Bug #3175
closed
configuration parse bug
Description
Summary
- lighttpd 1.4.67 (latest)
- Incorrect configuration in the configuration file will cause access to the wrong memory.
- Null dereference
Description
Specifies the option (-f) to read the configuration file when running the lighttpd daemon.
If you pass a file with the wrong contents as an argument here, you will have problems because lighttpd will try to reference the wrong memory.
Undefined config variable: var.HTTP
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3960396==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55f0019217f8 bp 0x0c360000001d sp 0x7fff06726270 T0)
==3960396==The signal is caused by a READ memory access.
==3960396==Hint: address points to the zero page.
#0 0x55f0019217f7 in yy_reduce configparser.y:740
#1 0x55f0019217f7 in configparser configparser.c:1812
#2 0x55f0018fed53 in config_parse /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2142
#3 0x55f0019026ec in config_parse_file_stream /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2216
#4 0x55f00190ba4c in config_read /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2486
#5 0x55f0018cd272 in server_main_setup /home/dhjeong/fuzzing/lighttpd-1.4.67/src/server.c:1116
#6 0x55f0018d7322 in main /home/dhjeong/fuzzing/lighttpd-1.4.67/src/server.c:2082
#7 0x7f99af013082 in __libc_start_main ../csu/libc-start.c:308
#8 0x55f0019611cd in _start (/home/dhjeong/fuzzing/lighttpd-fuzz-only/lighttpd+0xc41cd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV configparser.y:740 in yy_reduce
==3960396==ABORTING
Proof of Concept(POC)
To reproduce it, you can use the file I attached to test it as follows.
lighttpd -f crash1.conf
lighttpd -f crash2.conf
Updated by gstrauss about 2 years ago
- Subject changed from lighttpd 1.4.67 configuration parse bug to configuration parse bug
> If you pass a file with the wrong contents as an argument here, you will have problems [...]
If the configuration is invalid, then the configuration is invalid, and the problem is that the configuration is invalid.
lighttpd rejects invalid configurations.
In the case you reported, lighttpd crashes while parsing an invalid configuration.
Instead, lighttpd should report the invalid configuration and then should exit non-zero.
A minimal config which triggers the configuration parser error:
$HTTP["url"] =~ HTTP { }
Updated by gstrauss about 2 years ago
--- a/src/configparser.y +++ b/src/configparser.y @@ -737,7 +737,7 @@ context ::= DOLLAR SRVVARNAME(B) LBRACKET stringop(C) RBRACKET cond(E) expressio B = NULL; buffer_free(C); C = NULL; - D->fn->free(D); + if (D) D->fn->free(D); D = NULL; }
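Review bot: The `if (D)` guard added before `D->fn->free(D)` at the end of this `context ::=` action should carry a one-line comment saying when D can be NULL at this point; C is released just above with an unguarded `buffer_free(C)`, so a reader cannot tell from the hunk why D alone needs the check. The hunk also does not show whether the path that leaves D NULL marks the parse as failed. It is worth confirming that it does, so the configuration is reported as invalid and lighttpd exits non-zero rather than continuing, and adding the minimal config from this report as a regression test.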
Updated by gstrauss about 2 years ago
- Category set to core
- Status changed from New to Patch Pending
- Target version changed from 1.4.xx to 1.4.68
Updated by gstrauss about 2 years ago
- Status changed from Patch Pending to Fixed
Applied in changeset 3c92c959902c50f8ea6fa97d615a78e3ad60616c.
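A regression check for the outcome described in the thread above (an invalid configuration is reported and lighttpd exits non-zero instead of crashing). This is an added example, not code from the lighttpd project: the function names are hypothetical, and it assumes `lighttpd` is on `PATH` and is run with its `-t` config-test option.

```shell
#!/bin/sh
# Added example: tell "config rejected" apart from "parser crashed".
# classify_exit, write_minimal_config and check_config are hypothetical names.

# Map an exit status, as the shell reports it, to a verdict.
classify_exit() {
    if [ "$1" -eq 0 ]; then
        echo accepted      # parser found nothing wrong
    elif [ "$1" -eq 126 ] || [ "$1" -eq 127 ]; then
        echo not-run       # binary not executable / not found: no verdict
    elif [ "$1" -ge 128 ]; then
        echo crashed       # 128+N: killed by signal N (139 = SIGSEGV)
    else
        echo rejected      # clean non-zero exit: the desired outcome
    fi
}

# Write the minimal triggering config quoted in the report to file $1.
write_minimal_config() {
    printf '%s\n' '$HTTP["url"] =~ HTTP { }' > "$1"
}

# check_config CONF [CMD ...]
# Runs CMD with CONF appended (default: lighttpd -t -f), prints the verdict.
check_config() {
    conf=$1
    shift
    [ "$#" -gt 0 ] || set -- lighttpd -t -f
    status=0
    # An ASan build turns the SEGV into a plain exit by default;
    # abort_on_error=1 makes it die from SIGABRT so it counts as a crash.
    ASAN_OPTIONS="${ASAN_OPTIONS:+$ASAN_OPTIONS:}abort_on_error=1" \
        "$@" "$conf" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# Stand-alone use: sh check.sh minimal.conf
if [ "$#" -gt 0 ]; then
    [ -e "$1" ] || write_minimal_config "$1"
    check_config "$@"
fi
```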