| Summary: | Cannot start apache server with ZendOptimizer and glibc-2.9 on hardened | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Miroslav Šulc <fordfrog> |
| Component: | [OLD] Server | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | normal | CC: | hollow, james, shpac, skunk |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
|
Description
Miroslav Šulc
2009-08-05 13:53:36 UTC
just a note, i think the problem is zend optimizer is not compatible with glibc-2.9 as this happened to me even before with new releases of glibc and slacking releases of zend optimizer that would work with new glibc. I think I recall a comment saying that php upstream is aware that >=php-5.2.10 are incompatible with ZendOptimizer. thx, i found that info: http://forums.zend.com/viewtopic.php?f=57&t=1655 tried to downgrade php to 5.2.9-r2 but did not help :-( i searched the logs again and found this: Aug 5 23:02:31 titan apache2[6763]: segfault at 50d51ed0 ip 50d3c6d3 sp 5b598500 error 7 in ld-2.9.so[50d35000+1c000] Aug 5 23:02:31 titan grsec: From xxx.xxx.xxx.xxx: signal 11 sent to /usr/sbin/apache2[apache2:6763] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 Please paste the output of 'emerge --info' into a bugzilla comment to assist the maintainers in resolving this issue (In reply to comment #5) > Please paste the output of 'emerge --info' into a bugzilla comment to assist > the maintainers in resolving this issue > Ignore this please, what I do need however is the sequence of emerges you did. Did you emerge all 3 at the same time? If you updated, from what did you update on each of the 3. If you did not update one of these 3 and only updated two, or even only updated one, that information would be very useful. An additional test you can do if you are up to it is restore your machine to the original state, and emerge/update just one of the 3 and see if things work or not. Repeat until you get to the broken state. Doing so would allow us to identify which package is the issue or even which two packages are the issue. state before update (probably): apache-apache-2.2.11 php-5.2.9-r2 ZendOptimizer-3.3.0 (installed manually, not from ebuild) glibc-2.8_p20080602-r1 state after update: apache-apache-2.2.11 php-5.2.10 (then downgraded back to 5.2.9-r2) ZendOptimizer-3.3.3-r1 (installed both manually, from ebuild, the same results) glibc-2.9_p20081201-r2 downgrading php to the original version did not help. i do not want to downgrade glibc as i don't want to risk my system will become unusable and i would have to go to the housing company and reinstall the whole server. apache is the same version, just different revision. the only thing i did not try to downgrade is zend optimizer. when trying to start apache, when php and zend optimizer are activated, i get this in kern.log when apache php5 module is being loaded: Aug 5 23:02:31 titan apache2[6763]: segfault at 50d51ed0 ip 50d3c6d3 sp 5b598500 error 7 in ld-2.9.so[50d35000+1c000] Aug 5 23:02:31 titan grsec: From xxx.xxx.xxx.xxx: signal 11 sent to /usr/sbin/apache2[apache2:6763] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 as apache with php starts without problems when zend optimizer is disabled, i guess the problem is zend optimizer is not compatible with glibc-2.9 and crashes when trying to access some address at ld-2.9.so. so i guess probably the only solution is to get some patch/updated library from zend. i emailed them tonight but got no response yet. i just needed to set up zend optimizer on another machine (hardened amd64) with php-5.2.10, ZendOptimizer-3.3.3-r1 and glibc-2.9_p20081201-r2 and it works without any problem. so i have the problem only on hardened x86 system. please try if this is still an issue with ZendOptimizer 3.3.9 (which has just been added to the tree) and reopen this bug if it still does not work have the same problem in hardened x86 and zend:
glibc 9, 10 zendoptimazer 3.2.8, 3.3.9
php -c ./php-zend328.ini
Segmentation fault
php -c php-zend339.ini
Segmentation fault
strace:
munmap(0x4bfed000, 4096) = 0
stat64("php-zend339.ini", {st_mode=S_IFREG|0644, st_size=44482, ...}) = 0
open("php-zend339.ini", O_RDONLY) = 3
getcwd("/usr/local/Zend/lib", 4096) = 20
lstat64("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/usr/local", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/usr/local/Zend", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/usr/local/Zend/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/usr/local/Zend/lib/php-zend339.ini", {st_mode=S_IFREG|0644, st_size=44482, ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0x5871f1a8) = -1 ENOTTY (Inappropriate ioctl for device)
fstat64(3, {st_mode=S_IFREG|0644, st_size=44482, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4bfed000
read(3, "[PHP]\n\n;;;;;;;;;;;\n; WARNING ;\n;"..., 8192) = 8192
read(3, "refixes. In Safe Mode,\n; the us"..., 8192) = 8192
read(3, " Registration is done from left "..., 8192) = 8192
read(3, "onv.internal_encoding = ISO-8859"..., 8192) = 8192
read(3, "stent = -1\n\n; Maximum number of "..., 8192) = 8192
read(3, " false\n; show warnings on duplic"..., 8192) = 3522
read(3, "", 4096) = 0
read(3, "", 8192) = 0
close(3) = 0
munmap(0x4bfed000, 4096) = 0
brk(0x11154000) = 0x11154000
futex(0x4bb3202c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/local/Zend/lib/ZendOptimizer.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300G\2\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1432456, ...}) = 0
mmap2(NULL, 1445164, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4b6a5000
mmap2(0x4b7f0000, 69632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14b) = 0x4b7f0000
mmap2(0x4b801000, 19756, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4b801000
mprotect(0x4c00b000, 3796, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault
it was helpfull for me: paxctl -m php-cgi but, befor glibc upgrade all works fine without paxctl =( the same problem here, i had to paxctl -m /usr/sbin/apache2 any better workaround? Portage 2.1.6.13 (hardened/linux/amd64/10.0/no-multilib, gcc-4.3.4, glibc-2.10.1-r1, 2.6.28-hardened-r9 x86_64) ================================================================= System uname: Linux-2.6.28-hardened-r9-x86_64-Intel-R-_Xeon-R-_CPU_X3430_@_2.40GHz-with-gentoo-1.12.13 Timestamp of tree: Fri, 22 Jan 2010 14:00:01 +0000 app-shells/bash: 4.0_p35 dev-lang/python: 2.6.4 sys-apps/baselayout: 1.12.13 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.63-r1 sys-devel/automake: 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6b virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -march=native -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -march=native -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="acl amd64 berkdb bzip2 cli cracklib crypt cups cxx dri gdbm gpm hardened iconv justify mbox mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection session spl sse sse2 ssl sysfs tcpd unicode urandom vhosts xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY It is a dupe of 264856 *** This bug has been marked as a duplicate of bug 264856 *** |