ngx_execute_proc

Tolga Ceylan tolga.ceylan at gmail.com
Mon Aug 24 18:55:42 UTC 2015


On Sun, Aug 23, 2015 at 11:38 AM, Ricardo Iramar dos Santos
<riramar at gmail.com> wrote:
> Hi Tolga, thanks a lot for your reply! :)
>
> Searching on the source code I found that ngx_execute_proc() has been
> declared and invoked inside src/os/unix/ngx_process.c.
>
> ricardo at matrix:~/Documents/nginx-1.9.3$ grep -ri ngx_execute_proc *
> Binary file objs/src/os/unix/ngx_process.o matches
> Binary file objs/nginx matches
> src/os/unix/ngx_process.c:static void ngx_execute_proc(ngx_cycle_t
> *cycle, void *data);
> src/os/unix/ngx_process.c:    return ngx_spawn_process(cycle,
> ngx_execute_proc, ctx, ctx->name,
> src/os/unix/ngx_process.c:ngx_execute_proc(ngx_cycle_t *cycle, void *data)
>
> The function ngx_execute_proc() is really small, take a look:
>
> static void
> ngx_execute_proc(ngx_cycle_t *cycle, void *data)
> {
>     ngx_exec_ctx_t  *ctx = data;
>
>     if (execve(ctx->path, ctx->argv, ctx->envp) == -1) {
>         ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
>                       "execve() failed while executing %s \"%s\"",
>                       ctx->name, ctx->path);
>     }
>
>     exit(1);
> }
>
> And this is the function from which ngx_execute_proc() is maybe invoked.
>
> ngx_pid_t
> ngx_execute(ngx_cycle_t *cycle, ngx_exec_ctx_t *ctx)
> {
>     return ngx_spawn_process(cycle, ngx_execute_proc, ctx, ctx->name,
>                              NGX_PROCESS_DETACHED);
> }
>
> I don't yet get where the code of the upgrade process touches the
> functions above.
> I didn't find ngx_exec_new_binary() (/src/core/nginx.c) invoking
> ngx_execute_proc() directly.
> I'm trying to find "command injection" vulnerabilities, so I need to
> trace the parameters "ctx->path, ctx->argv and ctx->envp" and where
> users input data into them.
>
> Thanks!
> Ricardo Iramar
>

Hi Ricardo,

In nginx.c, ngx_exec_new_binary() calls ngx_execute(), which calls
ngx_spawn_process() with the "ngx_execute_proc" function pointer.

This is all triggered via the "new binary" signal. The signal handler will
set "ngx_change_binary". ngx_master_process_cycle()
checks if ngx_change_binary is set and calls ngx_exec_new_binary().

Hope this helps,
Tolga


