Segfault Error with Mod_Security Module Enabled

#1
Hi,
The bug is described below, thanks!

Description: Openlitspeed crashed with segfault error in system log when mod_security is on configured with OWASP CSR3 rules.

System Details:
OS: Debian GNU/Linux 9.5
OpenLiteSpeed VERSION: 1.4.34-1+stretch (from apt repository)
*LiteSpeed ModSecurity Module enabled

Configuration File:

1. Openlitespeed ModSecurity Module Configuration
Code:
module mod_security {
modsecurity  on
modsecurity_rules `
            SecRuleEngine On
            Include /usr/local/lsws/modsecurity/owasp-modsecurity-crs/crs-setup.conf
            Include /usr/local/lsws/modsecurity/owasp-modsecurity-crs/rules/*.conf
        `
}
Log File:

1. Openlitespeed error log before crash:​

https://drive.google.com/file/d/1b08eLurNTpHpeSCeqjR6vAt7A3Nuwx18/view?usp=sharing

2. System Log:
Code:
[57249.419728] litespeed[7573]: segfault at 7fff89177000 ip 0000559998f0e2e8 sp 00007fff891701f8 error 6 in openlitespeed[559998dbb000+353000]
[57253.621396] litespeed[7808]: segfault at 7fffd40c4000 ip 000055c90abe72e8 sp 00007fffd40bd058 error 6 in openlitespeed[55c90aa94000+353000]

Thanks,
Brian
 
#2
Hi Brian,

Please make sure you build the module and openlitespeed with the same source code.
It seems the module is not loaded correctly.

Thanks.
David
 
Top