01-19-2009, 02:12 PM
Stephane Chazelas

libapache2-mod-auth-mysql: SEGV in mysql_check_user_password()

Package: libapache2-mod-auth-mysql
Version: 4.3.9-4
Severity: important


The bug occurs on x86_64 in mysql_check_user_password() when the
APR "pool" for apr_pstrcat() is on a 64bit address (see source
code of mysql_check_user_password() for reference)

Breakpoint 1, mysql_check_user_password (r=0x2b6556f610a8, user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******", sec=0x844088) at mod_auth_mysql.c:1316
1316 char *auth_table = "mysql_auth", *auth_user_field = "username",
#0 mysql_check_user_password (r=0x2b6556f610a8, user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******", sec=0x844088) at mod_auth_mysql.c:1316
#1 0x00002b655045256b in mysql_authenticate_basic_user (r=0x2b6556f610a8) at mod_auth_mysql.c:1533
#2 0x00000000004331b2 in ap_run_check_user_id ()
#3 0x0000000000435144 in ap_process_request_internal ()
#4 0x0000000000435950 in ap_sub_req_method_uri ()
#5 0x00002b65524ed4b8 in dav_svn_authz_read () from /usr/lib/apache2/modules/mod_dav_svn.so
#6 0x00002b6552713ec3 in ?? () from /usr/lib/libsvn_repos-1.so.1
#7 0x00002b655271482e in ?? () from /usr/lib/libsvn_repos-1.so.1
#8 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
#9 0x00002b655271482e in ?? () from /usr/lib/libsvn_repos-1.so.1
#10 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
#11 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
#12 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
#13 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
#14 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
#15 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
#16 0x00002b6552714cb1 in svn_repos_finish_report () from /usr/lib/libsvn_repos-1.so.1
#17 0x00002b65524ee2c9 in dav_svn__update_report () from /usr/lib/apache2/modules/mod_dav_svn.so
#18 0x00002b65524f0e5e in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#19 0x00002b6551ebe31a in ?? () from /usr/lib/apache2/modules/mod_dav.so
#20 0x0000000000437c5a in ap_run_handler ()
#21 0x000000000043b00c in ap_invoke_handler ()
#22 0x0000000000447508 in ap_process_request ()
#23 0x000000000044494c in ?? ()
#24 0x000000000043ec32 in ap_run_process_connection ()
#25 0x000000000044b39c in ?? ()
#26 0x000000000044b654 in ?? ()
#27 0x000000000044b6f7 in ?? ()
#28 0x000000000044c1bf in ap_mpm_run ()
#29 0x0000000000425aa1 in main ()
(gdb)
Continuing.

Breakpoint 3, mysql_check_user_password (r=0x2b6556f610a8, user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******", sec=0x844088) at mod_auth_mysql.c:1345
1345 if (!query) {
$13 = 0x56f62d78 <Address 0x56f62d78 out of bounds>
(gdb) n
1351 if ((rv = safe_mysql_query(r, query, sec))) {
(gdb)

Program received signal SIGSEGV, Segmentation fault.
0x00002b654dda8b50 in strlen () from /lib/libc.so.6

(sorry I no longer have the bt on the failing instruction)

apr_pstrcat returns a 64bit address (r=0x2b6556f62d78), but it
gets truncated in "query" into 0x56f62d78. Looking at the
disassembly on mysql_check_user_password(), there's a cltq
instruction after the call to PSTRCAT(). That is because the
#include <apr_strings.h> is missing, so that mod_auth_mysql
thinks that function (apr_pstrcat) returns an integer instead of
a pointer hence the truncation.

Actually, gcc gives a warning when compiling that code which
would have helped find the problem.

It seems the problem is still there in newer versions of ubuntu.

The problem only appears when the address returned by PSTRCAT()
is 64bits.

The simple fix:

--- mod_auth_mysql.c~ 2009-01-19 14:57:14.717958623 +0000
+++ mod_auth_mysql.c 2009-01-19 14:54:00.947332133 +0000
@@ -49,6 +49,7 @@
#ifdef APACHE2
#include "http_request.h" /* for ap_hook_(check_user_id | auth_checker)*/
#include <apr_general.h>
+#include <apr_strings.h>
#include <apr_md5.h>
#include <apr_sha1.h>
#else
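
Review bot: Adding the header at line 52 fixes apr_pstrcat only; nothing here stops the next unprototyped call from compiling silently. Since the report says gcc already warns on this code, build the module with -Wall -Werror=implicit-function-declaration so a missing prototype fails the build instead of truncating a pointer at run time on amd64.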

-- System Information:
Debian Release: lenny/sid
APT prefers gutsy-updates
APT policy: (500, 'gutsy-updates'), (500, 'gutsy-security'), (500, 'gutsy')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-14-server (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-auth-mysql depends on:
ii apache2.2-common 2.2.4-3ubuntu0.1 Next generation, scalable, extenda
ii libc6 2.6.1-1ubuntu10 GNU C Library: Shared libraries
ii libmysqlclient15off 5.0.45-1ubuntu3 MySQL database client library

libapache2-mod-auth-mysql recommends no packages.

-- no debconf information

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
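
The truncation described in the report above, modelled as an added example (not code from mod_auth_mysql or from the original post): it reproduces what the caller stores when a pointer return value is treated as int and sign-extended. The first two addresses are taken from the gdb session in the report; the third is constructed to show the sign-extension case, and the function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* What the caller ends up with when a pointer-returning function is called
 * without a prototype on x86_64: the compiler assumes the result is an int,
 * keeps only the low 32 bits (EAX) and sign-extends them back to 64 bits
 * (cltq) before storing the value in the pointer variable. */
static uint64_t seen_through_implicit_int(uint64_t real_ptr)
{
    /* Out-of-range conversion to int32_t wraps on gcc and clang. */
    int32_t eax = (int32_t)(uint32_t)real_ptr;
    return (uint64_t)(int64_t)eax;
}

/* True when the address fits in a non-negative 32-bit int, i.e. the bug
 * stays hidden. */
static int pointer_survives(uint64_t real_ptr)
{
    return seen_through_implicit_int(real_ptr) == real_ptr;
}

int main(void)
{
    static const struct { const char *label; uint64_t addr; } cases[] = {
        { "apr_pstrcat() result in the report", 0x2b6556f62d78ULL },
        { "low address (value of sec in the report)", 0x844088ULL },
        { "constructed, bit 31 set", 0x2b65d6f62d78ULL },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t seen = seen_through_implicit_int(cases[i].addr);
        printf("%-42s 0x%012" PRIx64 " -> 0x%016" PRIx64 " %s\n",
               cases[i].label, cases[i].addr, seen,
               pointer_survives(cases[i].addr) ? "intact" : "CORRUPTED");
    }
    return 0;
}
```

The second case shows why the defect stays invisible while returned addresses fit in 31 bits.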
 
01-23-2009, 02:19 PM
Charlie Kravetz

libapache2-mod-auth-mysql: SEGV in mysql_check_user_password()

On Mon, 19 Jan 2009 15:12:26 +0000
Stephane Chazelas <stephane.chazelas@seebyte.com> wrote:

> Package: libapache2-mod-auth-mysql
> Version: 4.3.9-4
> Severity: important
>
>
> The bug occurs on x86_64 in mysql_check_user_password() when the
> APR "pool" for apr_pstrcat() is on a 64bit address (see source
> code of mysql_check_user_password() for reference)
>
> Breakpoint 1, mysql_check_user_password (r=0x2b6556f610a8,
> user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******",
> sec=0x844088) at mod_auth_mysql.c:1316 1316 char
> *auth_table = "mysql_auth", *auth_user_field = "username", #0
> mysql_check_user_password (r=0x2b6556f610a8, user=0x2b6556f62d50
> "stephane", password=0x2b6556f62d41 "******", sec=0x844088) at
> mod_auth_mysql.c:1316 #1 0x00002b655045256b in
> mysql_authenticate_basic_user (r=0x2b6556f610a8) at
> mod_auth_mysql.c:1533 #2 0x00000000004331b2 in ap_run_check_user_id
> () #3 0x0000000000435144 in ap_process_request_internal () #4
> 0x0000000000435950 in ap_sub_req_method_uri () #5 0x00002b65524ed4b8
> in dav_svn_authz_read () from /usr/lib/apache2/modules/mod_dav_svn.so
> #6 0x00002b6552713ec3 in ?? () from /usr/lib/libsvn_repos-1.so.1 #7
> 0x00002b655271482e in ?? () from /usr/lib/libsvn_repos-1.so.1 #8
> 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1 #9
> 0x00002b655271482e in ?? () from /usr/lib/libsvn_repos-1.so.1 #10
> 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1 #11
> 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1 #12
> 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1 #13
> 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1 #14
> 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1 #15
> 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1 #16
> 0x00002b6552714cb1 in svn_repos_finish_report ()
> from /usr/lib/libsvn_repos-1.so.1 #17 0x00002b65524ee2c9 in
> dav_svn__update_report ()
> from /usr/lib/apache2/modules/mod_dav_svn.so #18 0x00002b65524f0e5e
> in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so #19
> 0x00002b6551ebe31a in ?? () from /usr/lib/apache2/modules/mod_dav.so
> #20 0x0000000000437c5a in ap_run_handler () #21 0x000000000043b00c in
> ap_invoke_handler () #22 0x0000000000447508 in ap_process_request ()
> #23 0x000000000044494c in ?? () #24 0x000000000043ec32 in
> ap_run_process_connection () #25 0x000000000044b39c in ?? () #26
> 0x000000000044b654 in ?? () #27 0x000000000044b6f7 in ?? () #28
> 0x000000000044c1bf in ap_mpm_run () #29 0x0000000000425aa1 in main ()
> (gdb) Continuing.
>
> Breakpoint 3, mysql_check_user_password (r=0x2b6556f610a8,
> user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******",
> sec=0x844088) at mod_auth_mysql.c:1345 1345 if
> (!query) { $13 = 0x56f62d78 <Address 0x56f62d78 out of bounds> (gdb) n
> 1351 if ((rv = safe_mysql_query(r, query, sec))) {
> (gdb)
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00002b654dda8b50 in strlen () from /lib/libc.so.6
>
> (sorry I no longer have the bt on the failing instruction)
>
> apr_pstrcat returns a 64bit address (r=0x2b6556f62d78), but it
> gets truncated in "query" into 0x56f62d78. Looking at the
> disassembly on mysql_check_user_password(), there's a cltq
> instruction after the call to PSTRCAT(). That is because the
> #include <apr_strings.h> is missing, so that mod_auth_mysql
> thinks that function (apr_pstrcat) returns an integer instead of
> a pointer hence the truncation.
>
> Actually, gcc gives a warning when compiling that code which
> would have helped find the problem.
>
> It seems the problem is still there in newer versions of ubuntu.
>
> The problem only appears when the address returned by PSTRCAT()
> is 64bits.
>
> The simple fix:
>
> --- mod_auth_mysql.c~ 2009-01-19 14:57:14.717958623 +0000
> +++ mod_auth_mysql.c 2009-01-19 14:54:00.947332133 +0000
> @@ -49,6 +49,7 @@
> #ifdef APACHE2
> #include "http_request.h" /* for ap_hook_(check_user_id |
> auth_checker)*/ #include <apr_general.h>
> +#include <apr_strings.h>
> #include <apr_md5.h>
> #include <apr_sha1.h>
> #else
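
Review bot: The trailing #else context line shows a non-APACHE2 branch that this hunk leaves untouched. If PSTRCAT() maps to a different concatenation function in that branch, confirm the header declaring it is included there as well, otherwise the same implicit-int truncation applies to a 64-bit build against that API.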
>
> -- System Information:
> Debian Release: lenny/sid
> APT prefers gutsy-updates
> APT policy: (500, 'gutsy-updates'), (500, 'gutsy-security'), (500,
> 'gutsy') Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.22-14-server (SMP w/2 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libapache2-mod-auth-mysql depends on:
> ii apache2.2-common 2.2.4-3ubuntu0.1 Next generation,
> scalable, extenda ii libc6 2.6.1-1ubuntu10 GNU C
> Library: Shared libraries ii libmysqlclient15off
> 5.0.45-1ubuntu3 MySQL database client library
>
> libapache2-mod-auth-mysql recommends no packages.
>
> -- no debconf information
>

Can you file this on launchpad? I know the system sent it to the users
mailing list, but it never gets worked if it stays here.

The right place to file bug reports is:
https://bugs.launchpad.net/ubuntu

That will give the developers a chance to see if they can fix it.

Thanks.

--
Charlie Kravetz
Linux Registered User Number 425914 [http://counter.li.org/]
Never let anyone steal your DREAM. [http://keepingdreams.com]
