Bug #3175

closed

configuration parse bug

Added by dhjeong2 over 1 year ago. Updated over 1 year ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:
Yes

Description

Summary

- lighttpd 1.4.67 (latest)

- Incorrect configuration in the configuration file will cause access to the wrong memory.

- Null dereference

Description

The -f option specifies the configuration file to read when running the lighttpd daemon.
If you pass a file with the wrong contents as an argument here, you will have problems because lighttpd will try to reference the wrong memory.

Undefined config variable: var.HTTP
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3960396==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55f0019217f8 bp 0x0c360000001d sp 0x7fff06726270 T0)
==3960396==The signal is caused by a READ memory access.
==3960396==Hint: address points to the zero page.
    #0 0x55f0019217f7 in yy_reduce configparser.y:740
    #1 0x55f0019217f7 in configparser configparser.c:1812
    #2 0x55f0018fed53 in config_parse /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2142
    #3 0x55f0019026ec in config_parse_file_stream /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2216
    #4 0x55f00190ba4c in config_read /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2486
    #5 0x55f0018cd272 in server_main_setup /home/dhjeong/fuzzing/lighttpd-1.4.67/src/server.c:1116
    #6 0x55f0018d7322 in main /home/dhjeong/fuzzing/lighttpd-1.4.67/src/server.c:2082
    #7 0x7f99af013082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55f0019611cd in _start (/home/dhjeong/fuzzing/lighttpd-fuzz-only/lighttpd+0xc41cd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV configparser.y:740 in yy_reduce
==3960396==ABORTING

Proof of Concept (PoC)

To reproduce it, use the files I attached as follows:
lighttpd -f crash1.conf
lighttpd -f crash2.conf


Files

crash1.conf (2.92 KB) crash1.conf dhjeong2, 2022-11-21 07:35
crash2.conf (2.92 KB) crash2.conf dhjeong2, 2022-11-21 07:35
Actions #1

Updated by gstrauss over 1 year ago

  • Subject changed from lighttpd 1.4.67 configuration parse bug to configuration parse bug

If you pass a file with the wrong contents as an argument here, you will have problems [...]

If the configuration is invalid, then the configuration is invalid, and the problem is that the configuration is invalid.
lighttpd rejects invalid configurations.

In the case you reported, lighttpd crashes while parsing an invalid configuration.
Instead, lighttpd should report the invalid configuration and then should exit non-zero.

A minimal config which triggers the configuration parser error:
$HTTP["url"] =~ HTTP { }
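The comment above draws the line that matters for a config-parser bug: an invalid configuration must be reported and rejected with a non-zero exit, not accepted and not crashed on. The following POSIX sh script is an added example (not code from this ticket or from the lighttpd project) that makes that distinction testable over a set of config files, the minimal trigger from this comment included. It assumes that `lighttpd -t -f <conf>` parses the file without starting the server and that a process killed by a signal is reported by the shell with an exit status of 128 or more.

```shell
#!/bin/sh
# Added example, not lighttpd project code.
# Classifies how a config check exits so a fuzz corpus of configs can be
# checked for "rejected cleanly" versus "crashed" (the bug in this ticket).

# classify_exit CMD...: run CMD and print one of
#   accepted  - exit status 0
#   rejected  - normal non-zero exit (what an invalid config should produce)
#   crashed   - killed by a signal (exit status >= 128, e.g. 139 for SIGSEGV)
classify_exit() {
    if "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo accepted
    elif [ "$rc" -ge 128 ]; then
        echo crashed
    else
        echo rejected
    fi
}

# check_conf CONF: succeed only when lighttpd rejects CONF without crashing.
# Assumption: `lighttpd -t -f CONF` still runs the config parser, so the
# parse failure reported in this ticket is reachable without starting a server.
check_conf() {
    [ "$(classify_exit lighttpd -t -f "$1")" = rejected ]
}

# Usage: sh check-configs.sh [extra.conf ...]
# Always includes the minimal trigger quoted in comment #1 of this ticket.
main() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' '$HTTP["url"] =~ HTTP { }' > "$tmp"
    for conf in "$tmp" "$@"; do
        printf '%s: %s\n' "$conf" "$(classify_exit lighttpd -t -f "$conf")"
    done
    rm -f "$tmp"
}
```

Run it against the attached crash1.conf and crash2.conf on a build with the patch applied and without it: the unpatched binary should print `crashed`, the patched one `rejected`. A result of `accepted` for any of these files would mean the parser swallowed the undefined variable instead of reporting it, which is a separate problem from the crash.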

Actions #2

Updated by gstrauss over 1 year ago

--- a/src/configparser.y
+++ b/src/configparser.y
@@ -737,7 +737,7 @@ context ::= DOLLAR SRVVARNAME(B) LBRACKET stringop(C) RBRACKET cond(E) expressio
   B = NULL;
   buffer_free(C);
   C = NULL;
-  D->fn->free(D);
+  if (D) D->fn->free(D);
   D = NULL;
 }
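Review bot: the `if (D)` guard on the `D->fn->free(D)` line stops the NULL read, but nothing in this hunk shows where the parse is marked as failed when `expression` comes back NULL (the `Undefined config variable: var.HTTP` case from the report); confirm that the path emitting that message already sets the parser's error state so lighttpd still exits non-zero after this cleanup, otherwise an empty right-hand side is freed silently and the conditional is accepted. A one-line comment above the guard saying that D is NULL when the right-hand expression failed to resolve would also spare the next reader a trip to this ticket.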

Actions #3

Updated by gstrauss over 1 year ago

  • Category set to core
  • Status changed from New to Patch Pending
  • Target version changed from 1.4.xx to 1.4.68
Actions #4

Updated by gstrauss over 1 year ago

  • Status changed from Patch Pending to Fixed