[BUG] New memory invalid read regression in resolver since nginx 1.7.5

Yichun Zhang (agentzh) agentzh at gmail.com
Tue Sep 30 22:51:40 UTC 2014


Hello!

On Tue, Sep 30, 2014 at 3:10 PM, Yichun Zhang (agentzh) wrote:
>     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
>                    "event timer del: %d: %M",
>                     ngx_event_ident(ev->data), ev->timer.key);
>

There is another issue here: it seems that ngx_event_ident() assumes
ev->data is an ngx_connection_t pointer:

    #define ngx_event_ident(p)  ((ngx_connection_t *) (p))->fd

But in fact, ev->data can point to anything. Maybe it makes more
sense to just output the pointer value of ev->data here?

How about the following patch?

# HG changeset patch
# User Yichun Zhang <agentzh at gmail.com>
# Date 1412117428 25200
#      Tue Sep 30 15:50:28 2014 -0700
# Node ID 1ff0f68d9376e3d184d65814a6372856bf65cfcd
# Parent  a215d9021f137b9e2d4f69c37c7f992a2bef12c6
Event: ngx_event_ident should not assume ev->data to be an ngx_connection_t.

This change also fixes an invalid memory read in the resolver since 1.7.5
when --with-debug is used in the build.

diff -r a215d9021f13 -r 1ff0f68d9376 src/event/ngx_event.h
--- a/src/event/ngx_event.h Tue Sep 30 17:20:33 2014 +0400
+++ b/src/event/ngx_event.h Tue Sep 30 15:50:28 2014 -0700
@@ -526,7 +526,7 @@ ngx_int_t ngx_send_lowat(ngx_connection_


 /* used in ngx_log_debugX() */
-#define ngx_event_ident(p)  ((ngx_connection_t *) (p))->fd
+#define ngx_event_ident(p)  (p)


 #include <ngx_event_timer.h>
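Review bot: Reducing `ngx_event_ident(p)` to `(p)` changes the macro's result type from `int` (the fd) to `void *`, so every expansion must now be paired with `%p`; the patch updates the sites in ngx_event_timer.c and ngx_event_timer.h (the hunks below), but if any other debug-log site in the tree still expands the macro under `%d`, it would now pass a pointer to an integer conversion and should be audited before this lands. The comment above the macro no longer describes what the identifier is, so it should state the new contract, e.g. `/* used in ngx_log_debugX(); yields ev->data itself, format with %p */`. Since the macro is now an identity, it is worth saying in the comment or commit message that it is kept only as a single place to change the identifier later, otherwise a reader will wonder why `ev->data` is not passed directly.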
diff -r a215d9021f13 -r 1ff0f68d9376 src/event/ngx_event_timer.c
--- a/src/event/ngx_event_timer.c Tue Sep 30 17:20:33 2014 +0400
+++ b/src/event/ngx_event_timer.c Tue Sep 30 15:50:28 2014 -0700
@@ -99,7 +99,7 @@ ngx_event_expire_timers(void)
             ev = (ngx_event_t *) ((char *) node -
offsetof(ngx_event_t, timer));

             ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
-                           "event timer del: %d: %M",
+                           "event timer del: %p: %M",
                            ngx_event_ident(ev->data), ev->timer.key);

             ngx_rbtree_delete(&ngx_event_timer_rbtree, &ev->timer);
diff -r a215d9021f13 -r 1ff0f68d9376 src/event/ngx_event_timer.h
--- a/src/event/ngx_event_timer.h Tue Sep 30 17:20:33 2014 +0400
+++ b/src/event/ngx_event_timer.h Tue Sep 30 15:50:28 2014 -0700
@@ -36,7 +36,7 @@ static ngx_inline void
 ngx_event_del_timer(ngx_event_t *ev)
 {
     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
-                   "event timer del: %d: %M",
+                   "event timer del: %p: %M",
                     ngx_event_ident(ev->data), ev->timer.key);

     ngx_mutex_lock(ngx_event_timer_mutex);
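Review bot: The new `%p` conversion fixes the type mismatch, but the logged value is the opaque `ev->data` pointer, which presumably can be NULL or shared between events and so may not identify the timer uniquely; if a stable identifier is the goal, the event address itself (`ev`) is always valid and could be logged alongside, e.g. `"event timer del: %p: %M"` with `ev` in place of `ngx_event_ident(ev->data)` — worth confirming against how other nginx debug output identifies events. The same consideration applies to the two ngx_event_add_timer hunks and the ngx_event_expire_timers hunk. ngx_event_del_timer's body continues outside the hunk.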
@@ -75,7 +75,7 @@ ngx_event_add_timer(ngx_event_t *ev, ngx

         if (ngx_abs(diff) < NGX_TIMER_LAZY_DELAY) {
             ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ev->log, 0,
-                           "event timer: %d, old: %M, new: %M",
+                           "event timer: %p, old: %M, new: %M",
                             ngx_event_ident(ev->data), ev->timer.key, key);
             return;
         }
@@ -86,7 +86,7 @@ ngx_event_add_timer(ngx_event_t *ev, ngx
     ev->timer.key = key;

     ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ev->log, 0,
-                   "event timer add: %d: %M:%M",
+                   "event timer add: %p: %M:%M",
                     ngx_event_ident(ev->data), timer, ev->timer.key);

     ngx_mutex_lock(ngx_event_timer_mutex);
-------------- next part --------------
A non-text attachment was scrubbed...
Name: event-ident.patch
Type: text/x-patch
Size: 2764 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140930/951e46f4/attachment.bin>

