
Bug#537665: apache2.2-common: segfault in crc32 when using deflate since last security upgrade



* Stefan Fritsch <sf@sfritsch.de> [2009-07-24 18:38]:
> >> > [Sun Jul 19 19:53:53 2009] [notice] child pid 12637 exit signal
> >> > Segmentation fault (11)
> >> I can't reproduce this. Please post your mod_deflate configuration.
> >> Thanks.
> > Here it is:
> Thanks. It didn't help me to reproduce the bug, though.
> > The server is getting about 30000 hits a day according to awstats,
> > but the bug is triggered only once or twice a day.
> And if the problem appears that rarely, I don't see much chance of
> that.
> Can you recompile the apache2 packages with the env variable
> DEB_BUILD_OPTIONS=nostrip set, install the recompiled packages and
> libapr1-dbg and libaprutil1-dbg, and libz-dbg, and generate another stack
> trace (with 'bt full' in gdb)?

There is no libz-dbg in etch.

Here is my last bt full with apache not stripped, libapr1-dbg and
libaprutil1-dbg:

(gdb) bt full
#0  0xb793d175 in crc32 () from /usr/lib/libz.so.1
No symbol table info available.
#1  0xb78834d5 in deflate_out_filter (f=0x85d6480, bb=0x85d63a8)
    at /home/nico/tmp/apache2-2.2.3/modules/filters/mod_deflate.c:537
        data = 0xb6567018 <Address 0xb6567018 out of bounds>
        b = <value optimized out>
        len = 625955
        done = <value optimized out>
        e = <value optimized out>
        r = (request_rec *) 0x858ed88
        ctx = (deflate_ctx *) 0x85d64e0
        zRC = <value optimized out>
#2  0xb755b7ce in php_ap2_register_hook () from /usr/lib/apache2/modules/libphp5.so
No symbol table info available.
#3  0x08074677 in ap_run_handler (r=0x858ed88)
    at /home/nico/tmp/apache2-2.2.3/server/config.c:158
        n = -1217153792
        rv = 1282601935
#4  0x08077821 in ap_invoke_handler (r=0x858ed88)
    at /home/nico/tmp/apache2-2.2.3/server/config.c:372
        handler = 0x82a9398 "application/x-httpd-php"
        result = <value optimized out>
        old_handler = 0x0
#5  0x08084908 in ap_process_request (r=0x858ed88)
    at /home/nico/tmp/apache2-2.2.3/modules/http/http_request.c:258
        access_status = 625955
#6  0x08081b7e in ap_process_http_connection (c=0x8546710)
    at /home/nico/tmp/apache2-2.2.3/modules/http/http_core.c:184
        r = (request_rec *) 0x858ed88
        csd = (apr_socket_t *) 0x0
#7  0x0807b4b7 in ap_run_process_connection (c=0x8546710)
    at /home/nico/tmp/apache2-2.2.3/server/connection.c:43
        n = 1
        rv = 1282601935
#8  0x0808892f in child_main (child_num_arg=<value optimized out>)
    at /home/nico/tmp/apache2-2.2.3/server/mpm/prefork/prefork.c:664
        numdesc = 1
        pdesc = (const apr_pollfd_t *) 0x8544618
        current_conn = (conn_rec *) 0x8546710
        csd = (void *) 0x8546578
        ptrans = (apr_pool_t *) 0x8546540
        allocator = (apr_allocator_t *) 0x85444b0
        status = <value optimized out>
        i = <value optimized out>
        lr = <value optimized out>
        pollset = (apr_pollset_t *) 0x85445c8
        sbh = (ap_sb_handle_t *) 0x85445c0
        bucket_alloc = (apr_bucket_alloc_t *) 0x854a720
        last_poll_idx = 1
#9  0x08088c6a in make_child (s=0x80a48c0, slot=33)
    at /home/nico/tmp/apache2-2.2.3/server/mpm/prefork/prefork.c:761
        pid = 0
#10 0x0808959e in ap_mpm_run (_pconf=0x80a00d0, plog=0x80d2198, s=0x80a48c0)
    at /home/nico/tmp/apache2-2.2.3/server/mpm/prefork/prefork.c:896
        status = 0
        pid = {pid = -1, in = 0x809a260, out = 0x2, err = 0xa00d0}
        child_slot = <value optimized out>
        exitwhy = APR_PROC_EXIT
        processed_status = <value optimized out>
        index = <value optimized out>
        remaining_children_to_start = 0
        rv = <value optimized out>
#11 0x0806224f in main (argc=134865224, argv=0x80c3d38)
    at /home/nico/tmp/apache2-2.2.3/server/main.c:717
        exit_status = 0
        c = 0 '\0'
        configtestonly = 0
        confname = 0x808b7f3 "/etc/apache2/apache2.conf"
        def_server_root = 0x808f9ce ""
        temp_error_log = 0x0
        error = <value optimized out>
        process = (process_rec *) 0x809e148
        server_conf = <value optimized out>
        pglobal = (apr_pool_t *) 0x809e0c8
        pconf = (apr_pool_t *) 0x80a00d0
        plog = (apr_pool_t *) 0x80d2198
        ptemp = (apr_pool_t *) 0x80d91b0
        pcommands = (apr_pool_t *) 0x80a20d8
        opt = (apr_getopt_t *) 0x80a2170
        rv = 0
        optarg = 0xb7ae6976 "OPENSSL_ia32cap"

I suppose the "data" pointer is supposed to be provided by "apr_bucket_read(e,
&data, &len, APR_BLOCK_READ);" in frame 1, on the line above.

This might be interesting:

(gdb) select 1
(gdb) p *r
$8 = {pool = 0x858ed50, connection = 0x8546710, server = 0x82cf458, next = 0x0,
  prev = 0x0, main = 0x0,
  the_request = 0x858fb70 "GET /sv3103/javascript/BundleJs.html HTTP/1.1",
  assbackwards = 0, proxyreq = 0, header_only = 0, protocol = 0x858fc40 "HTTP/1.1",
  proto_num = 1001, hostname = 0x8590058 "be.socompetent.com",
  request_time = 1248551974854163, status_line = 0x8091d73 "200 OK", status = 200,
  method = 0x858fbc0 "GET", method_number = 0, allowed = 0, allowed_xmethods = 0x0,
  allowed_methods = 0x858ef28, sent_bodyct = 1, bytes_sent = 97162, mtime = 0,
  chunked = 1, range = 0x0, clength = 0, remaining = 0, read_length = 0,
  read_body = 0, read_chunked = 0, expecting_100 = 0, headers_in = 0x858ef58,
  headers_out = 0x858f3e8, err_headers_out = 0x858f590, subprocess_env = 0x858f1a0,
  notes = 0x858f6e8, content_type = 0x85d6440 "application/x-javascript",
  handler = 0x82a9398 "application/x-httpd-php", content_encoding = 0x0,
  content_languages = 0x0, vlist_validator = 0x0, user = 0x0, ap_auth_type = 0x0,
  no_cache = 0, no_local_copy = 1,
  unparsed_uri = 0x858fbf0 "/sv3103/javascript/BundleJs.html",
  uri = 0x8590368 "/javascript/BundleJs.php",
  filename = 0x85904a8 "/home/www/socomp/site/javascript/BundleJs.php",
  canonical_filename = 0x85904a8 "/home/www/socomp/site/javascript/BundleJs.php",
  path_info = 0x859041d "", args = 0x0, finfo = {pool = 0x858ed50, valid = 7598448,
    protection = 1636, filetype = APR_REG, user = 1001, group = 1011, inode = 5531843,
    device = 2306, nlink = 1, size = 2672, csize = 0, atime = 1248551697000000,
    mtime = 1229510977000000, ctime = 1229510977000000,
    fname = 0x85903f0 "/home/www/socomp/site/javascript/BundleJs.php", name = 0x0,
    filehand = 0x0}, parsed_uri = {scheme = 0x0, hostinfo = 0x0, user = 0x0,
    password = 0x0, hostname = 0x0, port_str = 0x0,
    path = 0x858fc18 "/sv3103/javascript/BundleJs.html", query = 0x0, fragment = 0x0,
    hostent = 0x0, port = 0, is_initialized = 1, dns_looked_up = 0, dns_resolved = 0},
  used_path_info = 2, per_dir_config = 0x8590708, request_config = 0x858f840,
  htaccess = 0x0, output_filters = 0x85d64a0, input_filters = 0x8590070,
  proto_output_filters = 0x858fb08, proto_input_filters = 0x8590070, eos_sent = 1}

Web site developers are doing black magic with the rewrite engine.

Nicolas.
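Frame #1 of the trace above shows deflate_out_filter handing a (data, len) pair obtained from apr_bucket_read() straight to zlib's crc32(), with data already pointing out of bounds. The following C program is an added example, not code from this bug report, from httpd or from APR: it models that call sequence with a constructed stand-in for a bucket (bucket_t, bucket_read(), STATUS_OK and STATUS_EGENERAL are all assumptions made for this example) and a standard table-driven CRC-32 reimplementation (crc32_update) that matches zlib's crc32() for the same input. The point it shows is the defensive ordering: check the read status and the returned length before hashing, so a failed or empty read never reaches the checksum routine.

```c
/* Added example: guarded "read bucket, then checksum it" pattern.
 * bucket_t / bucket_read() are constructed stand-ins for APR buckets so the
 * file builds without APR or zlib; crc32_update() is a plain CRC-32
 * (polynomial 0xEDB88320, the one zlib's crc32() uses). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STATUS_OK       0   /* assumption: stands in for APR_SUCCESS */
#define STATUS_EGENERAL 1   /* assumption: stands in for a failed read */

/* Constructed stand-in for a bucket: a read either succeeds with (buf, len)
 * or fails, in which case the caller must not touch data/len at all. */
typedef struct {
    const unsigned char *buf;
    size_t len;
    int fail;   /* constructed: force bucket_read() to report an error */
} bucket_t;

static int bucket_read(const bucket_t *b, const unsigned char **data, size_t *len)
{
    if (b->fail || b->buf == NULL) {
        *data = NULL;
        *len = 0;
        return STATUS_EGENERAL;
    }
    *data = b->buf;
    *len = b->len;
    return STATUS_OK;
}

static uint32_t crc_table[256];
static int table_ready = 0;

static void crc32_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    table_ready = 1;
}

/* Reflected CRC-32 over data[0..len), continuing from a previous value;
 * crc32_update(0, "123456789", 9) == 0xCBF43926. */
uint32_t crc32_update(uint32_t crc, const unsigned char *data, size_t len)
{
    if (!table_ready)
        crc32_init();
    crc = ~crc;
    for (size_t i = 0; i < len; i++)
        crc = crc_table[(crc ^ data[i]) & 0xFFu] ^ (crc >> 8);
    return ~crc;
}

/* Guarded version of the filter step: only a successful, non-empty read is
 * hashed. On failure *crc is left untouched and the status is returned so
 * the caller can abort the filter pass instead of feeding a bad pointer to
 * the checksum routine. */
int crc_bucket_guarded(const bucket_t *b, uint32_t *crc)
{
    const unsigned char *data;
    size_t len;
    int rv = bucket_read(b, &data, &len);
    if (rv != STATUS_OK)      /* the unguarded order would hash data here */
        return rv;
    if (len == 0)             /* nothing to hash (e.g. a metadata bucket) */
        return STATUS_OK;
    *crc = crc32_update(*crc, data, len);
    return STATUS_OK;
}

int main(void)
{
    /* Constructed sample buckets: one good, one whose read fails. */
    bucket_t good = { (const unsigned char *)"123456789", 9, 0 };
    bucket_t bad  = { NULL, 625955, 1 };
    uint32_t crc = 0;

    printf("good bucket: status %d, crc 0x%08x\n",
           crc_bucket_guarded(&good, &crc), crc);
    printf("bad bucket:  status %d, crc unchanged 0x%08x\n",
           crc_bucket_guarded(&bad, &crc), crc);
    return 0;
}
```

In the model the failed read is explicit; in a real output filter the equivalent is checking the apr_status_t that apr_bucket_read() returns before using data or len, and returning it up the filter chain on error.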