Nmap Development mailing list archives

Re: Built-in authentication for http.lua

From: David Fifield <david () bamsoftware com>
Date: Thu, 23 Sep 2010 09:35:50 -0700

On Thu, Sep 23, 2010 at 01:11:32AM -0400, Patrick Donnelly wrote:

Hi David,
On Wed, Sep 22, 2010 at 4:59 PM, David Fifield <david () bamsoftware com> wrote:

On Fri, Aug 13, 2010 at 03:09:52PM -0400, Patrick Donnelly wrote:

On Fri, Aug 13, 2010 at 2:50 PM, Patrick Donnelly <batrick () batbytes com> wrote:

On Thu, Aug 12, 2010 at 4:54 PM, David Fifield <david () bamsoftware com> wrote:

Patrick, do you have an idea why this is happening? I attached the patch
that I used to diagnose it. The telltale parts are


I'm not sure after a cursory glance, no. I don't know how those
threads are still running insert_cache after their destructors are
called.


Oh, it seems that isn't what is happening. (Threads are *not* running
insert_cache after having been destroyed/closed.) I'll look at this
more later but in the mean time I suggest upping the debug level and
printing the thread pointer in all debug output.


I think there's a bug somewhere but I can't find it. I've been running
http-brute with just two threads. Somehow, when one of the worker
threads dies, it is calling the destructor (aux_mutex_done) of the other
thread.

For example, my two worker threads are:

NSE: 'http-brute' (thread: 0x1c96830) spawning new thread (thread: 0x1cc5af0).
NSE: 'http-brute' (thread: 0x1c96830) spawning new thread (thread: 0x1cc6610).

0x1cc5af0 is the first to finish when the unpwdb limit expires. I added
debug code to print the thread pointers in Thread:close and
aux_mutex_done. "->" is function entry and "<-" is function exit.

NSE: Finished 'http-brute' worker (thread: 0x1cc5af0) against 127.0.0.1:80.
NSE: Thread:close -> 'http-brute' worker (thread: 0x1cc5af0)
NSE: destructor -> 'http-brute' worker (thread: 0x1cc5af0) function: 0x1c374e0
NSE: destructor <- 'http-brute' worker (thread: 0x1cc5af0) function: 0x1c374e0
NSE: destructor -> 'http-brute' worker (thread: 0x1cc5af0) table: 0x1c35640
mutex done aux_mutex_done 0x1cc6610
0x1cc6610 mutex("done")
nse_destructor 0x1cc6610 'r'
_R[DESTRUCTOR]: 'http-brute' worker (thread: 0x1cc6610) or 'http-brute' worker (thread: 0x1cc6610) or 'http-brute' 
worker (thread: 0x1cc5af0) -> 'http-brute' worker (thread: 0x1cc6610)
NSE: destructor <- 'http-brute' worker (thread: 0x1cc5af0) table: 0x1c35640
NSE: Thread:close <- 'http-brute' worker (thread: 0x1cc5af0)

See how even though it is 0x1cc5af0 that is ending, aux_mutex_done is
begin called on the other thread, 0x1cc6610. This causes an error later
when 0x1cc6610 releases its insert_cache mutex:

mutex done insert_cache
0x1cc6610 mutex("done")
NSE: 'http-brute' worker (thread: 0x1cc6610) against 127.0.0.1:80 threw an error!
./nselib/http.lua:877: 0x1cc6610 do not have a lock on this mutex
stack traceback:
       [C]: in function 'mutex'
       ./nselib/http.lua:877: in function 'insert_cache'
       ./nselib/http.lua:1037: in function 'get'
       ./scripts/http-brute.nse:67: in function 'login'
       ./nselib/brute.lua:490: in function 'doAuthenticate'
       ./nselib/brute.lua:522: in function 'main'
       ./nse_main.lua:690: in function <./nse_main.lua:690>

NSE: Thread:close -> 'http-brute' worker (thread: 0x1cc6610)
NSE: Thread:close <- 'http-brute' worker (thread: 0x1cc6610)

I attached the patch I'm using to generate this output. I don't
understand nse_main.lua well enough to know what's going on here.
Patrick, is this expected that one thread will call another thread's
destructor? The thread on which to call the destructor comes from the
yielded_base table; what's the purpose of this table?

A recipe for testing locally is at http://seclists.org/nmap-dev/2010/q3/372.


Ah, this was a rather subtle bug. Apparently we (that is, I) forgot to
add the close_handlers field to the worker thread. Since all absent
fields in the worker Thread table index the parent, both threads use
the close_handler table of the parent which spawned the workers. The
reason this isn't noticed until one thread exists is because when the
thread X that is about to finish removes its (X's) destructor, it then
adds the other thread's (Y's) destructor (within the aux_mutex
function). Because they share the same destructor table, when X calls
each of its destructors it accidentally calls Y's destructor.


Excellent, thanks for your help. I applied your patch and removed the
one-thread restriction in http-brute.nse.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Built-in authentication for http.lua David Fifield (Jul 21)
- Re: Built-in authentication for http.lua David Fifield (Jul 25)
  - Re: Built-in authentication for http.lua Patrik Karlsson (Jul 31)
    - Re: Built-in authentication for http.lua David Fifield (Aug 12)
    - Re: Built-in authentication for http.lua Patrick Donnelly (Aug 13)
    - Re: Built-in authentication for http.lua Patrick Donnelly (Aug 13)
    - Re: Built-in authentication for http.lua David Fifield (Sep 22)
    - Re: Built-in authentication for http.lua Patrick Donnelly (Sep 22)
    - Re: Built-in authentication for http.lua David Fifield (Sep 23)