bugfix: prevent NULL dereference in SSL cache by ensuring old_cycle i…#2485

Merged
zhuizhuhaomeng merged 2 commits into openresty:master from oowl:fix-ssl-crash
Mar 17, 2026

@oowl oowl commented Mar 16, 2026

…s set

I hereby granted the copyright of the changes in this pull request
to the authors of this lua-nginx-module project.

If you use Resty in this way in the new 1.29.2 OpenResty

 resty --nginx ./buildroot/nginx-1.29.4/objs/nginx --http-conf 'lua_ssl_trusted_certificate cert.pem;' -e "print(ngx.now())" 

it will crash with the following backtrace:

#0  0x00005634daf4399e in ngx_ssl_cache_fetch (cf=cf@entry=0x7fffa125ee70, index=index@entry=0x3, err=err@entry=0x7fffa125ed80, 
    path=path@entry=0x5634f974e128, data=<optimized out>, data@entry=0x0) at src/event/ngx_event_openssl_cache.c:250
250         old_cache = ngx_ssl_cache_get_old_conf(cf->cycle);
gdb-peda$ bt
#0  0x00005634daf4399e in ngx_ssl_cache_fetch (cf=cf@entry=0x7fffa125ee70, index=index@entry=0x3, err=err@entry=0x7fffa125ed80, 
    path=path@entry=0x5634f974e128, data=<optimized out>, data@entry=0x0) at src/event/ngx_event_openssl_cache.c:250
#1  0x00005634daf3c8d4 in ngx_ssl_trusted_certificate (cf=cf@entry=0x7fffa125ee70, ssl=0x5634f974d7e0, 
    cert=cert@entry=0x5634f974e128, depth=0x1) at src/event/ngx_event_openssl.c:1074
#2  0x00005634db024fc1 in ngx_http_lua_set_ssl (cf=0x7fffa125ee70, llcf=0x5634f974e0f0)
    at /home/owl/work/openresty/lua-nginx-module/src/ngx_http_lua_module.c:1878
#3  ngx_http_lua_merge_loc_conf (cf=0x7fffa125ee70, parent=0x5634f96c7470, child=0x5634f974e0f0)
    at /home/owl/work/openresty/lua-nginx-module/src/ngx_http_lua_module.c:1727
#4  0x00005634db049bc1 in ngx_http_lua_init_worker (cycle=0x5634f96a4480)
    at /home/owl/work/openresty/lua-nginx-module/src/ngx_http_lua_initworkerby.c:251
#5  0x00005634daf355e2 in ngx_single_process_cycle (cycle=cycle@entry=0x5634f96a4480) at src/os/unix/ngx_process_cycle.c:299
#6  0x00005634daf07151 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:384
#7  0x00007fee82c366c1 in __libc_start_call_main (main=main@entry=0x5634daf065d8 <main>, argc=argc@entry=0x7, 
    argv=argv@entry=0x7fffa125f478) at ../sysdeps/nptl/libc_start_call_main.h:59
#8  0x00007fee82c367f9 in __libc_start_main_impl (main=0x5634daf065d8 <main>, argc=0x7, argv=0x7fffa125f478, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffa125f468) at ../csu/libc-start.c:360
#9  0x00005634daf05765 in _start ()

Reason
ngx_ssl_trusted_certificate in 1.27.1 directly called SSL_CTX_load_verify_locations, with no SSL cache layer. The ngx_ssl_cache_fetch / ngx_openssl_cache_module is new in nginx 1.27.2. nginx/nginx#140

Call chain that triggers the crash:

  1. ngx_init_cycle() completes → sets cycle->old_cycle = NULL (ngx_cycle.c:785)
  2. ngx_single_process_cycle → ngx_http_lua_init_worker
  3. ngx_http_lua_init_worker creates a fake_cycle via ngx_memcpy(fake_cycle, cycle, ...) --- so fake_cycle->old_cycle = NULL
  4. Calls merge_loc_conf with a conf pointing to the fake_cycle
  5. ngx_http_lua_set_ssl → ngx_ssl_trusted_certificate (nginx 1.29.2 now uses ngx_ssl_cache_fetch)
  6. ngx_ssl_cache_fetch calls the macro ngx_ssl_cache_get_old_conf(cf->cycle):
// ngx_event_openssl_cache.c:28-30
#define ngx_ssl_cache_get_old_conf(cycle)\
    cycle->old_cycle->conf_ctx ? ngx_ssl_cache_get_conf(cycle->old_cycle)\
                               : NULL

cycle->old_cycle is NULL → NULL->conf_ctx → SIGSEGV
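
The NULL dereference traced in the description above, reduced to a model that compiles on its own. This is an added example, not code from nginx or lua-nginx-module; cycle_t, get_conf, get_old_conf_checked, make_fake_cycle and old_conf_via_fake are simplified, hypothetical stand-ins, and only the shape of the macro follows the one quoted above.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the nginx types (hypothetical, not the real structs). */
typedef struct cycle_s cycle_t;
struct cycle_s {
    void    **conf_ctx;   /* per-module configuration table */
    cycle_t  *old_cycle;  /* previous cycle; NULL once initialisation is done */
};

/* Stand-in for ngx_ssl_cache_get_conf(): slot 0 holds the cache conf. */
#define get_conf(cycle)  ((cycle)->conf_ctx[0])

/* Same shape as the quoted macro: old_cycle is dereferenced unchecked. */
#define get_old_conf(cycle) \
    ((cycle)->old_cycle->conf_ctx ? get_conf((cycle)->old_cycle) : NULL)

/* Defensive variant: test old_cycle before touching its conf_ctx. */
static void *get_old_conf_checked(cycle_t *cycle)
{
    cycle_t *old = cycle->old_cycle;
    return (old != NULL && old->conf_ctx != NULL) ? get_conf(old) : NULL;
}

/* Models the fake cycle: a byte copy of the live cycle, which inherits
 * old_cycle == NULL unless the caller patches it afterwards. */
static void make_fake_cycle(cycle_t *fake, cycle_t *cycle, int apply_fix)
{
    memcpy(fake, cycle, sizeof(cycle_t));
    if (apply_fix && fake->old_cycle == NULL) {
        fake->old_cycle = cycle;   /* the guard merged in this pull request */
    }
}

/* Old conf as seen through a fake cycle; the unchecked macro is only
 * evaluated when old_cycle is known to be set. */
void *old_conf_via_fake(cycle_t *cycle, int apply_fix)
{
    cycle_t fake;
    make_fake_cycle(&fake, cycle, apply_fix);
    return fake.old_cycle ? get_old_conf(&fake) : get_old_conf_checked(&fake);
}

int main(void)
{
    int cache = 42;                    /* constructed sample cache conf */
    void *ctx[1] = { &cache };
    cycle_t live = { ctx, NULL };
    return old_conf_via_fake(&live, 1) == &cache ? 0 : 1;
}
```

Without the guard the copied cycle keeps old_cycle == NULL, which is the state in which the unchecked macro faults; with it, the lookup resolves to the live cycle's own conf.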

Copilot AI review requested due to automatic review settings March 16, 2026 16:12
oowl commented Mar 16, 2026

I don't know how to write a test for this, as this issue seems to occur only in the context of Resty. cc @zhuizhuhaomeng

Copilot AI left a comment

Pull request overview

Fixes a startup crash in init_worker_by_lua* on newer nginx/OpenResty builds by ensuring the temporary “fake” cycle used during config merging has a non-NULL old_cycle, preventing a NULL dereference in nginx’s SSL cache path.

Changes:

  • Ensure fake_cycle->old_cycle is set when NULL to avoid old_cycle->conf_ctx dereference during merge_loc_conf/ngx_ssl_trusted_certificate.

Comment on lines +124 to +128
* conf_ctx, so cert lookups will still find previously loaded entries.
*/
if (fake_cycle->old_cycle == NULL) {
fake_cycle->old_cycle = cycle;
}
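Review bot: the comment above fake_cycle->old_cycle = cycle; should say why it is safe for the SSL cache code to see the same cycle as both the old and the current one, because after this assignment the old-conf lookup resolves to the live cycle's own cache rather than to a previous generation. It relies on cycle->conf_ctx being populated at this point, which is worth stating or asserting, since the guard only checks old_cycle itself. The change also lands without a regression test; a case that sets lua_ssl_trusted_certificate and runs through the init_worker path, as in the reproduction command in the description, would cover it.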
@zhuizhuhaomeng zhuizhuhaomeng merged commit 4512547 into openresty:master Mar 17, 2026
5 of 6 checks passed