it is.
$HTTP["url"] =~ "^/auth2/" {
    auth.require = ( "/auth2" =>
        (
            "method" => "digest",
            "realm" => "Authorized",
            "require" => "user=lemon"
        )
    )
    auth.backend = "htdigest",
    auth.backend.htdigest.userfile = "/home/foo/digest"
}
Updated by gstrauss almost 4 years ago
- Status changed from New to Invalid
- Priority changed from Normal to Low
- Target version deleted (1.4.x)
As in #3067, you are probably still compiling with -fsanitize=address,undefined
It is extremely irresponsible not to include such information in your report.
No, your request did not trigger an illegal instruction in normal usage. The illegal instruction is called by the -fsanitize instrumentation.
Have you read the documentation about -fsanitize so that you get an error trace instead of a forced crash via illegal instruction? Have you tried to understand what the error is and what the impact might be?
Please re-read my last post in #3067#note-31
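The arithmetic at mod_auth.c:1389 in the backtrace (ts = 190849561 = 0x0b602219 at i = 7) can be replayed outside the server; this is an added example, not lighttpd's code and not part of either poster's comments. It assumes ts is a signed 32-bit integer on the 32-bit build and that at most 8 hex digits are read, neither of which the page shows; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hex_val(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                         /* fold A-F to a-f */
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Replays ts = (ts << 4) + digit over at most 8 leading hex digits with a
 * signed 32-bit accumulator (assumed type). Returns the index of the digit
 * whose shift would not fit, or -1 if the whole prefix fits. */
static int signed32_overflow_index(const char *nonce) {
    int32_t ts = 0;
    for (int i = 0; i < 8; ++i) {
        int d = hex_val((unsigned char)nonce[i]);
        if (d < 0) break;
        if (ts > (INT32_MAX >> 4)) return i;   /* ts << 4 is undefined here */
        ts = (ts << 4) + d;                    /* safe: checked above */
    }
    return -1;
}

/* Same loop with an unsigned accumulator, where the shift is well defined.
 * Returns the number of digits consumed. */
static int parse_nonce_ts(const char *nonce, uint32_t *out) {
    uint32_t ts = 0;
    int i;
    for (i = 0; i < 8; ++i) {
        int d = hex_val((unsigned char)nonce[i]);
        if (d < 0) break;
        ts = (ts << 4) | (uint32_t)d;
    }
    *out = ts;
    return i;
}

int main(void) {
    /* nonce string as shown in the backtrace */
    const char *reported = "b602219d1:651fb02517d9c54df776c991042897a8\"";
    const char *in_range = "60291a31:constructed";   /* constructed sample */
    uint32_t ts;
    int n = parse_nonce_ts(reported, &ts);
    printf("reported: overflow at i=%d, unsigned parse %d digits -> 0x%08x\n",
           signed32_overflow_index(reported), n, (unsigned)ts);
    printf("in range: overflow at i=%d\n", signed32_overflow_index(in_range));
    return 0;
}
```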