libapache2-mod-auth-mysql: SEGV in mysql_check_user_password()
Charlie Kravetz
cjk at teamcharliesangels.com
Fri Jan 23 15:19:07 UTC 2009
On Mon, 19 Jan 2009 15:12:26 +0000
Stephane Chazelas <stephane.chazelas at seebyte.com> wrote:
> Package: libapache2-mod-auth-mysql
> Version: 4.3.9-4
> Severity: important
>
>
> The bug occurs on x86_64 in mysql_check_user_password() when the
> APR "pool" for apr_pstrcat() is on a 64bit address (see source
> code of mysql_check_user_password() for reference)
>
> Breakpoint 1, mysql_check_user_password (r=0x2b6556f610a8,
>     user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******",
>     sec=0x844088) at mod_auth_mysql.c:1316
> 1316    char *auth_table = "mysql_auth", *auth_user_field = "username",
> #0  mysql_check_user_password (r=0x2b6556f610a8, user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******", sec=0x844088) at mod_auth_mysql.c:1316
> #1  0x00002b655045256b in mysql_authenticate_basic_user (r=0x2b6556f610a8) at mod_auth_mysql.c:1533
> #2  0x00000000004331b2 in ap_run_check_user_id ()
> #3  0x0000000000435144 in ap_process_request_internal ()
> #4  0x0000000000435950 in ap_sub_req_method_uri ()
> #5  0x00002b65524ed4b8 in dav_svn_authz_read () from /usr/lib/apache2/modules/mod_dav_svn.so
> #6  0x00002b6552713ec3 in ?? () from /usr/lib/libsvn_repos-1.so.1
> #7  0x00002b655271482e in ?? () from /usr/lib/libsvn_repos-1.so.1
> #8  0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
> #9  0x00002b655271482e in ?? () from /usr/lib/libsvn_repos-1.so.1
> #10 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
> #11 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
> #12 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
> #13 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
> #14 0x00002b65527141c5 in ?? () from /usr/lib/libsvn_repos-1.so.1
> #15 0x00002b655271459a in ?? () from /usr/lib/libsvn_repos-1.so.1
> #16 0x00002b6552714cb1 in svn_repos_finish_report () from /usr/lib/libsvn_repos-1.so.1
> #17 0x00002b65524ee2c9 in dav_svn__update_report () from /usr/lib/apache2/modules/mod_dav_svn.so
> #18 0x00002b65524f0e5e in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
> #19 0x00002b6551ebe31a in ?? () from /usr/lib/apache2/modules/mod_dav.so
> #20 0x0000000000437c5a in ap_run_handler ()
> #21 0x000000000043b00c in ap_invoke_handler ()
> #22 0x0000000000447508 in ap_process_request ()
> #23 0x000000000044494c in ?? ()
> #24 0x000000000043ec32 in ap_run_process_connection ()
> #25 0x000000000044b39c in ?? ()
> #26 0x000000000044b654 in ?? ()
> #27 0x000000000044b6f7 in ?? ()
> #28 0x000000000044c1bf in ap_mpm_run ()
> #29 0x0000000000425aa1 in main ()
> (gdb) Continuing.
>
> Breakpoint 3, mysql_check_user_password (r=0x2b6556f610a8,
>     user=0x2b6556f62d50 "stephane", password=0x2b6556f62d41 "******",
>     sec=0x844088) at mod_auth_mysql.c:1345
> 1345    if (!query) {
> $13 = 0x56f62d78 <Address 0x56f62d78 out of bounds>
> (gdb) n
> 1351    if ((rv = safe_mysql_query(r, query, sec))) {
> (gdb)
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00002b654dda8b50 in strlen () from /lib/libc.so.6
>
> (sorry, I no longer have the bt on the failing instruction)
>
> apr_pstrcat returns a 64bit address (r=0x2b6556f62d78), but it
> gets truncated in "query" into 0x56f62d78. Looking at the
> disassembly of mysql_check_user_password(), there's a cltq
> instruction after the call to PSTRCAT(). That is because the
> #include <apr_strings.h> is missing, so mod_auth_mysql
> thinks that function (apr_pstrcat) returns an integer instead of
> a pointer, hence the truncation.
>
> Actually, gcc gives a warning when compiling that code which
> would have helped find the problem.
>
> It seems the problem is still there in newer versions of ubuntu.
>
> The problem only appears when the address returned by PSTRCAT()
> is 64bits.
>
> The simple fix:
>
> --- mod_auth_mysql.c~ 2009-01-19 14:57:14.717958623 +0000
> +++ mod_auth_mysql.c 2009-01-19 14:54:00.947332133 +0000
> @@ -49,6 +49,7 @@
> #ifdef APACHE2
> #include "http_request.h" /* for ap_hook_(check_user_id |
> auth_checker)*/ #include <apr_general.h>
> +#include <apr_strings.h>
> #include <apr_md5.h>
> #include <apr_sha1.h>
> #else
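Review bot: the include is correctly placed inside the `#ifdef APACHE2` branch, since apr_pstrcat() only exists under APR, but the fix leaves the underlying failure mode open: any other APR function used in this file without its header in scope gets the same implicit-int treatment and the same pointer truncation on 64-bit. Suggest pairing the one-line fix with `-Werror=implicit-function-declaration` in the build flags so the warning the reporter mentions becomes a build failure rather than a runtime SIGSEGV. As a side benefit, <apr_strings.h> declares the whole apr_pstrdup/apr_pstrcat/apr_psprintf family, so this hunk also covers any other apr_pstr* call in the file.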
>
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers gutsy-updates
>   APT policy: (500, 'gutsy-updates'), (500, 'gutsy-security'), (500, 'gutsy')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.22-14-server (SMP w/2 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libapache2-mod-auth-mysql depends on:
> ii  apache2.2-common     2.2.4-3ubuntu0.1  Next generation, scalable, extenda
> ii  libc6                2.6.1-1ubuntu10   GNU C Library: Shared libraries
> ii  libmysqlclient15off  5.0.45-1ubuntu3   MySQL database client library
>
> libapache2-mod-auth-mysql recommends no packages.
>
> -- no debconf information
>
Can you file this on launchpad? I know the system sent it to the users
mailing list, but it never gets worked if it stays here.
The right place to file bug reports is:
https://bugs.launchpad.net/ubuntu
That will give the developers a chance to see if they can fix it.
Thanks.
--
Charlie Kravetz
Linux Registered User Number 425914 [http://counter.li.org/]
Never let anyone steal your DREAM. [http://keepingdreams.com]
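The truncation Stephane describes is worth seeing in isolation. The following is an added example, not code from the report or from mod_auth_mysql: it models, in plain arithmetic, what the caller does on x86-64 when apr_pstrcat() is called with no prototype in scope. Under C89 implicit-int rules the compiler assumes an int return, so it keeps only EAX (the low 32 bits of the pointer that came back in RAX) and emits cltq to sign-extend that into the 64-bit `char *query`. The first two addresses are taken from the backtrace above (the apr_pstrcat result and the `sec` pointer); the third, 0x7fffd0001234, is a constructed value chosen to have its bit 31 set so the sign-extension case is visible too.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Arithmetic model of the implicit-int return on x86-64 (SysV ABI):
 *   1. the caller reads EAX, i.e. the low 32 bits of the real pointer;
 *   2. cltq sign-extends EAX into RAX before the store into `query`.
 * uint64_t is used instead of uintptr_t so the model is host-independent.
 */
uint64_t implicit_int_return(uint64_t real_pointer)
{
    uint32_t low32 = (uint32_t)real_pointer;      /* step 1: EAX only */
    if (low32 & 0x80000000u)                      /* step 2: cltq */
        return 0xffffffff00000000ULL | low32;
    return low32;
}

/* The pointer survives only if the address already fits a sign-extended
   32-bit value, which is why the report says the bug needs a "64bit"
   address from the APR pool. */
int pointer_survives(uint64_t p)
{
    return implicit_int_return(p) == p;
}

int main(void)
{
    /* 0x2b6556f62d78 and 0x844088 are from the report; 0x7fffd0001234 is a
       constructed high-address sample with bit 31 set. */
    uint64_t samples[] = { 0x2b6556f62d78ULL, 0x844088ULL, 0x7fffd0001234ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t got = implicit_int_return(samples[i]);
        printf("%#018llx -> %#018llx %s\n",
               (unsigned long long)samples[i], (unsigned long long)got,
               got == samples[i] ? "ok" : "TRUNCATED");
    }
    return 0;
}
```

The second sample shows why the crash was so selective: `sec` lives in the main executable's low image and round-trips unchanged, while the pool string at 0x2b6556f62d78 collapses to 0x56f62d78, exactly the value gdb printed for `$13`. The compiler warning Stephane mentions is `-Wimplicit-function-declaration`; building with `-Werror=implicit-function-declaration` turns it into a hard error, and GCC 14 and later reject implicit declarations by default in C99 and newer modes.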