kristapsdz / kcgi

minimal CGI and FastCGI library for C/C++
https://kristaps.bsd.lv/kcgi
ISC License

`test-abort-validator` by `make regress` crashes macOS #39

Closed nalzok closed 6 years ago

nalzok commented 6 years ago

I was running make regress on macOS High Sierra 10.13.5 (17F77), when my screen suddenly turned black before the entire operating system crashed, which was really a big surprise to me.

I managed to create a core dump, which you might find helpful. Let me know if further information is required.

test-abort-validator_2018-06-12-154348_sunqingyaos-MacBook-Air.crash.txt

kristapsdz commented 6 years ago

I think I tried submitting this to Apple at some point, but can't remember---this has been a known bug for at least a few years. I've commented out the given test case. Can you re-run make regress with a fresh checkout and report on its crash status? (I don't have a Mac to test on.)

nalzok commented 6 years ago

The test test-abort-validator doesn't crash macOS anymore, and that's great! However, it seems that test-fcgi-abort-validator also results in a kernel panic when executed, which appears to be more severe because this time the core dump resides in /Library/Logs/DiagnosticReports instead of ~/Library/Logs/DiagnosticReports.

Kernel_2018-06-13-004505_sunqingyaos-MacBook-Air.panic.txt

kristapsdz commented 6 years ago

Oh, I should have caught that too. Last commit fixes it in the same way for that file. Edit: I'm asking around to see if I can get anybody at Apple to look at actually fixing this. It's pretty bad.

nalzok commented 6 years ago

Thanks for your time and effort!

The previous kernel panic is gone but another one arises: this time the offending test appears to be test-fcgi-bigfile. Maybe all test-fcgi-* family tests share this issue?

Kernel_2018-06-13-013108_sunqingyaos-MacBook-Air.panic.txt

Edit: make regress passes when I remove the test-fcgi-* family tests. On the other hand, when I add a random test from this family, say test-fcgi-upload, the OS crashes again.

kristapsdz commented 6 years ago

You're the one taking the time and effort---thank you!---and you've absolutely found something that people should know about. This is really bad for Apple.

I almost don't want to ask, but can you crash the system by running any of these scripts (as compiled with kcgi) under the real web server? Or is it limited to the regression suite?

nalzok commented 6 years ago

No problem!

Unfortunately yes, I tried running test-fcgi-bigfile, test-fcgi-file-get, and test-fcgi-header directly on the command line, and all of them caused a crash. Then I installed them to cgi-bin and visited localhost:8080/cgi-bin/test-fcgi-{{ foo }}.cgi, and bang, macOS crashes again. So I think there's something wrong with the testing scripts, and the regression framework is probably OK.

BTW: It seems that this is a security vulnerability of macOS. If that's the case, I think it might be better for us to discuss this issue through a private channel like e-mail, instead of in a public thread?

kristapsdz commented 6 years ago

I've submitted it to Apple, but given as I have another bug report from 2015 not answered, I don't have high hopes. (I'd have made this thread private, but GitHub doesn't have the features for that.) Meanwhile, I'll comment out all fcgi regression tests so they don't run on Apple and make some specific notes on the kcgi frontpage about avoiding Mac OS X for CGI code, as there are obviously some show-stopping bugs in the kernel.

As for the last question, I don't mean copying the test file into the CGI directory---that will only run the regression test. Try, instead, something like test.c.txt. If it works, then the kernel bug lies in the regression suite's machinery.

Either way, this isn't a kcgi bug---it's a Mac OS X bug. If I were you, I would think carefully about running anything public-facing on your system.

nalzok commented 6 years ago

It looks like your code works fine, both in the command line and on the server. However, I'd like to highlight that this script doesn't use FastCGI, which all test cases causing kernel panic are related to, so I think it's questionable to say the bug is triggered by the regression suite?

I have been trying to get this library to work with FastCGI, but have encountered some problems (see #40). I don't know if I can conquer them eventually but I'll try my best. Meanwhile, as long as you have any testing scripts, I'm willing to execute them on my system to help locate the offending line.

I'm not going to use macOS on a "serious" web server. To me it's more of a development environment, where I can try out interesting libraries like this one.

nalzok commented 6 years ago

Closed for the same reason as for #40