https://bz.apache.org/bugzilla/show_bug.cgi?id=68278

            Bug ID: 68278
           Summary: memcpy from NULL in apr_brigade_flatten when using
                    mod_proxy_fcgi
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy_fcgi
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

glibc declares the dest and src parameters to memcpy as nonnull using a GCC
extension attribute:
(from glibc string.h:43)
> extern void *memcpy (void *__restrict __dest, const void *__restrict __src,
>                      size_t __n) __THROW __nonnull ((1, 2));

Passing NULL as a nonnull argument is bad because the compiler will optimize
away checks for NULL on arguments declared nonnull, which may have unexpected
consequences.
It's also undefined behavior. See
https://stackoverflow.com/questions/5243012/is-it-guaranteed-to-be-safe-to-perform-memcpy0-0-0
for discussion of this issue.

The following are steps to reproduce the bug. I have verified that this bug is
present in both a fresh build of trunk, as well as the `apache2` package from
the Debian Bookworm repositories. These steps assume that you're using x86_64.

0. Acquire a Debian Bookworm system:
> docker run --rm -it debian:bookworm-slim bash
1. Make a directory in which to build httpd:
> mkdir /app && cd /app
2. Update, install dependencies, then check out httpd and apr:
> apt -y update && apt -y upgrade && apt -y install ncat gdb python3 autoconf 
> libtool libtool-bin libexpat1-dev libpcre3-dev clang subversion make php-fpm 
> && svn co "https://svn.apache.org/repos/asf/httpd/httpd/trunk" httpd && cd 
> httpd/srclib && svn co "https://svn.apache.org/repos/asf/apr/apr/trunk" apr
3. Configure and build httpd and apr:
> cd /app/httpd && ./buildconf && ./configure && make -j$(nproc) CFLAGS='-g' && 
> make install
4. Change the php-fpm config to listen on 127.0.0.1:9000 instead of a UDS.
> sed -i 's/^listen = \/run\/php\/.*/listen = 127.0.0.1:9000/' 
> /etc/php/8.2/fpm/pool.d/www.conf
5. Copy the following into your filesystem as `/var/www/index.php`:
> <?php
>   echo "hello world";
> ?>
6. Copy the following into your filesystem as
`/usr/local/apache2/conf/httpd.conf`:
> ServerRoot "/usr/local/apache2"
> Listen 80
> User daemon
> Group daemon
> LoadModule authz_core_module modules/mod_authz_core.so
> LoadModule unixd_module modules/mod_unixd.so
> LoadModule rewrite_module modules/mod_rewrite.so
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
> ServerName apache
> <VirtualHost *:80>
>     DocumentRoot /var/www
>     SetHandler "proxy:fcgi://127.0.0.1:9000/"
>     RewriteEngine On
>     RewriteCond %{REQUEST_FILENAME} !-f
>     RewriteCond %{REQUEST_FILENAME} !-d
>     RewriteRule ^(.*)$ /index.php [L,QSA]
> </VirtualHost>
7. Start php-fpm:
> php-fpm8.2
8. Start httpd under gdb, set the appropriate breakpoints, and print out the
second (src) argument to memcpy when the second breakpoint hits:
> gdb -ex "b apr_brigade_flatten" -ex 'r -X' -ex 'b memcpy' -ex 'c' -ex 'print 
> $rsi' /usr/local/apache2/bin/httpd
9. From another terminal, send a request to the server:
> printf 'GET / HTTP/1.1\r\nHost: whatever\r\nConnection: close\r\n\r\n' | ncat 
> localhost 80
10. Observe that the second argument to memcpy is null in gdb:
> Thread 3 "httpd" hit Breakpoint 1, apr_brigade_flatten 
> (bb=bb@entry=0x7feeac00f0a0,
>     c=c@entry=0x7feeb92eba10 "", len=len@entry=0x7feeb92eb9b8) at 
> buckets/apr_brigade.c:258
> 258     for (b = APR_BRIGADE_FIRST(bb);
> Breakpoint 2 at 0x7feeb9c97cc0: memcpy. (4 locations)
> Continuing.
> 
> Thread 3 "httpd" hit Breakpoint 2.3, __memcpy_avx_unaligned_erms ()
>     at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:264
> 264 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or 
> directory.
> $1 = 0

This bug was found with UBSan.
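As an added illustration (not code from this report, httpd or APR), the following C program shows the pattern behind the report in miniature: a "flatten" loop that copies a list of chunks into one buffer, first in a form that calls memcpy unconditionally (and so hands it a NULL source for an empty chunk), then in a hardened form that skips the call when there is nothing to copy. The `struct chunk`, the function names and the sample list are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a bucket: a run of bytes plus its length.
 * As with a real brigade, an empty chunk (len == 0) may carry no data
 * pointer at all (data == NULL).  Names in this file are illustrative. */
struct chunk {
    const char *data;
    size_t len;
};

/* 'Before' form: the copy is issued unconditionally.  For an empty chunk
 * this is memcpy(dst, NULL, 0), which breaks memcpy's nonnull contract
 * (undefined behaviour; UBSan's nonnull-attribute check reports it) even
 * though zero bytes would be copied. */
static size_t flatten_naive(const struct chunk *chunks, size_t nchunks,
                            char *out, size_t out_len)
{
    size_t used = 0;
    for (size_t i = 0; i < nchunks && used < out_len; i++) {
        size_t n = chunks[i].len;
        if (n > out_len - used)
            n = out_len - used;          /* truncate to the caller's buffer */
        memcpy(out + used, chunks[i].data, n);   /* data may be NULL here */
        used += n;
    }
    return used;
}

/* Hardened form: an empty chunk contributes nothing, so skip the call and
 * memcpy never sees a NULL source.  Non-empty chunks behave as before. */
static size_t flatten_safe(const struct chunk *chunks, size_t nchunks,
                           char *out, size_t out_len)
{
    size_t used = 0;
    for (size_t i = 0; i < nchunks && used < out_len; i++) {
        size_t n = chunks[i].len;
        if (n == 0)
            continue;                    /* nothing to copy: no memcpy call */
        if (n > out_len - used)
            n = out_len - used;          /* truncate to the caller's buffer */
        memcpy(out + used, chunks[i].data, n);
        used += n;
    }
    return used;
}

/* Constructed sample: a brigade-like list whose middle element is an empty
 * chunk with a NULL data pointer, the shape that yields memcpy(.., NULL, 0). */
static const struct chunk sample[] = {
    { "hello ", 6 },
    { NULL,     0 },
    { "world",  5 },
};
static char sample_out[64];

/* Flattens the sample into sample_out and returns the byte count. */
size_t flatten_sample(void)
{
    return flatten_safe(sample, sizeof sample / sizeof sample[0],
                        sample_out, sizeof sample_out);
}

/* Reports whether sample_out holds the expected flattened text. */
int sample_is_expected(size_t n)
{
    return n == 11 && memcmp(sample_out, "hello world", 11) == 0;
}

int main(void)
{
    size_t n = flatten_sample();
    printf("flatten_safe:  %zu bytes: %.*s\n", n, (int)n, sample_out);

    /* Build with -fsanitize=undefined to see the nonnull report from this
     * call; the visible output is the same, because memcpy(.., NULL, 0)
     * happens to copy nothing on common libc builds. */
    char out[64];
    n = flatten_naive(sample, sizeof sample / sizeof sample[0], out, sizeof out);
    printf("flatten_naive: %zu bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

The guard has to sit before the call. Because glibc declares memcpy's pointer parameters `__nonnull`, a compiler is entitled to treat them as non-null after the call and to delete a later `if (src == NULL)` test in the same function, so a check placed after memcpy gives no protection.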
