
Bug#902906: apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if an environment variable value is null



Package: apache2-bin
Version: 2.4.25-3+deb9u4
Severity: important
Tags: patch upstream

Dear Maintainer,

We got a lot of segfaults like the following in error.log, provoked by mod_proxy_fcgi:

[core:notice] [pid 43086:tid 139897736885440] AH00051: child pid 43114 exit signal Segmentation fault (11)

As recommended on https://wiki.apache.org/httpd/PHP-FPM, we use the following PHP-FPM invocation with SetHandler (running mpm_event):

```
<FilesMatch "\.ph(p[3-5]?|tml)$">
   <If "-f %{REQUEST_FILENAME}">
       SetHandler "proxy:unix:/run/fpm-pool-web999-php72.socket|fcgi://localhost"
   </If>
</FilesMatch>
```

Analyzing the coredump:

```
$ gdb /usr/sbin/apache2 /tmp/coredump-apache2-11-33-33-43114-1530368206
(...)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
106	../sysdeps/x86_64/strlen.S: No such file or directory.
[Current thread is 1 (Thread 0x7f3c54ff9700 (LWP 43741))]
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x000055b25cef8e57 in ap_fcgi_encoded_env_len (env=<optimized out>, maxlen=maxlen@entry=16384, starting_elem=starting_elem@entry=0x7f3c54ff8ae0) at util_fcgi.c:156
#2  0x00007f3c74f4871d in send_environment (request_id=1, temp_pool=0x7f3c49e1c028, r=0x7f3c49e196c0, conn=0x7f3c72bbb0a0) at mod_proxy_fcgi.c:321
#3  fcgi_do_request (p=<optimized out>, origin=0x0, uri=<optimized out>, url=<optimized out>, server_portstr=0x7f3c54ff8b40 "", conf=0x7f3c7ae24490, conn=0x7f3c72bbb0a0, r=0x7f3c49e196c0) at mod_proxy_fcgi.c:848
#4  proxy_fcgi_handler (r=0x7f3c49e196c0, worker=<optimized out>, conf=<optimized out>, url=<optimized out>, proxyname=<optimized out>, proxyport=<optimized out>) at mod_proxy_fcgi.c:968
#5  0x00007f3c751562bc in proxy_run_scheme_handler (r=r@entry=0x7f3c49e196c0, worker=0x7f3c7ad7abf0, conf=conf@entry=0x7f3c7ae2bdd0, 
    url=0x7f3c49e13b08 "fcgi://localhost/var/www/shared/error_docs/400.php", proxyhost=proxyhost@entry=0x0, proxyport=proxyport@entry=0) at mod_proxy.c:2880
#6  0x00007f3c75157231 in proxy_handler (r=0x7f3c49e196c0) at mod_proxy.c:1230
#7  0x000055b25cef1c40 in ap_run_handler (r=r@entry=0x7f3c49e196c0) at config.c:170
#8  0x000055b25cef21d6 in ap_invoke_handler (r=r@entry=0x7f3c49e196c0) at config.c:434
#9  0x000055b25cf090bc in ap_internal_redirect (new_uri=<optimized out>, r=<optimized out>) at http_request.c:765
#10 0x000055b25cedc5b5 in ap_read_request (conn=conn@entry=0x7f3c49e28348) at protocol.c:1285
#11 0x000055b25cf0604d in ap_process_http_async_connection (c=0x7f3c49e28348) at http_core.c:146
#12 ap_process_http_connection (c=0x7f3c49e28348) at http_core.c:248
#13 0x000055b25cefba70 in ap_run_process_connection (c=c@entry=0x7f3c49e28348) at connection.c:42
#14 0x00007f3c755786e8 in process_socket (my_thread_num=<optimized out>, my_child_num=<optimized out>, cs=0x7f3c49e282b8, sock=<optimized out>, p=0x7f3c49e28028, thd=<optimized out>) at event.c:1099
#15 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:2003
#16 0x00007f3c7a3a4494 in start_thread (arg=0x7f3c54ff9700) at pthread_create.c:333
#17 0x00007f3c7a0e6acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
```

The issue was reported upstream as Apache Bug 60275, which includes a patch:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60275
The patch made it into upstream Apache 2.4.26 (see https://www.apache.org/dist/httpd/CHANGES_2.4):

 *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
    modules add empty environment variables to the request. PR 60275.
    [<alex2grad AT gmail.com>]

I have applied the provided patch to apache2_2.4.25-3+deb9u4_amd64 and installed the resulting apache2-bin. This resolved the issue 100% (Apache was previously crashing 15 times/h on average over months; since installing the patched apache2-bin there has not been a single segfault!).
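To make the defect concrete, here is an added example (my own code, not httpd's util_fcgi.c) of the FastCGI name-value length computation that ap_fcgi_encoded_env_len() performs, with the NULL-value guard the PR 60275 patch introduces; the `env_pair` struct, the `encoded_env_len()` helper and the sample table are constructed for the example.

```c
/* Added example, not httpd code: a minimal FastCGI name-value pair
 * length computation in the style of ap_fcgi_encoded_env_len(), with
 * the NULL-value guard from the PR 60275 patch.  Names and the sample
 * table below are constructed for this example. */
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the apr_table_entry_t key/val pair. */
struct env_pair {
    const char *key;
    const char *val;   /* may be NULL when a module adds an empty variable */
};

/* FastCGI encodes a length in 1 byte if < 128, otherwise in 4 bytes. */
static size_t fcgi_len_bytes(size_t len)
{
    return (len >> 7) == 0 ? 1 : 4;
}

/* Bytes needed to encode the pairs as FCGI_PARAMS name-value records.
 * Returns 0 for an empty table. */
size_t encoded_env_len(const struct env_pair *elts, size_t nelts)
{
    size_t envlen = 0;
    for (size_t i = 0; i < nelts; i++) {
        size_t keylen = strlen(elts[i].key);
        /* The unpatched code called strlen(elts[i].val) unconditionally
         * and crashed on a NULL value; treat NULL as zero-length instead. */
        size_t vallen = elts[i].val ? strlen(elts[i].val) : 0;
        envlen += fcgi_len_bytes(keylen) + fcgi_len_bytes(vallen);
        envlen += keylen + vallen;
    }
    return envlen;
}

/* Constructed sample: one normal variable, one with a NULL value. */
static const struct env_pair sample_env[] = {
    { "REQUEST_METHOD", "GET" },
    { "PATH_INFO", NULL },
};

size_t sample_env_len(void)
{
    return encoded_env_len(sample_env, 2);   /* 1+1+14+3 + 1+1+9+0 = 30 */
}
```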

apache2-2.4.25-pr60275.patch:

```diff
diff -ur apache2-2.4.25/server/util_fcgi.c apache2-2.4.25-patched/server/util_fcgi.c
--- apache2-2.4.25/server/util_fcgi.c	2015-07-20 12:28:13.000000000 +0200
+++ apache2-2.4.25-patched/server/util_fcgi.c	2018-07-01 09:16:08.122664970 +0200
@@ -153,7 +153,11 @@
 
         envlen += keylen;
 
-        vallen = strlen(elts[i].val);
+	if (!elts[i].val) {
+	    vallen = 0;
+	} else {
+    	    vallen = strlen(elts[i].val);
+	}
 
         if (vallen >> 7 == 0) {
             envlen += 1;
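Review bot: the added `if (!elts[i].val)` block is indented with tabs (and the `vallen = strlen(...)` line with a mix of spaces and a tab) while the surrounding util_fcgi.c context uses four spaces; normalise to spaces before submitting, and consider the one-liner `vallen = elts[i].val ? strlen(elts[i].val) : 0;`, which reads like the adjacent `envlen += keylen;`. The logic itself is sound: a NULL value is accounted for as a zero-length value, and its one-byte length prefix is still counted by the unchanged `if (vallen >> 7 == 0)` branch.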
@@ -226,7 +230,11 @@
             buflen -= 4;
         }
 
-        vallen = strlen(elts[i].val);
+        if (!elts[i].val) {
+            vallen = 0;
+        } else {
+    	    vallen = strlen(elts[i].val);
+	}
 
         if (vallen >> 7 == 0) {
             if (buflen < 1) {
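Review bot: this second copy of the NULL check must stay identical to the one in ap_fcgi_encoded_env_len(), because the encoder's `buflen` checks rely on the length the first function computed; a small shared static helper that returns 0 for a NULL value would keep the two from drifting apart. The same indentation issue as in the first hunk applies here: the `vallen = strlen(...)` and closing `}` lines carry tabs inside a space-indented block.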
@@ -262,8 +270,10 @@
             rv = APR_ENOSPC; /* overflow */
             break;
         }
-        memcpy(itr, elts[i].val, vallen);
-        itr += vallen;
+	if (elts[i].val) {
+    	    memcpy(itr, elts[i].val, vallen);
+    	    itr += vallen;
+	}
 
         if (buflen == vallen) {
             (*starting_elem)++;
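Review bot: guarding on `elts[i].val` rather than on `vallen` is the right choice here, since memcpy with a NULL source is undefined behaviour even when the length is 0, so skipping the call is required rather than cosmetic. The unchanged `if (buflen == vallen)` that follows still behaves correctly because vallen is 0 for a NULL value. As in the other hunks, the added lines use tabs where the file uses spaces.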
```

Please try to get this into the next Debian Stretch point release. It seems to be critical as this bug renders mod_proxy_fcgi unusable for most.

Thanks,
Philip


-- Package-specific info:

-- System Information:
Debian Release: 9.4
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.17-3-pve (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u3
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2l-2+deb9u3
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u4
ii  zlib1g                   1:1.2.8.dfsg-5

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin is related to:
pn  apache2      <none>
ii  apache2-bin  2.4.25-3+deb9u4

-- no debconf information
