Bug 2014461 - Test case failure: /CoreOS/httpd/Security/CVE-2014-0118-httpd-mod-deflate-denial-of-service
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: httpd
Version: 9.0
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Stepan Broz
QA Contact: icesalov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-15 10:04 UTC by Branislav Náter
Modified: 2023-06-14 14:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-06-14 14:08:10 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
Apache Bugzilla 57087 - last updated 2023-06-12 12:25:02 UTC
Red Hat Issue Tracker RHELPLAN-101400 - last updated 2021-11-01 20:23:19 UTC

Description Branislav Náter 2021-10-15 10:04:16 UTC
The /CoreOS/httpd/Security/CVE-2014-0118-httpd-mod-deflate-denial-of-service test is failing only on the aarch64 and ppc64le architectures.

Version-Release number of selected component (if applicable):
RHEL-9.0.0-20211007.7

Steps to Reproduce: 
run /CoreOS/httpd/Security/CVE-2014-0118-httpd-mod-deflate-denial-of-service on aarch64 or ppc64le boxes.


Actual results: 
<snip>
:: [ 05:40:26 ] :: [  BEGIN   ] :: Sending HTTP request :: actually running 'wget -O- --header="Content-Encoding: gzip" --post-file=postdata.gz http://localhost/$TESTFILE'
--2021-10-15 05:40:26--  http://localhost/CVE-2014-0118.php
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘STDOUT’
fish is 

     0K                                                         295K=0s

2021-10-15 05:40:26 (295 KB/s) - written to stdout [9]

:: [ 05:40:26 ] :: [   PASS   ] :: Sending HTTP request (Expected 0, got 0)
:: [ 05:40:26 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.uDJTMWde' should contain 'fish is 42' 

Expected results:
test is passing on all architectures:

:: [ 11:49:19 ] :: [  BEGIN   ] :: Sending HTTP request :: actually running 'wget -O- --header="Content-Encoding: gzip" --post-file=postdata.gz http://localhost/$TESTFILE'
fish is 42
--2021-10-15 11:49:19--  http://localhost/CVE-2014-0118.php
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘STDOUT’

     0K                                                         844K=0s

2021-10-15 11:49:19 (844 KB/s) - written to stdout [11]

:: [ 11:49:19 ] :: [   PASS   ] :: Sending HTTP request (Expected 0, got 0)
:: [ 11:49:19 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.2f0AbwiA' should contain 'fish is 42'

Comment 10 RHEL Program Management 2023-04-15 07:28:02 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 19 Stepan Broz 2023-06-09 16:11:14 UTC
This looks like a bug in httpd.

The failed runs on aarch64 all do read the client's request in a single read() -- the request, headers, and the gzipped body. The "deflate_in_filter()" does the inflate completely in the first run while mod_proxy_fcgi is still in ap_proxy_prefetch_input().
The successful run, on the other hand, reads the request and headers in first read() when in ap_proxy_prefetch_input(), and reads the body later when in dispatch().

The above seems harmless and in both situations the inflate is successful and uncompressed data is sent to the FCGI socket to PHP, however, the failed run is missing the CONTENT_LENGTH environment, which does not get sent because "Content-Length" is removed here:

modules/filters/mod_deflate.c:
1184             rv = apr_brigade_flatten(ctx->bb,
1185                                      ctx->header + ctx->header_len, &len);
1186             if (rv != APR_SUCCESS) {
1187                 return rv;
1188             }
1189             if (len && !ctx->header_len) {
1190                 apr_table_unset(r->headers_in, "Content-Length");
1191                 apr_table_unset(r->headers_in, "Content-MD5");
1192             }
1193             ctx->header_len += len;
1194 
1195         } while (ctx->header_len < sizeof(ctx->header));

And while this header is removed again in both scenarios, in the failed run the removal happens before send_environment() is done in fcgi_do_request(). In the successful run the header is removed after send_environment() has already been done (while in dispatch()):

modules/proxy/mod_proxy_fcgi.c:
 983     /* Step 2: Send Environment via FCGI_PARAMS */
 984     rv = send_environment(conn, r, temp_pool, request_id);
 985     if (rv != APR_SUCCESS) {
 986         ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01074)
 987                       "Failed writing Environment to %s:", server_portstr);
 988         conn->close = 1;
 989         return HTTP_SERVICE_UNAVAILABLE;
 990     }
 991 
 992     /* Step 3: Read records from the back end server and handle them. */
 993     rv = dispatch(conn, conf, r, temp_pool, request_id,
 994                   &err, &bad_request, &has_responded,
 995                   input_brigade);


Commenting out modules/filters/mod_deflate.c:1190 makes the test pass (it's a test, not a fix).

Comment 20 Stepan Broz 2023-06-12 12:25:03 UTC
While I believe sending incorrect (pre-inflate or none) Content-Length with a POST request is a bug, setting "SetEnv proxy-sendcl 1" fixes the test.

https://bz.apache.org/bugzilla/show_bug.cgi?id=57087
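
Added illustration (a constructed Python model, not httpd's code) of the ordering problem described in comments 19 and 20: a model deflate input filter drops Content-Length on its first inflate, and the environment encoded as a real FCGI_PARAMS record only carries CONTENT_LENGTH if that header still exists when send_environment() runs. How "proxy-sendcl" fixes it is an assumption of this model: the body is spooled first and Content-Length is reset from the spooled size.

```python
import gzip
import struct

FCGI_VERSION_1, FCGI_PARAMS = 1, 4

# Constructed sample request body, gzip-encoded as the test's postdata.gz would be.
SAMPLE_BODY = b"hello from a gzip-encoded POST body"
SAMPLE_GZ = gzip.compress(SAMPLE_BODY)


def fcgi_nv_pair(name: bytes, value: bytes) -> bytes:
    """Encode one FastCGI name-value pair: each length is 1 byte below 128,
    otherwise 4 bytes big-endian with the high bit set."""
    out = b""
    for n in (len(name), len(value)):
        out += struct.pack(">B", n) if n < 128 else struct.pack(">I", n | 0x80000000)
    return out + name + value


def fcgi_params_record(request_id: int, env: dict) -> bytes:
    """Wrap the environment in one FCGI_PARAMS record: 8-byte header
    (version, type, request id, content length, padding, reserved), body, padding."""
    body = b"".join(fcgi_nv_pair(k.encode(), v.encode()) for k, v in env.items())
    pad = (-len(body)) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION_1, FCGI_PARAMS, request_id, len(body), pad)
    return header + body + b"\0" * pad


def deflate_in_filter(headers_in: dict, body_gz: bytes) -> bytes:
    """Model of mod_deflate's input filter: the first inflated chunk makes it
    unset Content-Length and Content-MD5 (mod_deflate.c:1190-1191 in comment 19)."""
    headers_in.pop("Content-Length", None)
    headers_in.pop("Content-MD5", None)
    return gzip.decompress(body_gz)


def send_environment(headers_in: dict) -> dict:
    """Model of step 2: CONTENT_LENGTH is taken from headers_in as they are right now."""
    env = {"REQUEST_METHOD": "POST"}
    if "Content-Length" in headers_in:
        env["CONTENT_LENGTH"] = headers_in["Content-Length"]
    return env


def fcgi_request(headers_in: dict, body_gz: bytes, prefetch_whole_body: bool, proxy_sendcl: bool = False):
    """Return (env, inflated body) for the two orderings from comment 19."""
    headers, body = dict(headers_in), None
    if proxy_sendcl:
        body = deflate_in_filter(headers, body_gz)      # assumed: spool, then fix the length
        headers["Content-Length"] = str(len(body))
    elif prefetch_whole_body:
        body = deflate_in_filter(headers, body_gz)      # failed run: inflate in prefetch, before step 2
    env = send_environment(headers)
    if body is None:
        body = deflate_in_filter(headers, body_gz)      # successful run: inflate later, in dispatch()
    return env, body
```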

