Bug#537665: apache2.2-common: segfault in crc32 when using deflate since last security upgrade
* Stefan Fritsch <sf@sfritsch.de> [2009-07-24 18:38]:
> >> > [Sun Jul 19 19:53:53 2009] [notice] child pid 12637 exit signal
> >> > Segmentation fault (11)
> >> I can't reproduce this. Please post your mod_deflate configuration.
> >> Thanks.
> > Here it is:
> Thanks. It didn't help me to reproduce the bug, though.
> > The server is getting about 30000 hits a day according to awstats,
> > but the bug is triggered only once or twice a day.
> And if the problem appears that rarely, I don't see much chance of
> that.
> Can you recompile the apache2 packages with the env variable
> DEB_BUILD_OPTIONS=nostrip set, install the recompiled packages and
> libapr1-dbg and libaprutil1-dbg, and libz-dbg, and generate another stack
> trace (with 'bt full' in gdb)?
There is no libz-dbg in etch.
Here is my last bt full with apache not stripped, libapr1-dbg and
libaprutil1-dbg:
(gdb) bt full
#0 0xb793d175 in crc32 () from /usr/lib/libz.so.1
No symbol table info available.
#1 0xb78834d5 in deflate_out_filter (f=0x85d6480, bb=0x85d63a8)
at /home/nico/tmp/apache2-2.2.3/modules/filters/mod_deflate.c:537
data = 0xb6567018 <Address 0xb6567018 out of bounds>
b = <value optimized out>
len = 625955
done = <value optimized out>
e = <value optimized out>
r = (request_rec *) 0x858ed88
ctx = (deflate_ctx *) 0x85d64e0
zRC = <value optimized out>
#2 0xb755b7ce in php_ap2_register_hook () from /usr/lib/apache2/modules/libphp5.so
No symbol table info available.
#3 0x08074677 in ap_run_handler (r=0x858ed88)
at /home/nico/tmp/apache2-2.2.3/server/config.c:158
n = -1217153792
rv = 1282601935
#4 0x08077821 in ap_invoke_handler (r=0x858ed88)
at /home/nico/tmp/apache2-2.2.3/server/config.c:372
handler = 0x82a9398 "application/x-httpd-php"
result = <value optimized out>
old_handler = 0x0
#5 0x08084908 in ap_process_request (r=0x858ed88)
at /home/nico/tmp/apache2-2.2.3/modules/http/http_request.c:258
access_status = 625955
#6 0x08081b7e in ap_process_http_connection (c=0x8546710)
at /home/nico/tmp/apache2-2.2.3/modules/http/http_core.c:184
r = (request_rec *) 0x858ed88
csd = (apr_socket_t *) 0x0
#7 0x0807b4b7 in ap_run_process_connection (c=0x8546710)
at /home/nico/tmp/apache2-2.2.3/server/connection.c:43
n = 1
rv = 1282601935
#8 0x0808892f in child_main (child_num_arg=<value optimized out>)
at /home/nico/tmp/apache2-2.2.3/server/mpm/prefork/prefork.c:664
numdesc = 1
pdesc = (const apr_pollfd_t *) 0x8544618
current_conn = (conn_rec *) 0x8546710
csd = (void *) 0x8546578
ptrans = (apr_pool_t *) 0x8546540
allocator = (apr_allocator_t *) 0x85444b0
status = <value optimized out>
i = <value optimized out>
lr = <value optimized out>
pollset = (apr_pollset_t *) 0x85445c8
sbh = (ap_sb_handle_t *) 0x85445c0
bucket_alloc = (apr_bucket_alloc_t *) 0x854a720
last_poll_idx = 1
#9 0x08088c6a in make_child (s=0x80a48c0, slot=33)
at /home/nico/tmp/apache2-2.2.3/server/mpm/prefork/prefork.c:761
pid = 0
#10 0x0808959e in ap_mpm_run (_pconf=0x80a00d0, plog=0x80d2198, s=0x80a48c0)
at /home/nico/tmp/apache2-2.2.3/server/mpm/prefork/prefork.c:896
status = 0
pid = {pid = -1, in = 0x809a260, out = 0x2, err = 0xa00d0}
child_slot = <value optimized out>
exitwhy = APR_PROC_EXIT
processed_status = <value optimized out>
index = <value optimized out>
remaining_children_to_start = 0
rv = <value optimized out>
#11 0x0806224f in main (argc=134865224, argv=0x80c3d38)
at /home/nico/tmp/apache2-2.2.3/server/main.c:717
exit_status = 0
c = 0 '\0'
configtestonly = 0
confname = 0x808b7f3 "/etc/apache2/apache2.conf"
def_server_root = 0x808f9ce ""
temp_error_log = 0x0
error = <value optimized out>
process = (process_rec *) 0x809e148
server_conf = <value optimized out>
pglobal = (apr_pool_t *) 0x809e0c8
pconf = (apr_pool_t *) 0x80a00d0
plog = (apr_pool_t *) 0x80d2198
ptemp = (apr_pool_t *) 0x80d91b0
pcommands = (apr_pool_t *) 0x80a20d8
opt = (apr_getopt_t *) 0x80a2170
rv = 0
optarg = 0xb7ae6976 "OPENSSL_ia32cap"
I suppose the "data" pointer is supposed to be provided by "apr_bucket_read(e,
&data, &len, APR_BLOCK_READ);" in frame 1 on the line above.
This might be interesting:
(gdb) select 1
(gdb) p *r
$8 = {pool = 0x858ed50, connection = 0x8546710, server = 0x82cf458, next = 0x0,
prev = 0x0, main = 0x0,
the_request = 0x858fb70 "GET /sv3103/javascript/BundleJs.html HTTP/1.1",
assbackwards = 0, proxyreq = 0, header_only = 0, protocol = 0x858fc40 "HTTP/1.1",
proto_num = 1001, hostname = 0x8590058 "be.socompetent.com",
request_time = 1248551974854163, status_line = 0x8091d73 "200 OK", status = 200,
method = 0x858fbc0 "GET", method_number = 0, allowed = 0, allowed_xmethods = 0x0,
allowed_methods = 0x858ef28, sent_bodyct = 1, bytes_sent = 97162, mtime = 0,
chunked = 1, range = 0x0, clength = 0, remaining = 0, read_length = 0,
read_body = 0, read_chunked = 0, expecting_100 = 0, headers_in = 0x858ef58,
headers_out = 0x858f3e8, err_headers_out = 0x858f590, subprocess_env = 0x858f1a0,
notes = 0x858f6e8, content_type = 0x85d6440 "application/x-javascript",
handler = 0x82a9398 "application/x-httpd-php", content_encoding = 0x0,
content_languages = 0x0, vlist_validator = 0x0, user = 0x0, ap_auth_type = 0x0,
no_cache = 0, no_local_copy = 1,
unparsed_uri = 0x858fbf0 "/sv3103/javascript/BundleJs.html",
uri = 0x8590368 "/javascript/BundleJs.php",
filename = 0x85904a8 "/home/www/socomp/site/javascript/BundleJs.php",
canonical_filename = 0x85904a8 "/home/www/socomp/site/javascript/BundleJs.php",
path_info = 0x859041d "", args = 0x0, finfo = {pool = 0x858ed50, valid = 7598448,
protection = 1636, filetype = APR_REG, user = 1001, group = 1011, inode = 5531843,
device = 2306, nlink = 1, size = 2672, csize = 0, atime = 1248551697000000,
mtime = 1229510977000000, ctime = 1229510977000000,
fname = 0x85903f0 "/home/www/socomp/site/javascript/BundleJs.php", name = 0x0,
filehand = 0x0}, parsed_uri = {scheme = 0x0, hostinfo = 0x0, user = 0x0,
password = 0x0, hostname = 0x0, port_str = 0x0,
path = 0x858fc18 "/sv3103/javascript/BundleJs.html", query = 0x0, fragment = 0x0,
hostent = 0x0, port = 0, is_initialized = 1, dns_looked_up = 0, dns_resolved = 0},
used_path_info = 2, per_dir_config = 0x8590708, request_config = 0x858f840,
htaccess = 0x0, output_filters = 0x85d64a0, input_filters = 0x8590070,
proto_output_filters = 0x858fb08, proto_input_filters = 0x8590070, eos_sent = 1}
Web site developers are doing black magic with the rewrite engine.
Nicolas.