openwrt / uhttpd

[MIRROR] Tiny HTTP server
https://git.openwrt.org/?p=project/uhttpd.git;

SIGSEGV in uhttpd when subscribed to ubus messages over HTTP #1

Open ignisf opened 1 year ago

ignisf commented 1 year ago

Describe the bug

Subscribing to ubus events over HTTP causes regular reproducible crashes of uhttpd with SIGSEGV.

OpenWrt version

r19803-9a599fee93

OpenWrt target/subtarget

ramips/mt7621

Device

TP-Link EAP615-Wall v1

Image kind

Self-built image

Steps to reproduce

  1. Create /usr/share/rpcd/acl.d/repro.json:
    {
        "repro": {
            "description": "Access to misc data",
            "read": {
                "ubus": {
                    "hostapd.*": [ ":subscribe" ]
                }
            },
            "write": {}
        }
    }
  2. In a terminal window, call:
    export SESSIONID=$(curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "00000000000000000000000000000000", "session", "login", { "username": "root", "password": "<YOUR ROOT OPENWRT PASSWORD>", "timeout": 0 } ] }' http://lego/ubus | jq -r '.result[1].ubus_rpc_session')
  3. In the same window, call:
    curl -v -H "authorization: Bearer $SESSIONID" http://lego/ubus/subscribe/hostapd.wlan0
  4. Wait

Actual behaviour

After some time, curl closes the connection. The following is indicated by the OpenWrt device's dmesg output:

[171387.727896] do_page_fault(): sending SIGSEGV to uhttpd for invalid read access from 00000000
[171387.736438] epc = 77af5217 in libubus.so.20220601[77af4000+13000]
[171387.742660] ra  = 77df1033 in libubox.so.20220515[77def000+18000]

Expected behaviour

No SIGSEGV.

Additional info

No response

Diffconfig

CONFIG_TARGET_ramips=y
CONFIG_TARGET_ramips_mt7621=y
CONFIG_TARGET_ramips_mt7621_DEVICE_tplink_eap615-wall-v1=y
CONFIG_DEVEL=y
CONFIG_BPF_TOOLCHAIN_BUILD_LLVM=y
# CONFIG_BPF_TOOLCHAIN_NONE is not set
CONFIG_BWMNG_EXTENDEDSTATS=y
CONFIG_BWMNG_TIME=y
CONFIG_HAS_BPF_TOOLCHAIN=y
CONFIG_IMAGEOPT=y
# CONFIG_KERNEL_DEBUG_INFO is not set
# CONFIG_KERNEL_DEBUG_KERNEL is not set
# CONFIG_KERNEL_KALLSYMS is not set
CONFIG_PACKAGE_ath10k-board-qca988x=y
CONFIG_PACKAGE_ath10k-firmware-qca988x=y
CONFIG_PACKAGE_bmon=y
CONFIG_PACKAGE_bwm-ng=y
CONFIG_PACKAGE_cgi-io=y
CONFIG_PACKAGE_confuse=y
# CONFIG_PACKAGE_dnsmasq is not set
CONFIG_PACKAGE_ethtool=y
CONFIG_PACKAGE_iperf3=y
CONFIG_PACKAGE_libiwinfo-lua=y
CONFIG_PACKAGE_liblua=y
CONFIG_PACKAGE_liblucihttp=y
CONFIG_PACKAGE_liblucihttp-lua=y
CONFIG_PACKAGE_libncurses=y
CONFIG_PACKAGE_libnl-core=y
CONFIG_PACKAGE_libnl-route=y
CONFIG_PACKAGE_libpcap=y
CONFIG_PACKAGE_libubus-lua=y
CONFIG_PACKAGE_lua=y
CONFIG_PACKAGE_luci=y
CONFIG_PACKAGE_luci-app-firewall=y
CONFIG_PACKAGE_luci-app-opkg=y
CONFIG_PACKAGE_luci-base=y
CONFIG_PACKAGE_luci-lib-base=y
CONFIG_PACKAGE_luci-lib-ip=y
CONFIG_PACKAGE_luci-lib-jsonc=y
CONFIG_PACKAGE_luci-lib-nixio=y
CONFIG_PACKAGE_luci-mod-admin-full=y
CONFIG_PACKAGE_luci-mod-network=y
CONFIG_PACKAGE_luci-mod-status=y
CONFIG_PACKAGE_luci-mod-system=y
CONFIG_PACKAGE_luci-proto-ipv6=y
CONFIG_PACKAGE_luci-proto-ppp=y
CONFIG_PACKAGE_luci-theme-bootstrap=y
# CONFIG_PACKAGE_odhcpd-ipv6only is not set
CONFIG_PACKAGE_rpcd=y
CONFIG_PACKAGE_rpcd-mod-file=y
CONFIG_PACKAGE_rpcd-mod-iwinfo=y
CONFIG_PACKAGE_rpcd-mod-luci=y
CONFIG_PACKAGE_rpcd-mod-rrdns=y
CONFIG_PACKAGE_tcpdump-mini=y
CONFIG_PACKAGE_terminfo=y
CONFIG_PACKAGE_uhttpd=y
CONFIG_PACKAGE_uhttpd-mod-ubus=y
CONFIG_PACKAGE_usteer=y
CONFIG_PACKAGE_wpad-basic-wolfssl=m
CONFIG_PACKAGE_wpad-wolfssl=y
CONFIG_REPRODUCIBLE_DEBUG_INFO=y
CONFIG_SDK_LLVM_BPF=y
CONFIG_USE_LLVM_BUILD=y
CONFIG_VERSIONOPT=y
CONFIG_VERSION_BUG_URL=""
CONFIG_VERSION_CODE=""
CONFIG_VERSION_DIST="OpenWrt"
CONFIG_VERSION_FILENAMES=y
CONFIG_VERSION_HOME_URL=""
CONFIG_VERSION_HWREV=""
CONFIG_VERSION_MANUFACTURER=""
CONFIG_VERSION_MANUFACTURER_URL=""
CONFIG_VERSION_NUMBER=""
CONFIG_VERSION_PRODUCT=""
CONFIG_VERSION_REPO="https://downloads.openwrt.org/releases/22.03.2"
CONFIG_VERSION_SUPPORT_URL=""
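
A triage helper for the dmesg lines quoted in the report, added here as an example (it is not part of the original issue or of the uhttpd/libubus code): it parses the fault header and rebases `epc` and `ra` to offsets inside the mappings the kernel printed, which is the form needed to look them up in an unstripped build of the same library versions. The names `triage`, `SAMPLE` and `NULL_PAGE` are hypothetical, the first-page NULL threshold is an assumption, and the offsets equal file offsets only if the printed mapping starts at the beginning of the library file.

```python
import re

# Constructed sample input: the three dmesg lines quoted in the report above.
SAMPLE = """\
[171387.727896] do_page_fault(): sending SIGSEGV to uhttpd for invalid read access from 00000000
[171387.736438] epc = 77af5217 in libubus.so.20220601[77af4000+13000]
[171387.742660] ra  = 77df1033 in libubox.so.20220515[77def000+18000]
"""

# Header line the kernel logs when it delivers the signal.
FAULT = re.compile(r"sending (SIG\w+) to (\S+) for invalid (\w+) access from ([0-9a-f]+)")
# Register line: "<reg> = <addr> in <object>[<map base>+<map size>]".
REG = re.compile(r"\b(epc|ra)\s*=\s*([0-9a-f]+) in (\S+?)\[([0-9a-f]+)\+([0-9a-f]+)\]")

NULL_PAGE = 0x1000  # assumption: a fault address in the first page counts as a NULL dereference


def triage(dmesg_text):
    """Return one dict per fault, with epc/ra rebased to offsets inside their mapping."""
    faults = []
    for line in dmesg_text.splitlines():
        m = FAULT.search(line)
        if m:
            addr = int(m.group(4), 16)
            faults.append({"signal": m.group(1), "process": m.group(2),
                           "access": m.group(3), "fault_addr": addr,
                           "null_deref": addr < NULL_PAGE})
            continue
        m = REG.search(line)
        if not m or not faults:
            continue  # register line with no preceding fault header: ignore
        reg, lib = m.group(1), m.group(3)
        value, base, size = (int(m.group(i), 16) for i in (2, 4, 5))
        # Only rebase when the address really lies inside the printed mapping.
        inside = base <= value < base + size
        faults[-1][reg] = {"lib": lib, "offset": value - base if inside else None}
    return faults


if __name__ == "__main__":
    for f in triage(SAMPLE):
        kind = "NULL dereference" if f["null_deref"] else "non-NULL address"
        print(f"{f['signal']} in {f['process']}: {f['access']} of {f['fault_addr']:#x} ({kind})")
        for reg in ("epc", "ra"):
            if reg in f and f[reg]["offset"] is not None:
                print(f"  {reg}: {f[reg]['lib']}+{f[reg]['offset']:#x}")
```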
