Bug 91621 - apache-2.0.54 with peruser-mpm segfaults while some modules (I tested webdav only) are enabled
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High normal
Assignee: Apache Team - Bugzilla Reports
 
Reported: 2005-05-05 15:22 UTC by Andrew B. Panfilov
Modified: 2005-05-05 18:05 UTC

Description Andrew B. Panfilov 2005-05-05 15:22:41 UTC
After the Apache changes in core_input_filter (see the changelog http://www.apache.org/dist/httpd/CHANGES_2.0.54),
Apache (peruser-mpm) segfaults when trying to connect via WebDAV.
I know that peruser-mpm is not supported, but maybe it is necessary to wait for an
official patch for apache-2.0.54?


Reproducible: Always

Actual Results:  
=== apache configs ==========
<IfModule peruser.c>
    MinSpareServers     2
    MaxProcessors       1
    MaxClients          150
    MaxRequestsPerChild 0
    ExpireTimeout       1800
    Multiplexer apache apache
    Processor user users
</IfModule>

<VirtualHost *>
    ..............
    Alias /webdav "/var/www/domain.tld"
    <Location /webdav>
        Dav filesystem
        ForceType application/octet-stream
    </Location>
    ServerEnvironment user users
</VirtualHost>
================================

(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1212716192 (LWP 31678)]
0x0808298f in brigade_move (b=0x8310910, a=0x0, e=0x8310968) at core.c:3691
3691            APR_RING_SPLICE_HEAD(&a->list, e, f, apr_bucket, link);
(gdb) bt
#0  0x0808298f in brigade_move (b=0x8310910, a=0x0, e=0x8310968) at
core.c:3691
#1  0x08082da9 in core_input_filter (f=0x830a978, b=0x83184d8,
mode=AP_MODE_READBYTES, block=APR_BLOCK_READ, readbytes=489) at
core.c:3881
#2  0x0807a95a in ap_get_brigade (next=0x830a978, bb=0x4,
mode=AP_MODE_EXHAUSTIVE, block=4, readbytes=137431488) at
util_filter.c:475
#3  0x08062c8a in ap_http_filter (f=0x8317a58, b=0x83184d8,
mode=AP_MODE_READBYTES, block=APR_BLOCK_READ, readbytes=489)
    at http_protocol.c:980
#4  0x0807a95a in ap_get_brigade (next=0x8317a58, bb=0x4,
mode=AP_MODE_EXHAUSTIVE, block=4, readbytes=137431488) at
util_filter.c:475
#5  0x08082955 in net_time_filter (f=0x83175c8, b=0x4,
mode=AP_MODE_READBYTES, block=4, readbytes=2048) at core.c:3657
#6  0x0807a95a in ap_get_brigade (next=0x83175c8, bb=0x4,
mode=AP_MODE_EXHAUSTIVE, block=4, readbytes=137431488) at
util_filter.c:475
#7  0x08088681 in ap_xml_parse_input (r=0x8316940, pdoc=0xbfffdd78) at
util_xml.c:52
#8  0xb7add11b in dav_add_response () from
/usr/lib/apache2/modules/mod_dav.so
#9  0x081adfa8 in ?? ()
#10 0x081bb800 in ?? ()
(gdb) bt full
#0  0x0808298f in brigade_move (b=0x8310910, a=0x0, e=0x8310968) at
core.c:3691
        f = (apr_bucket *) 0x8310910
#1  0x08082da9 in core_input_filter (f=0x830a978, b=0x83184d8,
mode=AP_MODE_READBYTES, block=APR_BLOCK_READ, readbytes=489) at
core.c:3881
        e = (apr_bucket *) 0x8310968
        e = (apr_bucket *) 0x4
        rv = 137431312
        net = (core_net_rec *) 0x83109c0
        ctx = (core_ctx_t *) 0x830a9a8
        str = 0x8312908 "<?xml version=\"1.0\" encoding=\"UTF-8\"
?>\r\n<a:propfind xmlns:a=\"DAV:\"
xmlns:b=\"urn:schemas-microsoft-com:datatypes\">\r\n<a:prop>\r\n<a:name/>\r\n<a:parentname/>\r\n<a:href/>\r\n<a:ishidden/>\r\n<a:isreadonly/>\r\n<a:"...
        len = 489
#2  0x0807a95a in ap_get_brigade (next=0x830a978, bb=0x4,
mode=AP_MODE_EXHAUSTIVE, block=4, readbytes=137431488) at
util_filter.c:475
No locals.
#3  0x08062c8a in ap_http_filter (f=0x8317a58, b=0x83184d8,
mode=AP_MODE_READBYTES, block=APR_BLOCK_READ, readbytes=489)
    at http_protocol.c:980
        e = (apr_bucket *) 0x8310910
        ctx = (http_ctx_t *) 0x83184f8
        rv = -1212716224
        totalread = 3084154324
#4  0x0807a95a in ap_get_brigade (next=0x8317a58, bb=0x4,
mode=AP_MODE_EXHAUSTIVE, block=4, readbytes=137431488) at
util_filter.c:475
No locals.
#5  0x08082955 in net_time_filter (f=0x83175c8, b=0x4,
mode=AP_MODE_READBYTES, block=4, readbytes=2048) at core.c:3657
        ctx = (net_time_filter_ctx_t *) 0x8317648
        keptalive = 0
#6  0x0807a95a in ap_get_brigade (next=0x83175c8, bb=0x4,
mode=AP_MODE_EXHAUSTIVE, block=4, readbytes=137431488) at
util_filter.c:475
No locals.
#7  0x08088681 in ap_xml_parse_input (r=0x8316940, pdoc=0xbfffdd78) at
util_xml.c:52
        bucket = (apr_bucket *) 0xb7aec5ec
        parser = (apr_xml_parser *) 0x8318478
        brigade = (apr_bucket_brigade *) 0x83184d8
        seen_eos = 0
        status = 4
        errbuf =
"|j1\b&#1093;&#1101;nB0j1\b&#9563;D&#1089;&#9573;&#9559;&#1098;\032\b(\005\e\b\000\000\000\000\220E&#1089;&#9573;\000\000\000\000B~1\b!\000\000\000L0&#1089;&#9573;I\2041\bA~1\b\000\000\000\000\000\000\000\000&#1058;&#1101;&#1066;©\000&#1097;&#1066;©\002\000\000\000(\2041\b!\000\000\000\000\000\000\000&#1066;&#1066;&#1066;&#1066;\000\000\000\000&#1066;&#1066;&#1066;&#1066;\000\000\000\000\000\000\000\000y&#9553;&#9564;&#9573;\200\2011\b`&#1093;&#9565;&#9573;&#1051;&#1077;&#9565;&#9573;©&#9553;&#9564;&#9573;@i1\bJ\2041\bD\000\000\000`Z&#1090;&#9573;Xl1\bTPEDXl1\b&#9570;I&#1089;&#9573;\030x1\b&#1087;k&#9565;&#9573;1\000\000\000&#1051;&#1077;&#9565;&#9573;\037x1\b@i1\b@i1\b&#1058;&#9562;&#9564;&#9573;\037x1\b&#1078;k&#9565;&#9573;"
        total_read = 0
        limit_xml_body = 1000000
        result = 400
#8  0xb7add11b in dav_add_response () from
/usr/lib/apache2/modules/mod_dav.so
No symbol table info available.
#9  0x081adfa8 in ?? ()
No symbol table info available.
#10 0x081bb800 in ?? ()
No symbol table info available.
(gdb)
Comment 2 Paul Querna 2005-05-05 18:05:18 UTC
I took a look at the code, and it is a peruser problem.

In the peruser_process_connection() function, they wrongly fill the core_input_filter's context.  This context is a private structure and should not be created with the method they used.

Yes, this structure was changed in 2.0.54, to fix a bug.  Peruser needs to fix this UPSTREAM.
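The diagnosis above describes a layout-coupling bug: the MPM allocates and fills a struct that belongs to the core input filter, so when the core adds a field (2.0.54 did exactly that to fix a bug), the MPM-built context is silently incomplete and the filter dereferences a NULL pointer, which is the a=0x0 argument to brigade_move in the backtrace. The program below is an added illustration of that mechanism, not code from Apache httpd or the peruser MPM; every name in it (core_ctx_t, tmpbb, core_ctx_create, mpm_hand_build_ctx, the one-field brigade_t) is a hypothetical stand-in and it does not reproduce the real core_ctx_t layout. It contrasts a context built by the owning module's constructor with one hand-built by a third-party MPM that only knows the older layout, and shows why the owner's constructor is the only stable interface.

```c
/* Added illustration, not code from Apache httpd or the peruser MPM.
 * All struct and function names below are hypothetical stand-ins. */
#include <stdlib.h>

/* Stand-in for an APR bucket brigade: only a count of queued buckets. */
typedef struct brigade { int nbuckets; } brigade_t;

static brigade_t *brigade_create(int nbuckets)
{
    brigade_t *b = calloc(1, sizeof *b);
    if (b) b->nbuckets = nbuckets;
    return b;
}

/* Private context of the core input filter. The owning module is free to
 * add fields between releases; no other module is supposed to know the
 * layout, let alone allocate and fill it. */
typedef struct core_ctx {
    brigade_t *b;      /* buffered input, present in the "old" layout  */
    brigade_t *tmpbb;  /* scratch brigade added in the "new" layout    */
} core_ctx_t;

/* The supported way to obtain a context: every field is initialised. */
static core_ctx_t *core_ctx_create(int pending)
{
    core_ctx_t *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    ctx->b = brigade_create(pending);
    ctx->tmpbb = brigade_create(0);
    return ctx;
}

/* What a third-party MPM does when it builds the private struct itself:
 * a zero-filled allocation (as apr_pcalloc would give) and only the fields
 * it knew about when it was written. tmpbb is left NULL. Had the MPM been
 * compiled against the smaller old struct, the core would even read past
 * the end of the allocation; here the allocation is deliberately the new
 * size so the missing field is a well-defined NULL. */
static core_ctx_t *mpm_hand_build_ctx(int pending)
{
    core_ctx_t *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    ctx->b = brigade_create(pending);
    return ctx;
}

/* Simplified stand-in for core.c's brigade_move(): move up to n buckets
 * from `from` to `to`. The real function splices into the destination's
 * list head without checking it; with a NULL destination that dereference
 * is the SIGSEGV in the backtrace. This stand-in reports it instead. */
static int brigade_move(brigade_t *from, brigade_t *to, int n)
{
    if (!from || !to) return -1;
    if (n > from->nbuckets) n = from->nbuckets;
    from->nbuckets -= n;
    to->nbuckets += n;
    return 0;
}

/* Simplified input-filter step. Returns the number of buckets now held in
 * the scratch brigade, or -1 when the context was not built by the core
 * (the check exists only to make the failure observable in a test). */
static int core_input_step(core_ctx_t *ctx, int readbytes)
{
    if (!ctx || !ctx->b || !ctx->tmpbb) return -1;
    if (brigade_move(ctx->b, ctx->tmpbb, readbytes) != 0) return -1;
    return ctx->tmpbb->nbuckets;
}

static void core_ctx_destroy(core_ctx_t *ctx)
{
    if (!ctx) return;
    free(ctx->b);
    free(ctx->tmpbb);
    free(ctx);
}

int main(void)
{
    core_ctx_t *good = core_ctx_create(5);
    core_ctx_t *bad  = mpm_hand_build_ctx(5);
    int ok  = core_input_step(good, 3);   /* 3: three buckets moved */
    int err = core_input_step(bad, 3);    /* -1: tmpbb was never set */
    core_ctx_destroy(good);
    core_ctx_destroy(bad);
    return (ok == 3 && err == -1) ? 0 : 1;
}
```

The NULL check in core_input_step is a convenience for the demonstration, not the fix: the filter has every right to assume a context it did not create does not exist. The durable fix is on the MPM side, as the comment above says: obtain the context through whatever the owning module exposes rather than reproducing its private struct, so that a layout change in the core cannot leave fields uninitialised.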