RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1221575 - a segfault in dbmfilegroup_check_authorization in mod_authz_dbm.c
Summary: a segfault in dbmfilegroup_check_authorization in mod_authz_dbm.c
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: Martin Frodl
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-14 11:46 UTC by Hisanobu Okuda
Modified: 2021-01-14 09:33 UTC (History)
3 users (show)

Fixed In Version: httpd-2.4.6-33.el7
Doc Type: Bug Fix
Doc Text:
The mod_authz_dbm module requires the mod_authz_owner module but this dependency was not reflected in the mod_authz_dbm code. Consequently, when the "Require dbm-file-group" directive was used and mod_authz_dbm was loaded before mod_authz_owner, the httpd daemon terminated unexpectedly with a segmentation fault. The mod_authz_dbm code now allows loading before the mod_authz_owner module, and httpd no loner crashes in this scenario.
Clone Of:
Environment:
Last Closed: 2015-11-19 04:37:42 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2194 0 normal SHIPPED_LIVE httpd bug fix and enhancement update 2015-11-19 08:05:27 UTC

Description Hisanobu Okuda 2015-05-14 11:46:49 UTC 
Description of problem:

"Require dbm-file-group" causes a segfault in dbmfilegroup_check_authorization in mod_authz_dbm.c.


You can see a segfault running it under gdb with a breakpoint:-

# gdb /usr/sbin/httpd
Reading symbols from /usr/sbin/httpd...Reading symbols from /usr/lib/debug/usr/sbin/httpd.debug...done.
done.
(gdb) b dbmfilegroup_check_authorization
Function "dbmfilegroup_check_authorization" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (dbmfilegroup_check_authorization) pending.
(gdb) run -X -DFOREGROUND
Starting program: /usr/sbin/httpd -X -DFOREGROUND
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
warning: Temporarily disabling breakpoints for unloaded shared library "/etc/httpd/modules/mod_authz_dbm.so"

(access a protected resource and submit username/password)

Breakpoint 1, dbmfilegroup_check_authorization (r=0x7f851f1c02d0, require_args=0x7f851ee87e56 "", parsed_require_args=0x0)
    at mod_authz_dbm.c:207
207     {
(gdb) 
210         char *user = r->user;
(gdb) 
207     {
(gdb) 
208         authz_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
(gdb) 
211         const char *realm = ap_auth_name(r);
(gdb) 
218         if (!user) {
(gdb) 
219             return AUTHZ_DENIED_NO_USER;
(gdb) 
218         if (!user) {
(gdb) 
222         if (!conf->grpfile) {
(gdb) 
229         status = get_dbm_grp(r, apr_pstrcat(r->pool, user, ":", realm, NULL),
(gdb) 
232         if (status != APR_SUCCESS) {
(gdb) 
239         if (groups == NULL) {
(gdb) 
250         filegroup = authz_owner_get_file_group(r);
(gdb) print authz_owner_get_file_group 
$1 = (apr_OFN_authz_owner_get_file_group_t *) 0x0
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007f7d041ee079 in dbmfilegroup_check_authorization (r=0x7f7d0a31e310, require_args=<optimized out>, 
    parsed_require_args=<optimized out>) at mod_authz_dbm.c:250
#2  0x00007f7d045f6da2 in apply_authz_sections (r=r@entry=0x7f7d0a31e310, section=section@entry=0x7f7d0a01e568, 
    parent_op=<optimized out>) at mod_authz_core.c:737
#3  0x00007f7d045f6f58 in apply_authz_sections (r=r@entry=0x7f7d0a31e310, section=section@entry=0x7f7d0a01e4c8, 
    parent_op=<optimized out>) at mod_authz_core.c:751
#4  0x00007f7d045f6f58 in apply_authz_sections (r=r@entry=0x7f7d0a31e310, section=0x7f7d0a01e5c0, 
    parent_op=parent_op@entry=AUTHZ_LOGIC_AND) at mod_authz_core.c:751
#5  0x00007f7d045f70da in authorize_user_core (r=0x7f7d0a31e310, after_authn=1) at mod_authz_core.c:840
#6  0x00007f7d0818da60 in ap_run_auth_checker (r=0x7f7d0a31e310) at request.c:90
#7  0x00007f7d08190358 in ap_process_request_internal (r=r@entry=0x7f7d0a31e310) at request.c:294
#8  0x00007f7d081ab628 in ap_process_async_request (r=r@entry=0x7f7d0a31e310) at http_request.c:315
#9  0x00007f7d081ab914 in ap_process_request (r=r@entry=0x7f7d0a31e310) at http_request.c:363
#10 0x00007f7d081a82a2 in ap_process_http_sync_connection (c=0x7f7d0a253af0) at http_core.c:190
#11 ap_process_http_connection (c=0x7f7d0a253af0) at http_core.c:231
#12 0x00007f7d081a0340 in ap_run_process_connection (c=0x7f7d0a253af0) at connection.c:41
#13 0x00007f7d081a0728 in ap_process_connection (c=c@entry=0x7f7d0a253af0, csd=<optimized out>) at connection.c:202
#14 0x00007f7cfdb7280f in child_main (child_num_arg=child_num_arg@entry=0) at prefork.c:707
#15 0x00007f7cfdb72a0c in make_child (s=0x7f7d09f5b340, slot=slot@entry=0) at prefork.c:749
#16 0x00007f7cfdb73791 in prefork_run (_pconf=<optimized out>, plog=0x7f7d09f5f378, s=0x7f7d09f5b340) at prefork.c:966
#17 0x00007f7d0817d2ce in ap_run_mpm (pconf=0x7f7d09f32158, plog=0x7f7d09f5f378, s=0x7f7d09f5b340) at mpm_common.c:96
#18 0x00007f7d081768f6 in main (argc=3, argv=0x7fff14a9f608) at main.c:777
(gdb) 



Version-Release number of selected component (if applicable):

httpd-2.4.6-31.el7.x86_64


How reproducible:


Steps to Reproduce:
1. append the following lines to httpd.conf


<Directory "/var/www/html/test2/">
    AuthName test
    AuthType Basic
    AuthBasicProvider dbm
    AuthDBMUserFile /etc/httpd/conf/users
    AuthDBMGroupFile /etc/httpd/conf/groups
    AuthzDBMType SDBM
    Require dbm-file-group
</Directory>

2. create html file

[root@host11 conf]# mkdir /var/www/html/test
[root@host11 conf]# cat > /var/www/html/test/index.html
hi
(Ctrl-D)
[root@host11 conf]#


3. create db

[root@host11 conf]# htdbm -c -TSDBM /etc/httpd/conf/users user1
New password: 
Re-type new password: 
Database /etc/httpd/conf/users created.
[root@host11 conf]# cat > groups.txt
user1 root
(Ctrl-D)
[root@host11 conf]# httxt2dbm -v -f SDBM -i ./groups.txt -o /etc/httpd/conf/groups
DBM Format: SDBM
Input File: ./groups.txt
DBM File: /etc/httpd/conf/groups
    'user1' -> 'root'
Conversion Complete.


4. start httpd

[root@host11 conf]# systemctl start httpd.service


5. access http://localhost/test/, then you will see the segfault.

Actual results:


Expected results:


Additional info:
Comment 1 Hisanobu Okuda 2015-05-14 11:59:05 UTC 
Since the authz_dbm_module requires authz_owner_module, authz_owner_module should be registered before authz_dbm_module (same on authz_groupfile_module as well). Therefore, the issue is gone with the following config change:-


[root@host11 conf.modules.d]# diff -u 00-base.conf.org 00-base.conf                                                                 
--- 00-base.conf.org    2015-05-14 20:53:29.209639888 +0900
+++ 00-base.conf        2015-05-14 20:53:39.026639888 +0900
@@ -17,10 +17,10 @@
 LoadModule authn_socache_module modules/mod_authn_socache.so
 LoadModule authz_core_module modules/mod_authz_core.so
 LoadModule authz_dbd_module modules/mod_authz_dbd.so
+LoadModule authz_owner_module modules/mod_authz_owner.so
 LoadModule authz_dbm_module modules/mod_authz_dbm.so
 LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
 LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule authz_owner_module modules/mod_authz_owner.so
 LoadModule authz_user_module modules/mod_authz_user.so
 LoadModule autoindex_module modules/mod_autoindex.so
 LoadModule cache_module modules/mod_cache.so
[root@host11 conf.modules.d]#


However, just in case, it should show me an error message with the following (pseude) code, since a segfault is not the way to tell me that.


static void register_hooks(apr_pool_t *p)
{
    authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);

    if (authz_owner_get_file_group == NULL) { <== ADD THIS
      ap_log_rerror(...);                     <== ADD THIS
    }                                         <== ADD THIS
Comment 8 errata-xmlrpc 2015-11-19 04:37:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2194.html
Note You need to log in before you can comment on or make changes to this bug.