libapache2-mod-auth-mysql: SEGV in mysql_check_user_password()

Stephane Chazelas stephane.chazelas at seebyte.com
Mon Jan 19 15:12:26 GMT 2009


Package: libapache2-mod-auth-mysql
Version: 4.3.9-4
Severity: important


The bug occurs on x86_64 in mysql_check_user_password() when the
APR "pool" for apr_pstrcat() is on a 64-bit address (see source
code of mysql_check_user_password() for reference).

Breakpoint 1, mysql_check_user_password (r=0x2b6556f610a8, user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******", sec=0x844088) at mod_auth_mysql.c:1316
1316		char *auth_table = "mysql_auth", *auth_user_field = "username",
#0  mysql_check_user_password (r=0x2b6556f610a8, user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******", sec=0x844088) at mod_auth_mysql.c:1316
#1  0x00002b655045256b in mysql_authenticate_basic_user (r=0x2b6556f610a8) at mod_auth_mysql.c:1533
#2  0x00000000004331b2 in ap_run_check_user_id ()
#3  0x0000000000435144 in ap_process_request_internal ()
#4  0x0000000000435950 in ap_sub_req_method_uri ()
#5  0x00002b65524ed4b8 in dav_svn_authz_read () from /usr/lib/apache2/modules/mod_dav_svn.so
#6  0x00002b6552713ec3 in ?? () from /usr/lib/libsvn_repos-1.so.1
#7  0x00002b655271482e in ?? () from /usr/lib/libsvn_repos-1.so.1
#8  0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
#9  0x00002b655271482e in ?? () from /usr/lib/libsvn_repos-1.so.1
#10 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
#11 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
#12 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
#13 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
#14 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
#15 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
#16 0x00002b6552714cb1 in svn_repos_finish_report () from /usr/lib/libsvn_repos-1.so.1
#17 0x00002b65524ee2c9 in dav_svn__update_report () from /usr/lib/apache2/modules/mod_dav_svn.so
#18 0x00002b65524f0e5e in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#19 0x00002b6551ebe31a in ?? () from /usr/lib/apache2/modules/mod_dav.so
#20 0x0000000000437c5a in ap_run_handler ()
#21 0x000000000043b00c in ap_invoke_handler ()
#22 0x0000000000447508 in ap_process_request ()
#23 0x000000000044494c in ?? ()
#24 0x000000000043ec32 in ap_run_process_connection ()
#25 0x000000000044b39c in ?? ()
#26 0x000000000044b654 in ?? ()
#27 0x000000000044b6f7 in ?? ()
#28 0x000000000044c1bf in ap_mpm_run ()
#29 0x0000000000425aa1 in main ()
(gdb) 
Continuing.

Breakpoint 3, mysql_check_user_password (r=0x2b6556f610a8, user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******", sec=0x844088) at mod_auth_mysql.c:1345
1345		if (!query) {
$13 = 0x56f62d78 <Address 0x56f62d78 out of bounds>
(gdb) n
1351		if ((rv = safe_mysql_query(r, query, sec))) {
(gdb) 

Program received signal SIGSEGV, Segmentation fault.
0x00002b654dda8b50 in strlen () from /lib/libc.so.6

(sorry, I no longer have the bt on the failing instruction)

apr_pstrcat returns a 64-bit address (r=0x2b6556f62d78), but it
gets truncated in "query" into 0x56f62d78. Looking at the
disassembly of mysql_check_user_password(), there's a cltq
instruction after the call to PSTRCAT(). That is because the
#include <apr_strings.h> is missing, so mod_auth_mysql
thinks that function (apr_pstrcat) returns an integer instead of
a pointer, hence the truncation.

Actually, gcc gives a warning when compiling that code which
would have helped find the problem.

It seems the problem is still there in newer versions of ubuntu.

The problem only appears when the address returned by PSTRCAT()
is 64 bits.

The simple fix:

--- mod_auth_mysql.c~	2009-01-19 14:57:14.717958623 +0000
+++ mod_auth_mysql.c	2009-01-19 14:54:00.947332133 +0000
@@ -49,6 +49,7 @@
 #ifdef APACHE2
 #include "http_request.h"   /* for ap_hook_(check_user_id | auth_checker)*/
 #include <apr_general.h>
+#include <apr_strings.h>
 #include <apr_md5.h>
 #include <apr_sha1.h>
 #else
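Review bot: the added `#include <apr_strings.h>` is the right fix, but nothing in this hunk keeps the same class of bug from coming back; since the root cause is an implicit declaration that gcc already warned about, the build should pass -Werror=implicit-function-declaration so the next missing header fails at compile time instead of truncating a pointer at run time on amd64. The new include sits inside the `#ifdef APACHE2` block next to `<apr_general.h>`, which is correct because apr_pstrcat() is an APR API; the `#else` branch visible at the end of the hunk is deliberately untouched.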

-- System Information:
Debian Release: lenny/sid
  APT prefers gutsy-updates
  APT policy: (500, 'gutsy-updates'), (500, 'gutsy-security'), (500, 'gutsy')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-14-server (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-auth-mysql depends on:
ii  apache2.2-common        2.2.4-3ubuntu0.1 Next generation, scalable, extenda
ii  libc6                   2.6.1-1ubuntu10  GNU C Library: Shared libraries
ii  libmysqlclient15off     5.0.45-1ubuntu3  MySQL database client library

libapache2-mod-auth-mysql recommends no packages.

-- no debconf information




More information about the ubuntu-users mailing list
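An added example in C, not code from the bug report or from mod_auth_mysql, that models the truncation the report describes. Without a prototype, a pre-C99 compiler assumes apr_pstrcat() returns int, so on x86_64 the caller keeps only the low 32 bits of %rax and sign-extends them (the cltq instruction noted above) before storing the result into `query`. The function names and the round-trip check are assumptions of this example; the input values are the ones visible in the gdb session. It also goes slightly beyond the report: because the low half is sign-extended, any address at or above 2 GiB is corrupted, not only addresses above 4 GiB.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of mod_auth_mysql or the bug report.
 * Models the code the compiler emitted for an implicitly declared
 * apr_pstrcat(): the callee returns a 64-bit pointer in %rax, the
 * caller believes the result is an int, keeps %eax only, and then
 * sign-extends it with cltq before storing it into the char *query. */

/* Value the caller stored: low 32 bits of the return, sign-extended. */
uint64_t truncate_like_implicit_int(uint64_t returned_addr)
{
    uint32_t low = (uint32_t)returned_addr;   /* only %eax is kept   */
    int32_t as_int;
    memcpy(&as_int, &low, sizeof as_int);      /* reinterpret as int  */
    return (uint64_t)(int64_t)as_int;          /* cltq: sign-extend   */
}

/* True if an address comes back unchanged from the int round trip,
 * i.e. it lies in the low 2 GiB of the address space. */
bool survives_int_return(uint64_t addr)
{
    return truncate_like_implicit_int(addr) == addr;
}

/* Same check for a live pointer on the host running this program. */
bool pointer_survives_int_return(const void *p)
{
    return survives_int_return((uint64_t)(uintptr_t)p);
}

static void show(uint64_t addr)
{
    uint64_t stored = truncate_like_implicit_int(addr);
    printf("returned %#" PRIx64 " -> stored %#" PRIx64 " (%s)\n",
           addr, stored, survives_int_return(addr) ? "ok" : "CORRUPTED");
}

int main(void)
{
    /* Values from the report: apr_pstrcat() returned 0x2b6556f62d78
     * and gdb then showed query == 0x56f62d78 (out of bounds). */
    show(0x2b6556f62d78ULL);
    /* sec=0x844088 in the same backtrace sits in the low 2 GiB, so a
     * pointer like that would have survived, which is why the bug only
     * showed up once the APR pool lived at a high address. */
    show(0x844088ULL);
    /* Low half with its top bit set: sign extension turns it into a
     * "negative" address in the upper half of the address space. */
    show(0x7f0080000000ULL);

    int local = 0;
    printf("stack variable on this host survives int return: %s\n",
           pointer_survives_int_return(&local) ? "yes" : "no");
    return 0;
}
```

On a 64-bit Linux host with a PIE or a high-mapped heap the last line prints "no", which is exactly the condition under which the original module crashed; on a build where every APR pool happens to sit below 2 GiB the bug is invisible, matching the report's note that it only appears for 64-bit return values.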