nginx segfaulting with mod_security

Robert Paprocki rpaprocki at fearnothingproductions.net
Mon Apr 14 03:42:04 UTC 2014


Hi Maxim!

Thank you for your response, always nice to actually hear back from
someone knowledgeable. Once thing I had noticed while looking at
backtraces (coredumps seem to indicate segfaults occurring in a number
of places, not just filter_module.c:121) was that every bt seemed to
include gzip modules as well. i disabled gzip in both my server and http
sections but this did not stop the segfaults (which is interesting, but
not entirely surprising, given that even when I had set SecRuleEngine to
off in my modsecurity.conf file, segfaults still occured... so even the
mere presence of ModSecurityEnabled in the nginx configuration was
leading to a break).

I have since recompiled nginx without both gunzip module and gzip static
module, and have not yet gotten any segfaults. i will continue to
research this and update if I have any more information

On 04/13/2014 03:17 AM, Maxim Dounin wrote:
> Hello!
> 
> On Sat, Apr 12, 2014 at 04:44:28PM -0700, Robert Paprocki wrote:
> 
>> Hello,
>>
>> I have compiled nginx-1.5.13 with modsecurity-2.7.7 and am seeing
>> occasional segfaults when sending requests to the server. mod_security
>> was compiled as a standalone module per the instructions made available
>> at
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX.
>> The segfaults appear sporadic and do not seem to match up with any given
>> request. Below is my nginx configuration:
> 
> [...]
> 
>> Also, a backtrace of the core dump:
>> (gdb) bt
>> #0  0x080a1827 in ngx_http_write_filter (r=0x83bb078, in=0x8baaa6c) at
>> src/http/ngx_http_write_filter_module.c:121
> 
> This points to the following code line:
> 
>         cl->buf = ln->buf;
> 
> That is, dereferencing ln->buf fails, which may only happen if the 
> buffer chain ("in" argument) is broken.
> 
> [...]
> 
>> #8  0x080cfc78 in ngx_http_gunzip_body_filter (r=0x83bb078, in=0x8baaa6c)
>>     at src/http/modules/ngx_http_gunzip_filter_module.c:184
>> #9  0x081146bd in ngx_http_modsecurity_body_filter (r=0x83bb078,
>> in=0xbf7ff8b4)
>>     at
>> ../modsecurity-apache_2.7.7/nginx/modsecurity//ngx_http_modsecurity.c:1252
>> #10 0x08055381 in ngx_output_chain (ctx=0x8baa9b8, in=0xbf7ff8b4) at
>> src/core/ngx_output_chain.c:66
> 
> And this clearly shows that the buffer chain was chaned by 
> mod_security output body filter.  Note "in" argument of 
> mod_security ("in=0xbf7ff8b4") and gunzip filter which follows it 
> ("in=0x8baaa6c").
> 
> That is, from the backtrace it looks like mod_security changed the 
> buffer chain and did it wrong, with a segfault as a result.
> 



More information about the nginx mailing list