[Bug 61228] New: Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)


Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

            Bug ID: 61228
           Summary: Possible Invalid Reference to Stack Memory
                    (modules/http/chunk_filters.c)
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: All
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Our tool has reported an invalid use of a stack address in function
`ap_http_chunk_filter` of modules/http/chunk_filters.c:
https://github.com/apache/httpd/blob/trunk/modules/http/chunk_filter.c#L137

            e = apr_bucket_transient_create(chunk_hdr, hdr_len,
                                            c->bucket_alloc);
            APR_BRIGADE_INSERT_HEAD(b, e);


In the above code piece, chunk_hdr is a local variable; e->data will point to
chunk_hdr after `apr_bucket_transient_create`, and APR_BRIGADE_INSERT_HEAD
binds e to the outside variable b (which comes from a function argument).

=> binds buf (stack memory in this case) to a newly created bucket:
APR_DECLARE(apr_bucket *) apr_bucket_transient_make(apr_bucket *b,
                                                    const char *buf,
                                                    apr_size_t length)
{
    b->data   = (char *)buf;
    b->length = length;
    b->start  = 0;
    b->type   = &apr_bucket_type_transient;
    return b;
}

Could anybody have a look? Thanks.
SourceBrella Inc.
Alex

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

--- Comment #1 from Yann Ylavic <[hidden email]> ---
As their name suggests, "transient" buckets can point to stack memory, where
the creator of such buckets is responsible for the scope.

In this case, the transient bucket 'e' will be either setaside (moved to heap
memory) by subsequent filters in ap_pass_brigade(), or cleaned up with its
brigade 'b' before the end of the function.

So it won't "leak" (hence be accessed) outside the function, AFAICT.

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

Alex CHEN <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED

--- Comment #2 from Alex CHEN <[hidden email]> ---
(In reply to Yann Ylavic from comment #1)
> As their name suggests, "transient" buckets can point to stack memory, where
> the creator of such buckets is responsible for the scope.
>
> In this case, the transient bucket 'e' will be either setaside (moved to
> heap memory) by subsequent filters in ap_pass_brigade(), or cleaned up with
> its brigade 'b' before the end of the function.
>
> So it won't "leak" (hence be accessed) outside the function, AFAICT.

I see, `apr_brigade_cleanup` unlinks all 'e' from their brigade, so b cannot
reference its 'e' (e->data, stack memory) anymore (the destroy callback of
`apr_bucket_type_transient` is an empty function, but the unlinking from b
will do the job). Really, thanks for your concern and clarification @Ylavic

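The lifetime rule discussed in comments #1 and #2 (a transient bucket may point at stack memory only as long as a downstream consumer either sets it aside, i.e. copies the bytes to the heap, or the brigade is cleaned up before the creating function returns) can be checked in isolation with a small model. The code below is an added example, not code from the bug report, httpd or APR: the bucket, brigade, setaside and cleanup routines are this example's own minimal definitions that mirror APR's vocabulary, and `add_chunk_header` is a hypothetical stand-in for the pattern in `ap_http_chunk_filter`, with the `retain` flag modelling what the next filter in `ap_pass_brigade()` does.

```c
/* Added example (not from the bug report, httpd or APR): a minimal model of
 * the transient-bucket lifetime rule. All names below are this example's own
 * definitions, chosen to mirror APR's vocabulary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { TRANSIENT, HEAP } bucket_type;

typedef struct bucket {
    bucket_type type;
    const char *data;      /* TRANSIENT: owned by the creator (may be stack); HEAP: malloc'd */
    size_t len;
    struct bucket *next;
} bucket;

typedef struct { bucket *head; } brigade;

/* Like apr_bucket_transient_create: the bucket only borrows buf. */
static bucket *transient_create(const char *buf, size_t len) {
    bucket *e = malloc(sizeof *e);
    e->type = TRANSIENT; e->data = buf; e->len = len; e->next = NULL;
    return e;
}

static void insert_head(brigade *bb, bucket *e) { e->next = bb->head; bb->head = e; }

/* Setaside: what a consumer must do before keeping a bucket beyond the
 * creator's scope; transient data is copied to the heap. */
static void setaside(bucket *e) {
    if (e->type == TRANSIENT) {
        char *copy = malloc(e->len);
        memcpy(copy, e->data, e->len);
        e->data = copy; e->type = HEAP;
    }
}

/* Cleanup: unlink and destroy every bucket. A transient bucket's destroy
 * does nothing to the data (the creator owns it); a heap bucket frees it. */
static void brigade_cleanup(brigade *bb) {
    while (bb->head) {
        bucket *e = bb->head;
        bb->head = e->next;
        if (e->type == HEAP) free((void *)e->data);
        free(e);
    }
}

/* Hypothetical stand-in for the chunk filter pattern: format the chunk
 * header into a stack buffer, wrap it in a transient bucket, insert it at the
 * head of the caller's brigade. retain != 0 models a downstream filter that
 * keeps the brigade (and so must set aside); retain == 0 models a filter that
 * consumes it and cleans up before this function returns. */
static void add_chunk_header(brigade *bb, size_t body_len, int retain) {
    char chunk_hdr[20];                         /* stack memory, as in chunk_filter.c */
    int hdr_len = snprintf(chunk_hdr, sizeof chunk_hdr, "%zx\r\n", body_len);
    bucket *e = transient_create(chunk_hdr, (size_t)hdr_len);
    insert_head(bb, e);
    if (retain) {
        for (bucket *p = bb->head; p; p = p->next) setaside(p);
    } else {
        brigade_cleanup(bb);                    /* nothing in bb points at chunk_hdr now */
    }
    /* Either way, no bucket references chunk_hdr once this frame is gone. */
}

/* Returns 1 if a retained brigade's head is a heap copy of "1a\r\n". */
int retained_header_is_heap_copy(void) {
    brigade bb = { NULL };
    add_chunk_header(&bb, 0x1a, 1);
    bucket *e = bb.head;
    int ok = e != NULL && e->type == HEAP && e->len == 4 &&
             memcmp(e->data, "1a\r\n", 4) == 0;
    brigade_cleanup(&bb);
    return ok;
}

/* Returns 1 if a consumed brigade holds no bucket after the function returns. */
int cleaned_brigade_is_empty(void) {
    brigade bb = { NULL };
    add_chunk_header(&bb, 0x1a, 0);
    return bb.head == NULL;
}

int main(void) {
    printf("retained: %d, cleaned: %d\n",
           retained_header_is_heap_copy(), cleaned_brigade_is_empty());
    return 0;
}
```

The two checks correspond to the two outcomes Yann describes: a downstream filter that holds on to the brigade has set the bucket aside (the data is now a heap copy, not the stack buffer), and a brigade cleaned up in the same frame is empty, so no bucket can still reference the stack buffer. The invalid case, a consumer keeping a transient bucket across the creator's return without setting it aside, is exactly what the analyzer flagged, and what the setaside contract rules out.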

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

Alex CHEN <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
     Ever confirmed|1                           |0
         Resolution|WORKSFORME                  |---

--- Comment #3 from Alex CHEN <[hidden email]> ---
(In reply to Yann Ylavic from comment #1)
> As their name suggests, "transient" buckets can point to stack memory, where
> the creator of such buckets is responsible for the scope.
>
> In this case, the transient bucket 'e' will be either setaside (moved to
> heap memory) by subsequent filters in ap_pass_brigade(), or cleaned up with
> its brigade 'b' before the end of the function.
>
> So it won't "leak" (hence be accessed) outside the function, AFAICT.

Inside `apr_brigade_cleanup`, there is a FIX for
https://bz.apache.org/bugzilla/show_bug.cgi?id=51062,
https://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?annotate=1102687&pathrev=1102687,

Could there be a chance that, when hitting the above brigade corruption, the
fix breaks the infinite loop but leaves the brigade unclean (leaking stack memory)?

Could anybody have a check on this?

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

--- Comment #4 from Kontol <[hidden email]> ---
Created attachment 35401
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35401&action=edit
Asw

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

--- Comment #5 from Oyan Muhammad <[hidden email]> ---
Created attachment 35403
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35403&action=edit
ap an

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

Christophe JAILLET <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #35401|Asw                         |SPAM - do not open
        description|                            |
  Attachment #35401|0                           |1
        is obsolete|                            |

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

Christophe JAILLET <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #35403|0                           |1
        is obsolete|                            |
  Attachment #35403|ap an                       |SPAM - do not open
        description|                            |

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

--- Comment #6 from John ELen <[hidden email]> ---
This is great website for bugs.
https://phoneyukti.in/youtube-se-paise-kaise-kamaye/

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

Joe Orton <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #7 from Joe Orton <[hidden email]> ---
(In reply to Alex CHEN from comment #3)

> Inside `apr_brigade_cleanup`, there is a FIX for
> https://bz.apache.org/bugzilla/show_bug.cgi?id=51062,
> https://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.
> c?annotate=1102687&pathrev=1102687,
>
> Could there is a chance that: when hitting the above brigade corruption, the
> fix breaks infinite loop but leave the brigade unclean (leak stack memory?)
> ?
>
> Could anybody have a check on this?

The referenced code, introduced in r1102687, is unreachable except in the
presence of memory corruption, and should not have been included in a non-debug
build. I've removed it in r1875098 from non-debug builds, which should avoid any
false negatives from code analysis tools which could assume that is a valid code
path.

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

--- Comment #8 from Sikhte Jaiye <[hidden email]> ---
Awesome Website sikhtejaiye.com

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |Xerces2
                URL|                            |https://www.inningsbreak.co
                   |                            |m/t20-world-cup-history-men
                   |                            |-and-women/

--- Comment #7 from [hidden email] ---
https://www.inningsbreak.com/t20-world-cup-history-men-and-women/

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

Christophe JAILLET <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|https://www.inningsbreak.co |
                   |m/t20-world-cup-history-men |
                   |-and-women/                 |
           Keywords|Xerces2                     |

[Bug 61228] Possible Invalid Reference to Stack Memory (modules/http/chunk_filters.c)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61228

--- Comment #7 from Rishabh <[hidden email]> ---
<a href="https://www.techizzlooks.com">Techizz looks</a>
