httpd crashes when fetching a hidden file located on a CD


httpd crashes when fetching a hidden file located on a CD

Sevan / Venture37-2
Hi,
I ran across an issue with httpd(8) on 5.8-RELEASE & -CURRENT (2/12/2015
snapshot) where fetching a .hidden file located on a CD through httpd
results in httpd crashing (no core file or error message logged).

To reproduce, mount CD in a location which is served by httpd. eg CentOS
minimal install iso[1] has a hidden file in the root called .treeinfo

Try to fetch http://myweb/.treeinfo

Of course this is not a common scenario found in production, I happened
to run into it whilst taking a shortcut to save time & disk space by
mounting the CentOS iso on a virtualbox guest which was running OpenBSD.


Sevan
[1]
http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso


Re: httpd crashes when fetching a hidden file located on a CD

Theo de Raadt
This bug report totally sucks.

Have you ever heard of ktrace, and if you have, why did you not try
to reproduce it?

You want us to reproduce it?  Why?

> Hi,
> I ran across an issue with httpd(8) on 5.8-RELEASE & -CURRENT (2/12/2015
> snapshot) where fetching a .hidden file located on a CD through httpd
> results in httpd crashing (no core file or error message logged).
>
> To reproduce, mount CD in a location which is served by httpd. eg CentOS
> minimal install iso[1] has a hidden file in the root called .treeinfo
>
> Try to fetch http://myweb/.treeinfo
>
> Of course this is not a common scenario found in production, I happened
> to run into it whilst taking a shortcut to save time & disk space by
> mounting the CentOS iso on a virtualbox guest which was running OpenBSD.
>
>
> Sevan
> [1]
> http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso
>


Re: httpd crashes when fetching a hidden file located on a CD

Stuart Henderson-6
On 2015/12/07 15:44, Theo de Raadt wrote:

> This bug report totally sucks.
>
> Have you ever heard of ktrace, and if you have, why did you not try
> to reproduce it?
>
> You want us to reproduce it?  Why?
>
> > Hi,
> > I ran across an issue with httpd(8) on 5.8-RELEASE & -CURRENT (2/12/2015
> > snapshot) where fetching a .hidden file located on a CD through httpd
> > results in httpd crashing (no core file or error message logged).
> >
> > To reproduce, mount CD in a location which is served by httpd. eg CentOS
> > minimal install iso[1] has a hidden file in the root called .treeinfo
> >
> > Try to fetch http://myweb/.treeinfo
> >
> > Of course this is not a common scenario found in production, I happened
> > to run into it whilst taking a shortcut to save time & disk space by
> > mounting the CentOS iso on a virtualbox guest which was running OpenBSD.
> >
> >
> > Sevan
> > [1]
> > http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso
> >
>

It's not that bad a report, it has everything necessary to reproduce,
tested on release and -current so it's obviously not pledge related.

There's one thing to add though, it looks like it happens for any file on
cd9660, not just dotfiles.

Here's ktrace, not that it seems particularly useful.

$ sudo kdump
 26600          EMUL  "native"
 26600 httpd    RET   kevent 1
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd9460)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 1970">.634312834 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kbind(0x7f7ffffd9208,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getdtablecount()
 26600 httpd    RET   getdtablecount 7
 26600 httpd    CALL  kbind(0x7f7ffffd9208,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getrlimit(RLIMIT_NOFILE,0x7f7ffffd9260)
 26600 httpd    STRU  struct rlimit { cur=6000, max=6000 }
 26600 httpd    RET   getrlimit 0
 26600 httpd    CALL  kbind(0x7f7ffffd9208,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  accept4(3,0x7f7ffffd9330,0x7f7ffffd9444,0x4000<SOCK_NONBLOCK>)
 26600 httpd    STRU  struct sockaddr { AF_INET, 127.0.0.1:16821 }
 26600 httpd    RET   accept4 5
 26600 httpd    CALL  kbind(0x7f7ffffd9258,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getpid()
 26600 httpd    RET   getpid 26600/0x67e8
 26600 httpd    CALL  kbind(0x7f7ffffd9258,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getsockname(5,0xda798556020,0x7f7ffffd9444)
 26600 httpd    STRU  struct sockaddr { AF_INET, 127.0.0.1:8223 }
 26600 httpd    RET   getsockname 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd92f0)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 1970">.634549181 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  getsockopt(5,SOL_SOCKET,SO_SNDBUF,0xda7985562d8,0x7f7ffffd92fc)
 26600 httpd    RET   getsockopt 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91d8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91d8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91d8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9208,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9228,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd91c8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9158,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kevent(9,0xda79855d000,3,0xda7a840b000,64,0x7f7ffffd9430)
 26600 httpd    STRU  struct timespec { 600 }
 26600 httpd    RET   kevent 2
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd9460)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 1970">.634743483 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kbind(0x7f7ffffd9398,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  ioctl(5,FIONREAD,0x7f7ffffd942c)
 26600 httpd    RET   ioctl 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15015959617536/0xda82cf06000
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  read(5,0xda82cf06400,0x59)
 26600 httpd    GIO   fd 5 read 89 bytes
       "GET /z/.treeinfo HTTP/1.1\r
        Host: localhost:8223\r
        User-Agent: curl/7.45.0\r
        Accept: */*\r
        \r
       "
 26600 httpd    RET   read 89/0x59
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd93f0)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 1970">.634802011 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9308,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9308,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9308,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15013927677952/0xda7b3d37000
 26600 httpd    CALL  kbind(0x7f7ffffd8d28,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8d68,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8928,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd87e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd87e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  access(0x7f7ffffd89f0,0x4<R_OK>)
 26600 httpd    NAMI  "/htdocs/z/.treeinfo"
 26600 httpd    RET   access 0
 26600 httpd    CALL  kbind(0x7f7ffffd87e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  stat(0x7f7ffffd89f0,0x7f7ffffd88c0)
 26600 httpd    NAMI  "/htdocs/z/.treeinfo"
 26600 httpd    STRU  struct stat { dev=3586, ino=61240, mode=-rw-r--r-- , nlink=1, uid=0<"root">, gid=0<"wheel">, rdev=0, atime=1427843425<"Apr  1 00:10:25 2015">, mtime=1427495808<"Mar 27 22:36:48 2015">, ctime=1427843425<"Apr  1 00:10:25 2015">, size=1109, blocks=2, blksize=2048, flags=0x0, gen=0x0 }
 26600 httpd    RET   stat 0
 26600 httpd    CALL  kbind(0x7f7ffffd8798,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  open(0x7f7ffffd89f0,0<O_RDONLY>)
 26600 httpd    NAMI  "/htdocs/z/.treeinfo"
 26600 httpd    RET   open 6
 26600 httpd    CALL  kbind(0x7f7ffffd8798,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  gettimeofday(0x7f7ffffd8830,0)
 26600 httpd    STRU  struct timeval { 1449533415<"Dec  8 00:10:15 2015">.091706 }
 26600 httpd    RET   gettimeofday 0
 26600 httpd    CALL  gettimeofday(0x7f7ffffd8610,0)
 26600 httpd    STRU  struct timeval { 1449533415<"Dec  8 00:10:15 2015">.091712 }
 26600 httpd    RET   gettimeofday 0
 26600 httpd    CALL  kbind(0x7f7ffffd8578,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8558,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8578,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8548,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8578,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8578,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8498,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8428,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8628,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15015584440320/0xda81693a000
 26600 httpd    CALL  mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15011937607680/0xda73d356000
 26600 httpd    CALL  kbind(0x7f7ffffd86a8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  mmap(0,0x5000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15013230739456/0xda78a490000
 26600 httpd    CALL  mmap(0,0xb000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 26600 httpd    RET   mmap 15015425835008/0xda80d1f8000
 26600 httpd    CALL  issetugid()
 26600 httpd    RET   issetugid 0
 26600 httpd    CALL  open(0x7f7ffffd82a0,0<O_RDONLY>)
 26600 httpd    NAMI  "/usr/share/zoneinfo/GMT"
 26600 httpd    RET   open -1 errno 2 No such file or directory
 26600 httpd    CALL  issetugid()
 26600 httpd    RET   issetugid 0
 26600 httpd    CALL  open(0x7f7ffffd81f0,0<O_RDONLY>)
 26600 httpd    NAMI  "/usr/share/zoneinfo/posixrules"
 26600 httpd    RET   open -1 errno 2 No such file or directory
 26600 httpd    CALL  gettimeofday(0x7f7ffffd87b0,0)
 26600 httpd    STRU  struct timeval { 1449533415<"Dec  8 00:10:15 2015">.091925 }
 26600 httpd    RET   gettimeofday 0
 26600 httpd    CALL  kbind(0x7f7ffffd86e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd86b8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd8798,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd84c8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd82e8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd93a8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9378,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  write(5,0xda79855b800,0xd3)
 26600 httpd    GIO   fd 5 wrote 211 bytes
       "HTTP/1.1 200 OK\r
        Connection: keep-alive\r
        Content-Length: 1109\r
        Content-Type: application/octet-stream\r
        Date: Tue, 08 Dec 2015 00:10:15 GMT\r
        Last-Modified: Fri, 27 Mar 2015 22:36:48 GMT\r
        Server: OpenBSD httpd\r
        \r
       "
 26600 httpd    RET   write 211/0xd3
 26600 httpd    CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7ffffd9430)
 26600 httpd    STRU  struct timespec { 190190<"Jan  3 05:49:50 1970">.635312700 }
 26600 httpd    RET   clock_gettime 0
 26600 httpd    CALL  kevent(9,0xda79855d000,7,0xda7a840b000,64,0x7f7ffffd9430)
 26600 httpd    STRU  struct timespec { 600 }
 26600 httpd    RET   kevent 1
 26600 httpd    CALL  kbind(0x7f7ffffd9368,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  close(3)
 26600 httpd    RET   close 0
 26600 httpd    CALL  kbind(0x7f7ffffd9398,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9378,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9358,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9398,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  close(6)
 26600 httpd    RET   close 0
 26600 httpd    CALL  close(5)
 26600 httpd    RET   close 0
 26600 httpd    CALL  kbind(0x7f7ffffd9398,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd93c8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9448,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd9418,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  nanosleep(0x7f7ffffd94e0,0)
 26600 httpd    STRU  struct timespec { 0.000200000 }
 26600 httpd    RET   nanosleep 0
 26600 httpd    CALL  kbind(0x7f7ffffd93f8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  kbind(0x7f7ffffd93d8,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  close(4)
 26600 httpd    RET   close 0
 26600 httpd    CALL  close(7)
 26600 httpd    RET   close 0
 26600 httpd    CALL  getpid()
 26600 httpd    RET   getpid 26600/0x67e8
 26600 httpd    CALL  write(2,0x7f7ffffd8f00,0x1a)
 26600 httpd    GIO   fd 2 wrote 26 bytes
       "server exiting, pid 26600
       "
 26600 httpd    RET   write 26/0x1a
 26600 httpd    CALL  kbind(0x7f7ffffd9448,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    PSIG  SIGTERM caught handler=0xda7c17a33e0 mask=0<>
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  sigreturn(0x7f7ffffd8fa0)
 26600 httpd    RET   sigreturn JUSTRETURN
 26600 httpd    CALL  exit(0)

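Stuart's kdump is dominated by kbind noise, and the records that matter (the two failed opens, the final write and the SIGTERM) are easy to miss. As an added helper, not part of this thread or of OpenBSD, the script below groups kdump lines by syscall so failed calls and the exit sequence stand out; its sample input is a constructed excerpt of the trace above, and kdump's CALL/NAMI/GIO/PSIG/RET record layout is the only format assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the kdump output shown above (not the full trace).
SAMPLE_KDUMP = """\
 26600 httpd    CALL  open(0x7f7ffffd89f0,0<O_RDONLY>)
 26600 httpd    NAMI  "/htdocs/z/.treeinfo"
 26600 httpd    RET   open 6
 26600 httpd    CALL  open(0x7f7ffffd82a0,0<O_RDONLY>)
 26600 httpd    NAMI  "/usr/share/zoneinfo/GMT"
 26600 httpd    RET   open -1 errno 2 No such file or directory
 26600 httpd    CALL  open(0x7f7ffffd81f0,0<O_RDONLY>)
 26600 httpd    NAMI  "/usr/share/zoneinfo/posixrules"
 26600 httpd    RET   open -1 errno 2 No such file or directory
 26600 httpd    CALL  write(2,0x7f7ffffd8f00,0x1a)
 26600 httpd    GIO   fd 2 wrote 26 bytes
       "server exiting, pid 26600
       "
 26600 httpd    RET   write 26/0x1a
 26600 httpd    CALL  kbind(0x7f7ffffd9448,0x18,0xd6de5e5b8cf9d5cf)
 26600 httpd    PSIG  SIGTERM caught handler=0xda7c17a33e0 mask=0<>
 26600 httpd    RET   kbind 0
 26600 httpd    CALL  exit(0)
"""

# Record layout is "<pid> <comm> <KIND> <payload>"; comm is absent on EMUL lines.
LINE_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+)?(CALL|RET|NAMI|STRU|GIO|PSIG|EMUL)\s+(.*)$")
# RET payloads look like "kbind 0", "getpid 26600/0x67e8" or "open -1 errno 2 No such file ...".
RET_RE = re.compile(r"^(\w+)\s+(\S+)(?:\s+errno\s+(\d+)\s+(.*))?$")

@dataclass
class Syscall:
    name: str
    args: str
    paths: list = field(default_factory=list)    # NAMI lines (path lookups)
    io: list = field(default_factory=list)       # GIO header plus its quoted payload
    signals: list = field(default_factory=list)  # PSIG delivered while the call was pending
    ret: str = ""                                # raw return value text
    errno: int = 0                               # 0 on success, kernel errno on failure
    errmsg: str = ""

def parse_kdump(text):
    """Group kdump lines by syscall: CALL opens one, RET closes it, NAMI/GIO/PSIG attach to it."""
    calls = []
    pending = Syscall("<preamble>", "")  # sink for records that precede the first CALL
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if pending.io:  # unprefixed lines are the quoted payload of the preceding GIO record
                pending.io.append(line.strip())
            continue
        kind, payload = m.group(3), m.group(4)
        if kind == "CALL":
            name, _, args = payload.partition("(")  # "open(a,b)" -> "open", "a,b)"
            pending = Syscall(name, args.rstrip(")"))
            calls.append(pending)
        elif kind == "NAMI":
            pending.paths.append(payload.strip('"'))
        elif kind == "GIO":
            pending.io.append(payload)
        elif kind == "PSIG":
            pending.signals.append(payload.split()[0])
        elif kind == "RET":
            rm = RET_RE.match(payload)
            if rm:
                pending.ret, pending.errno = rm.group(2), int(rm.group(3) or 0)
                pending.errmsg = rm.group(4) or ""
    return calls

def failed_syscalls(calls):
    """Every syscall that returned with an errno (the 'open -1 errno 2 ...' lines)."""
    return [c for c in calls if c.errno]

def exit_context(calls, n=4):
    """The last n syscalls ending at exit(): the parting 'server exiting' write and SIGTERM live here."""
    ends = [i for i, c in enumerate(calls) if c.name in ("exit", "_exit")]
    i = ends[0] if ends else len(calls) - 1
    return calls[max(0, i - n + 1):i + 1]
```

Run it on a full `kdump` capture by passing the file contents to `parse_kdump`; a syscall whose `ret` stays empty is one the process never returned from.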

Re: httpd crashes when fetching a hidden file located on a CD

Jonathan Gray-11
On Tue, Dec 08, 2015 at 12:31:09AM +0000, Stuart Henderson wrote:

> On 2015/12/07 15:44, Theo de Raadt wrote:
> > This bug report totally sucks.
> >
> > Have you ever heard of ktrace, and if you have, why did you not try
> > to reproduce it?
> >
> > You want us to reproduce it?  Why?
> >
> > > Hi,
> > > I ran across an issue with httpd(8) on 5.8-RELEASE & -CURRENT (2/12/2015
> > > snapshot) where fetching a .hidden file located on a CD through httpd
> > > results in httpd crashing (no core file or error message logged).
> > >
> > > To reproduce, mount CD in a location which is served by httpd. eg CentOS
> > > minimal install iso[1] has a hidden file in the root called .treeinfo
> > >
> > > Try to fetch http://myweb/.treeinfo
> > >
> > > Of course this is not a common scenario found in production, I happened
> > > to run into it whilst taking a shortcut to save time & disk space by
> > > mounting the CentOS iso on a virtualbox guest which was running OpenBSD.
> > >
> > >
> > > Sevan
> > > [1]
> > > http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso
> > >
> >
>
> It's not that bad a report, it has everything necessary to reproduce,
> tested on release and -current so it's obviously not pledge related.
>
> There's one thing to add though, it looks like it happens for any file on
> cd9660, not just dotfiles.

It is worth pointing out that httpd has had trouble serving files off
specific filesystems in the past due to kqueue issues.

cd9660_vops does not currently set .vop_kqfilter, does anything change
if you set EVENT_NOKQUEUE before running httpd?


Re: httpd crashes when fetching a hidden file located on a CD

Ted Unangst-6
Jonathan Gray wrote:
> >
> > There's one thing to add though, it looks like it happens for any file on
> > cd9660, not just dotfiles.
>
> It is worth pointing out that httpd has had trouble serving files off
> specific filesystems in the past due to kqueue issues.
>
> cd9660_vops does not currently set .vop_kqfilter, does anything change
> if you set EVENT_NOKQUEUE before running httpd?

this maybe adds kqueue to cd9660.


Index: cd9660_vnops.c
===================================================================
RCS file: /cvs/src/sys/isofs/cd9660/cd9660_vnops.c,v
retrieving revision 1.72
diff -u -p -r1.72 cd9660_vnops.c
--- cd9660_vnops.c 17 Apr 2015 04:43:20 -0000 1.72
+++ cd9660_vnops.c 8 Dec 2015 15:24:38 -0000
@@ -65,6 +65,9 @@
 #include <isofs/cd9660/cd9660_node.h>
 #include <isofs/cd9660/iso_rrip.h>
 
+int cd9660_kqfilter(void *v);
+
+
 /*
  * Structure for reading directories
  */
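Review bot: the new prototype block adds two blank `+` lines after `int cd9660_kqfilter(void *v);` where one would match the spacing used elsewhere in this file; and since `cd9660_kqfilter` is only referenced from the `cd9660_vops` table in the next hunk, consider placing the prototype with the file's other vop prototypes rather than standing alone above the "Structure for reading directories" comment.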
@@ -841,6 +844,7 @@ struct vops cd9660_vops = {
  .vop_write = cd9660_write,
  .vop_ioctl = cd9660_ioctl,
  .vop_poll = cd9660_poll,
+ .vop_kqfilter = cd9660_kqfilter,
  .vop_revoke = cd9660_revoke,
  .vop_fsync = cd9660_fsync,
  .vop_remove = cd9660_remove,
@@ -947,3 +951,103 @@ struct vops cd9660_fifovops = {
  .vop_advlock = fifo_advlock,
 };
 #endif /* FIFO */
+
+void filt_cd9660detach(struct knote *kn);
+int filt_cd9660read(struct knote *kn, long hint);
+int filt_cd9660write(struct knote *kn, long hint);
+int filt_cd9660vnode(struct knote *kn, long hint);
+
+struct filterops cd9660read_filtops =
+ { 1, NULL, filt_cd9660detach, filt_cd9660read };
+struct filterops cd9660write_filtops =
+ { 1, NULL, filt_cd9660detach, filt_cd9660write };
+struct filterops cd9660vnode_filtops =
+ { 1, NULL, filt_cd9660detach, filt_cd9660vnode };
+
+int
+cd9660_kqfilter(void *v)
+{
+ struct vop_kqfilter_args *ap = v;
+ struct vnode *vp = ap->a_vp;
+ struct knote *kn = ap->a_kn;
+
+ switch (kn->kn_filter) {
+ case EVFILT_READ:
+ kn->kn_fop = &cd9660read_filtops;
+ break;
+ case EVFILT_WRITE:
+ kn->kn_fop = &cd9660write_filtops;
+ break;
+ case EVFILT_VNODE:
+ kn->kn_fop = &cd9660vnode_filtops;
+ break;
+ default:
+ return (EINVAL);
+ }
+
+ kn->kn_hook = (caddr_t)vp;
+
+ SLIST_INSERT_HEAD(&vp->v_selectinfo.si_note, kn, kn_selnext);
+
+ return (0);
+}
+
+void
+filt_cd9660detach(struct knote *kn)
+{
+ struct vnode *vp = (struct vnode *)kn->kn_hook;
+
+ SLIST_REMOVE(&vp->v_selectinfo.si_note, kn, knote, kn_selnext);
+}
+
+int
+filt_cd9660read(struct knote *kn, long hint)
+{
+ struct vnode *vp = (struct vnode *)kn->kn_hook;
+ struct iso_node *node = VTOI(vp);
+
+ /*
+ * filesystem is gone, so set the EOF flag and schedule
+ * the knote for deletion.
+ */
+ if (hint == NOTE_REVOKE) {
+ kn->kn_flags |= (EV_EOF | EV_ONESHOT);
+ return (1);
+ }
+
+ kn->kn_data = node->i_size - kn->kn_fp->f_offset;
+ if (kn->kn_data == 0 && kn->kn_sfflags & NOTE_EOF) {
+ kn->kn_fflags |= NOTE_EOF;
+ return (1);
+ }
+
+ return (kn->kn_data != 0);
+}
+
+int
+filt_cd9660write(struct knote *kn, long hint)
+{
+ /*
+ * filesystem is gone, so set the EOF flag and schedule
+ * the knote for deletion.
+ */
+ if (hint == NOTE_REVOKE) {
+ kn->kn_flags |= (EV_EOF | EV_ONESHOT);
+ return (1);
+ }
+
+ kn->kn_data = 0;
+ return (1);
+}
+
+int
+filt_cd9660vnode(struct knote *kn, long hint)
+{
+ if (kn->kn_sfflags & hint)
+ kn->kn_fflags |= hint;
+ if (hint == NOTE_REVOKE) {
+ kn->kn_flags |= EV_EOF;
+ return (1);
+ }
+ return (kn->kn_fflags != 0);
+}
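Review bot: in `filt_cd9660read`, `if (kn->kn_data == 0 && kn->kn_sfflags & NOTE_EOF)` relies on `&` binding tighter than `&&`; it is correct as written, but parenthesising the mask as `(kn->kn_sfflags & NOTE_EOF)` makes the intent obvious at a glance. The four `filt_cd9660*` functions and the three `filterops` tables are only reached through `cd9660_kqfilter` in this file, so they could be `static` instead of exported with file-scope prototypes. Finally, `filt_cd9660write` reports the file as always writable (`kn->kn_data = 0; return (1);`) on a read-only filesystem; a one-line comment explaining why a write filter on cd9660 answers "ready" would save the next reader a question.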


Re: httpd crashes when fetching a hidden file located on a CD

Ted Unangst-6
In reply to this post by Stuart Henderson-6
Stuart Henderson wrote:

>  26600 httpd    CALL  issetugid()
>  26600 httpd    RET   issetugid 0
>  26600 httpd    CALL  open(0x7f7ffffd82a0,0<O_RDONLY>)
>  26600 httpd    NAMI  "/usr/share/zoneinfo/GMT"
>  26600 httpd    RET   open -1 errno 2 No such file or directory
>  26600 httpd    CALL  issetugid()
>  26600 httpd    RET   issetugid 0
>  26600 httpd    CALL  open(0x7f7ffffd81f0,0<O_RDONLY>)
>  26600 httpd    NAMI  "/usr/share/zoneinfo/posixrules"
>  26600 httpd    RET   open -1 errno 2 No such file or directory

unrelated to the problem at hand, but httpd is trying to access timezone files
in the chroot.


Re: httpd crashes when fetching a hidden file located on a CD

Theo de Raadt
> Stuart Henderson wrote:
> >  26600 httpd    CALL  issetugid()
> >  26600 httpd    RET   issetugid 0
> >  26600 httpd    CALL  open(0x7f7ffffd82a0,0<O_RDONLY>)
> >  26600 httpd    NAMI  "/usr/share/zoneinfo/GMT"
> >  26600 httpd    RET   open -1 errno 2 No such file or directory
> >  26600 httpd    CALL  issetugid()
> >  26600 httpd    RET   issetugid 0
> >  26600 httpd    CALL  open(0x7f7ffffd81f0,0<O_RDONLY>)
> >  26600 httpd    NAMI  "/usr/share/zoneinfo/posixrules"
> >  26600 httpd    RET   open -1 errno 2 No such file or directory
>
> unrelated to the problem at hand, but httpd is trying to access timezone files
> in the chroot.

feels like a missing tzset before jailing...


Re: httpd crashes when fetching a hidden file located on a CD

Sevan / Venture37-2
In reply to this post by Ted Unangst-6
Thanks so much for the patch, it's resolved the issue.


Sevan


Re: httpd crashes when fetching a hidden file located on a CD

Ted Unangst-6
In reply to this post by Ted Unangst-6
Ted Unangst wrote:

> Jonathan Gray wrote:
> > >
> > > There's one thing to add though, it looks like it happens for any file on
> > > cd9660, not just dotfiles.
> >
> > It is worth pointing out that httpd has had trouble serving files off
> > specific filesystems in the past due to kqueue issues.
> >
> > cd9660_vops does not currently set .vop_kqfilter, does anything change
> > if you set EVENT_NOKQUEUE before running httpd?
>
> this maybe adds kqueue to cd9660.

We've confirmed this diff fixes the problem. However, there seems to be a
larger problem that httpd/libevent cannot gracefully handle the condition
where kevent returns an error. We are doomed to see this problem repeat if
that is not addressed.


Re: httpd crashes when fetching a hidden file located on a CD

David Gwynne-5

> On 11 Dec 2015, at 9:23 PM, Ted Unangst <[hidden email]> wrote:
>
> Ted Unangst wrote:
>> Jonathan Gray wrote:
>>>>
>>>> There's one thing to add though, it looks like it happens for any file on
>>>> cd9660, not just dotfiles.
>>>
>>> It is worth pointing out that httpd has had trouble serving files off
>>> specific filesystems in the past due to kqueue issues.
>>>
>>> cd9660_vops does not currently set .vop_kqfilter, does anything change
>>> if you set EVENT_NOKQUEUE before running httpd?
>>
>> this maybe adds kqueue to cd9660.
>
> We've confirmed this diff fixes the problem. However, there seems to be a
> larger problem that httpd/libevent cannot gracefully handle the condition
> where kevent returns an error. We are doomed to see this problem repeat if
> that is not addressed.

on one hand i agree with you, but on the other i wonder why httpd thinks setting events up on files is useful.

Re: httpd crashes when fetching a hidden file located on a CD

Theo de Raadt
> on one hand i agree with you, but on the other i wonder why httpd thinks
> setting events up on files is useful.

I wondered this too.  And since this is libevent, and poll/select cannot
do anything like that, what is the goal?


Re: httpd crashes when fetching a hidden file located on a CD

Reyk Floeter-2
On Sat, Dec 12, 2015 at 08:09:44AM -0700, Theo de Raadt wrote:
> > on one hand i agree with you, but on the other i wonder why httpd thinks
> > setting events up on files is useful.
>
> I wondered this too.  And since this is libevent, and poll/select cannot
> do anything like that, what is the goal?
>

httpd is designed to use libevent's event buffers - not really for
poll/select - to fill the buffers as long as data is available and to
write it out as soon as possible; with throttling and watermarks
involved.  It pretty much works like relayd, and intentionally uses
the same relaying between fds (in this case between file/fastcgi and
tcp/tls connections).  Honestly, I didn't think of somebody serving
files from iso9660 filesystems, but there are always surprises ;)

Reyk