nginx segfaulting with mod_security

Maxim Dounin mdounin at mdounin.ru
Sun Apr 13 10:17:47 UTC 2014


Hello!

On Sat, Apr 12, 2014 at 04:44:28PM -0700, Robert Paprocki wrote:

> Hello,
> 
> I have compiled nginx-1.5.13 with modsecurity-2.7.7 and am seeing
> occasional segfaults when sending requests to the server. mod_security
> was compiled as a standalone module per the instructions made available
> at
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX.
> The segfaults appear sporadic and do not seem to match up with any given
> request. Below is my nginx configuration:

[...]

> Also, a backtrace of the core dump:
> (gdb) bt
> #0  0x080a1827 in ngx_http_write_filter (r=0x83bb078, in=0x8baaa6c) at
> src/http/ngx_http_write_filter_module.c:121

This points to the following code line:

        cl->buf = ln->buf;

That is, dereferencing ln->buf fails, which may only happen if the 
buffer chain ("in" argument) is broken.

[...]

> #8  0x080cfc78 in ngx_http_gunzip_body_filter (r=0x83bb078, in=0x8baaa6c)
>     at src/http/modules/ngx_http_gunzip_filter_module.c:184
> #9  0x081146bd in ngx_http_modsecurity_body_filter (r=0x83bb078,
> in=0xbf7ff8b4)
>     at
> ../modsecurity-apache_2.7.7/nginx/modsecurity//ngx_http_modsecurity.c:1252
> #10 0x08055381 in ngx_output_chain (ctx=0x8baa9b8, in=0xbf7ff8b4) at
> src/core/ngx_output_chain.c:66

And this clearly shows that the buffer chain was changed by 
mod_security output body filter.  Note "in" argument of 
mod_security ("in=0xbf7ff8b4") and gunzip filter which follows it 
("in=0x8baaa6c").

That is, from the backtrace it looks like mod_security changed the 
buffer chain and did it wrong, with a segfault as a result.

-- 
Maxim Dounin
http://nginx.org/
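
The invariant this reply relies on, as an added example that is not part of the original message and is not nginx or ModSecurity code: a filter that substitutes its own chain must pass on a list in which every link has a buffer and the last `next` is NULL. `buf_t`, `chain_t`, `chain_check`, `chain_free` and `chain_copy` are hypothetical, simplified stand-ins for nginx's buffer chain types.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for ngx_buf_t / ngx_chain_t (assumption: only the
 * fields used here; the real nginx structures carry more). */
typedef struct { const char *pos, *last; } buf_t;
typedef struct chain_s { buf_t *buf; struct chain_s *next; } chain_t;
enum { CHAIN_OK = 0, CHAIN_NULL_BUF = -1, CHAIN_UNTERMINATED = -2 };

/* Hypothetical debug check: every link carries a buffer and the chain ends
 * in NULL within max_links. It cannot detect a dangling pointer. */
int chain_check(const chain_t *in, size_t max_links)
{
    size_t n = 0;
    for (const chain_t *ln = in; ln != NULL; ln = ln->next) {
        if (++n > max_links) return CHAIN_UNTERMINATED;
        if (ln->buf == NULL) return CHAIN_NULL_BUF;
    }
    return CHAIN_OK;
}

void chain_free(chain_t *cl)
{
    while (cl != NULL) { chain_t *next = cl->next; free(cl); cl = next; }
}

/* Builds a replacement chain over the same buffers, using the append
 * pattern of the quoted line. Returns NULL on empty input or failed malloc. */
chain_t *chain_copy(const chain_t *in)
{
    chain_t *head = NULL, **ll = &head;
    for (const chain_t *ln = in; ln != NULL; ln = ln->next) {
        chain_t *cl = malloc(sizeof(*cl));
        if (cl == NULL) { chain_free(head); return NULL; }
        cl->buf = ln->buf;
        cl->next = NULL;   /* list stays terminated after every append */
        *ll = cl;
        ll = &cl->next;
    }
    return head;
}

int main(void)
{
    buf_t b = { "ok", NULL };   /* constructed sample buffer */
    chain_t one = { &b, NULL }, *copy = chain_copy(&one);
    int rc = chain_check(copy, 8);
    chain_free(copy);
    return rc == CHAIN_OK ? 0 : 1;
}
```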


