
Bug 98871

Summary: mod_php 4.4.0 crash apache on every HTTP request
Product: Gentoo Linux Reporter: Romang <zataz>
Component: Current packages
Assignee: PHP Bugs <php-bugs>
Status: RESOLVED DUPLICATE    
Severity: normal CC: apache-bugs, gentoo.org
Priority: High    
Version: 2005.0   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Romang 2005-07-13 04:36:37 UTC
Hello,

My current configuration:

[ebuild   R   ] dev-php/mod_php-4.3.11  -X +apache2 +berkdb +crypt -curl -debug -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp -hardenedphp +imap -informix -ipv6 +java +jpeg -kerberos -ldap +mcal +memlimit -mssql +mysql -nls -oci8 -odbc +pam +png -postgres +snmp +spell +ssl +tiff +truetype +xml2 -yaz 0 kB

Calculating dependencies ...done!
[ebuild   R   ] net-www/apache-2.0.54-r8  +berkdb -doc +gdbm -ipv6 -ldap (-selinux) +ssl -static +threads 0 kB

[root@www mod_php]$emerge info
Portage 2.0.51.22-r1 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz
Gentoo Base System version 1.4.16
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.10
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r7
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.4.19-r1, 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm bash-completion berkdb bitmap-fonts crypt curl emboss encode fbcon foomaticdb fortran gd gdbm gif gpm imagemagick imap innodb java jpeg libg++ libwww mad maildir mcal memlimit mikmod motif mp3 mysql ncurses pam pdflib perl png python readline sasl sdl slang snmp spell ssl svga tcpd tiff truetype truetype-fonts type1-fonts virus-scan xml2 xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY


If I update to mod_php 4.4.0:

[ebuild  NS   ] dev-php/mod_php-4.4.0  -X +apache2 +berkdb +crypt -curl -debug -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp -hardenedphp +imap -informix -ipv6 +java +jpeg -kerberos -ldap +mcal +memlimit -mssql +mysql -nls -oci8 -odbc +pam +png -postgres +snmp +spell +ssl +tiff +truetype +xml2 -yaz 0 kB

I got this for every Apache process:

 www kernel: grsec: From 82.127.209.235: signal 11 sent to /usr/sbin/apache2[apache2:16845] uid/euid:1001/1001 gid/egid:440/440, parent /usr/sbin/apache2[apache2:5356] uid/euid:0/0 gid/egid:0/0

Apache + mod_php doesn't run with my mod_php 4.4.0 configuration.

Regards.
Comment 1 solar (RETIRED) gentoo-dev 2005-07-13 05:00:16 UTC
jakub, I have no idea why you just assigned this to hardened. The user 
is simply using a kernel with grsec signal logging support enabled. The
logging of the signal 11 (SIGSEGV) is no more than it logging that the
event happened. In no way does grsec send signals to programs.
http://www.grsecurity.net/wiki/index.php/GrsecurityFAQ

Please assign bugs to the maintainer of a given package and add 
respective groups which you might think should be involved/interested to
the CC: vs assigning it to them.
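As comment 1 says, the grsec line quoted above is only a record that SIGSEGV was delivered to an Apache worker. An added example, not part of this bug thread, of parsing such kernel log lines so a defender can count crash signals per binary after an upgrade and pick out the pattern seen here (an unprivileged child of a root-owned parent of the same binary). The field layout is taken from the single line in this report, so it is an assumption rather than grsecurity's documented format; the sample log is constructed (the first line is the report's, the rest are invented variants).

```python
"""Parse grsecurity "signal N sent to" kernel log lines and summarise crashes.

Added example. The regex is derived from the one line quoted in the bug report,
not from grsecurity's source, so the field layout is an assumption.
"""
import re
import signal
from collections import Counter

# Constructed sample log. Line 1 is the line from the bug report (with a
# syslog timestamp prepended); the others are invented variants: a second
# worker crash, a SIGTERM to the root parent, and an unrelated sshd line.
SAMPLE_LOG = """\
Jul 13 04:30:01 www kernel: grsec: From 82.127.209.235: signal 11 sent to /usr/sbin/apache2[apache2:16845] uid/euid:1001/1001 gid/egid:440/440, parent /usr/sbin/apache2[apache2:5356] uid/euid:0/0 gid/egid:0/0
Jul 13 04:30:02 www kernel: grsec: From 82.127.209.235: signal 11 sent to /usr/sbin/apache2[apache2:16846] uid/euid:1001/1001 gid/egid:440/440, parent /usr/sbin/apache2[apache2:5356] uid/euid:0/0 gid/egid:0/0
Jul 13 04:31:00 www kernel: grsec: From 10.0.0.5: signal 15 sent to /usr/sbin/apache2[apache2:5356] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 13 04:31:01 www sshd[123]: Accepted publickey for admin from 10.0.0.5
"""

# One "<path>[<comm>:<pid>] uid/euid:a/b gid/egid:c/d" process description;
# `p` prefixes the group names so the template can be used twice in one regex.
_PROC = (
    r"(?P<{p}path>[^\s\[]+)\[(?P<{p}comm>[^\]:]+):(?P<{p}pid>\d+)\] "
    r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
    r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)"
)
GRSEC_SIGNAL_RE = re.compile(
    r"grsec: From (?P<src>[0-9A-Fa-f.:]+): signal (?P<sig>\d+) sent to "
    + _PROC.format(p="")
    + ", parent "
    + _PROC.format(p="parent_")
)

# Signals that indicate the process died of a fault rather than being told to stop.
FATAL = {"SIGSEGV", "SIGBUS", "SIGILL", "SIGABRT", "SIGFPE"}


def parse_line(line):
    """Return a dict of fields for a grsec signal line, or None for other lines."""
    m = GRSEC_SIGNAL_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key, val in ev.items():
        if key != "src" and not key.endswith(("path", "comm")):
            ev[key] = int(val)
    try:
        ev["signame"] = signal.Signals(ev["sig"]).name
    except ValueError:
        ev["signame"] = "SIG%d" % ev["sig"]
    return ev


def parse_log(text):
    """Parse every line of a log excerpt, skipping lines that are not grsec signal records."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def crash_summary(events):
    """Count fault signals per binary: the figure to watch after a package upgrade."""
    return Counter(ev["path"] for ev in events if ev["signame"] in FATAL)


def worker_crashes(events):
    """Faults in an unprivileged child whose parent is the same binary running as
    root, i.e. the prefork worker pattern in the report. The log line records only
    that the signal was delivered; correlating with the access log says which
    request the worker was handling."""
    return [
        ev for ev in events
        if ev["signame"] in FATAL
        and ev["uid"] != 0
        and ev["parent_uid"] == 0
        and ev["path"] == ev["parent_path"]
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for path, n in crash_summary(evs).items():
        print("%s: %d fault(s)" % (path, n))
    for ev in worker_crashes(evs):
        print("worker pid %d (uid %d) got %s, parent pid %d"
              % (ev["pid"], ev["uid"], ev["signame"], ev["parent_pid"]))
```

The SIGTERM line is deliberately excluded from both summaries: a signal sent to the root parent on shutdown is normal operation, and mixing it into a crash count is the usual mistake when grepping `grsec:` lines by hand.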
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2005-07-13 05:04:56 UTC
(In reply to comment #1)
> jakub, I have no idea why you just assigned this to hardened. 

Sorry, I'm not that familiar w/ hardened, so I probably mis-assigned the bug;
not something that would need a two-paragraph mentoring, I guess... Thanks for
the explanation anyway.

Removing myself from CC. 
Comment 3 Marcel Meckel 2005-07-13 06:04:01 UTC
Same here, mod_php 4.4.0 and gentoo-hardened kernel -> segfaults

# emerge info
Portage 2.0.51.22-r1 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Celeron(R) CPU 2.40GHz
Gentoo Base System version 1.6.12
ccache version 2.3 [disabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.10
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 arts avi bash-completion berkdb bitmap-fonts crypt curl devfs26 emboss encode foomaticdb gd gdbm gif hardened hardenedphp imagemagick imap imlib jpeg junit kde libg++ mbox memlimit mmx mmx2 motif mp3 ncurses nls noantlr nobcel nobeanutils nobsh nocommonslogging nocommonsnet nojdepend nojsch nojython nolog4j nooro nopop3d noregexp norhino noxerces oggvorbis opengl oss pam pcre perl php png posix quicktime rtc sasl sdl sse sse2 ssl tcpd tiff truetype truetype-fonts type1 type1-fonts xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
Comment 4 Romang 2005-07-14 02:01:34 UTC
Hello,

Yesterday somebody gave me this link for the mod_php 4.4.0 bugs ->
http://www.gentoo.org/proj/en/apache/troubleshooting.xml

Apache doesn't segfault with 4.3.1, only with 4.4.0, so it's not an Apache problem.

Regards.
Comment 5 Romang 2005-07-25 00:58:26 UTC
Hello,

I have removed some USE flags I don't need.

[root@www ~]$emerge -pv mod_php

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild  NS   ] dev-php/mod_php-4.4.0  -X +apache2 +berkdb +crypt +curl -debug -doc -fdftk -firebird -flash -freetds +gd -gd-external -gdbm -gmp -hardenedphp +imap -informix -ipv6 -java +jpeg -kerberos -ldap +mcal +memlimit -mssql +mysql -nls -oci8 -odbc +pam +png -postgres +snmp -spell +ssl -tiff +truetype +xml2 -yaz 0 kB

The same result.

Regards.
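The reporter has now posted two `emerge -pv` lines for mod_php 4.4.0 that differ in a handful of USE flags, plus the working 4.3.11 line in the original description. As an added example that is not part of this bug thread, a small parser for Portage's `[ebuild ...]` output that splits the package atom from its USE flags and diffs the enabled sets between pastes; this is how a triager confirms that the working 4.3.11 build and the first crashing 4.4.0 build were configured identically, and which flags the reporter dropped in comment 5. The three lines are copied from this report; the dictionary labels, the regex and the helper names are mine.

```python
"""Parse Portage "[ebuild ...]" lines and diff USE flags between two pastes.

Added example; the line format is inferred from the pastes in this bug report.
"""
import re

# The three ebuild lines quoted in the report (labels are mine).
EBUILD_LINES = {
    "4.3.11 (working)": "[ebuild   R   ] dev-php/mod_php-4.3.11  -X +apache2 +berkdb +crypt -curl -debug -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp -hardenedphp +imap -informix -ipv6 +java +jpeg -kerberos -ldap +mcal +memlimit -mssql +mysql -nls -oci8 -odbc +pam +png -postgres +snmp +spell +ssl +tiff +truetype +xml2 -yaz 0 kB",
    "4.4.0 (first report)": "[ebuild  NS   ] dev-php/mod_php-4.4.0  -X +apache2 +berkdb +crypt -curl -debug -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp -hardenedphp +imap -informix -ipv6 +java +jpeg -kerberos -ldap +mcal +memlimit -mssql +mysql -nls -oci8 -odbc +pam +png -postgres +snmp +spell +ssl +tiff +truetype +xml2 -yaz 0 kB",
    "4.4.0 (comment 5)": "[ebuild  NS   ] dev-php/mod_php-4.4.0  -X +apache2 +berkdb +crypt +curl -debug -doc -fdftk -firebird -flash -freetds +gd -gd-external -gdbm -gmp -hardenedphp +imap -informix -ipv6 -java +jpeg -kerberos -ldap +mcal +memlimit -mssql +mysql -nls -oci8 -odbc +pam +png -postgres +snmp -spell +ssl -tiff +truetype +xml2 -yaz 0 kB",
}

# "[ebuild <status letters>] <category/pkg-version> <use flags...> <size> kB"
EBUILD_RE = re.compile(
    r"^\[ebuild\s+(?P<status>[A-Za-z ]*?)\s*\]\s+(?P<atom>\S+)\s+(?P<use>.*)\s+(?P<size>\d+)\s*kB$"
)


def parse_ebuild_line(line):
    """Return (atom, enabled_flags, disabled_flags) for one emerge -pv line."""
    m = EBUILD_RE.match(line.strip())
    if not m:
        raise ValueError("not an ebuild line: %r" % line)
    enabled, disabled = set(), set()
    for tok in m.group("use").split():
        tok = tok.strip("()")          # "(-selinux)" marks a forced/masked flag
        if tok.startswith("+"):
            enabled.add(tok[1:])
        elif tok.startswith("-"):
            disabled.add(tok[1:])
    return m.group("atom"), enabled, disabled


def split_atom(atom):
    """'dev-php/mod_php-4.4.0' -> ('dev-php', 'mod_php', '4.4.0')."""
    category, pkg = atom.split("/", 1)
    m = re.match(r"(.+?)-(\d.*)$", pkg)    # version starts at the first '-<digit>'
    return category, m.group(1), m.group(2)


def flag_state(parsed, flag):
    """'+', '-' or None (flag not shown for this package)."""
    _, enabled, disabled = parsed
    if flag in enabled:
        return "+"
    if flag in disabled:
        return "-"
    return None


def diff_use(a, b):
    """Flags enabled in paste a but not b, and enabled in b but not a."""
    return sorted(a[1] - b[1]), sorted(b[1] - a[1])


if __name__ == "__main__":
    parsed = {label: parse_ebuild_line(line) for label, line in EBUILD_LINES.items()}
    for label, (atom, enabled, _) in parsed.items():
        print("%-22s %-28s %d flags enabled" % (label, atom, len(enabled)))
    only_old, only_new = diff_use(parsed["4.4.0 (first report)"], parsed["4.4.0 (comment 5)"])
    print("dropped between reports:", only_old, " added:", only_new)
```

With the report's own lines the 4.3.11 and first 4.4.0 pastes diff to nothing, which is what lets the reporter say the regression is in the version rather than the flags; the comment 5 paste drops gdbm, java, spell and tiff and adds curl.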
Comment 6 Wolf Giesen (RETIRED) gentoo-dev 2005-07-25 02:40:30 UTC
Just my two cents:

Could not reproduce yet. I'm using 4.4 on three production servers
(x86/NPTL/prefork) without problems (except that it does not build with
+kerberos). Rebuilt apache+mod_php on a test server to see whether it would
crash with USE="threads" (mpm_worker). It does not. I'd suspect grsec, as I
don't see any other dramatic differences.
Comment 7 Martin Mokrejš 2005-07-25 19:06:12 UTC
How about different libmysqlclient.so versions expected by apache, mod_php and
mod_python? I had a problem with mod_php x mod_python when both used libmysqlclient.so.
Comment 8 Alvin A ONeal Jr 2005-08-10 17:42:09 UTC
USE="gd-external" fixes it

:-)


NOTE: Also applies to mod_php-4.4.0-r1
Comment 9 Stuart Herbert (RETIRED) gentoo-dev 2005-08-25 15:09:03 UTC
Hi,

I need to know which Apache2 MPM you are using.  If you're not using prefork or
peruser, you're on your own, as we don't provide support for threaded mod_php.

Please create a backtrace (http://bugs.php.net/bugs-generating-backtrace.php)
and post the results here.

Best regards,
Stu
Comment 10 Marcel Meckel 2005-10-15 19:09:38 UTC
# emerge info
Portage 2.0.51.22-r3 (default-linux/x86/2005.1, gcc-3.3.6, glibc-2.3.5-r2, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Celeron(R) CPU 2.40GHz
Gentoo Base System version 1.6.13
ccache version 2.3 [disabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 arts avi bash-completion berkdb bitmap-fonts crypt curl debug devfs26 eds emboss encode foomaticdb gd gdbm gif gstreamer hardened hardenedphp imagemagick imap imlib jpeg junit kde libg++ mbox memlimit mmx mmx2 motif mp3 mpm-prefork ncurses nls noantlr nobcel nobeanutils nobsh nocommonslogging nocommonsnet nojdepend nojsch nojython nolog4j nooro nopop3d noregexp norhino noxerces ogg oggvorbis opengl oss pam pcre perl php png posix quicktime rtc sasl sdl sse sse2 ssl tcpd tiff truetype truetype-fonts type1 type1-fonts vorbis xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

# emerge -pv apache mod_php

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-www/apache-2.0.54-r31  +apache2 +debug -doc -ldap -mpm-leader -mpm-peruser +mpm-prefork -mpm-threadpool -mpm-worker -no-suexec (-selinux) +ssl -static-modules -threads 0 kB
[ebuild   R   ] dev-php/mod_php-4.4.0-r3  -X +apache2 +berkdb +crypt +curl +debug -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp +hardenedphp +imap -informix -ipv6 -java +jpeg -kerberos -ldap -mcal +memlimit -mssql +mysql +nls -oci8 -odbc +pam +png -postgres -snmp -spell +ssl +tiff +truetype +xml2 -yaz 0 kB

This is the backtrace, which doesn't seem to be much help (maybe because of pax/grsec in the kernel?):

# gdb /usr/sbin/apache2 core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".

Core was generated by `/usr/sbin/apache2 -X -D SSL -D SSL_DEFAULT_VHOST -D PHP4 -d /usr/lib/apache2 -f'.
Program terminated with signal 11, Segmentation fault.
#0  0x45f59bc2 in ?? ()
(gdb) bt
#0  0x45f59bc2 in ?? ()
#1  0xb03221dc in ?? ()
#2  0x4589cb10 in ?? ()
#3  0xb03222e0 in ?? ()
#4  0xb032227c in ?? ()
#5  0x00000000 in ?? ()
#6  0x00000020 in ?? ()
#7  0x1275212c in ?? ()
#8  0x00000000 in ?? ()
#9  0x3df3beb6 in ?? ()
#10 0xb0322188 in ?? ()
#11 0x45b48c16 in ?? ()
#12 0x00000003 in ?? ()
#13 0x461bec50 in ?? ()
#14 0x00000014 in ?? ()
#15 0xb03221b8 in ?? ()
#16 0x45ef74bf in ?? ()
#17 0x00000014 in ?? ()
#18 0xb0324b14 in ?? ()
#19 0x00000000 in ?? ()
#20 0xb03221a4 in ?? ()
#21 0xb0322210 in ?? ()
#22 0x45b87edd in ?? ()
#23 0x00000003 in ?? ()
#24 0xb03221a4 in ?? ()
#25 0x3df3beb6 in ?? ()
#26 0x00000306 in ?? ()
#27 0x00000000 in ?? ()
#28 0x00000000 in ?? ()
#29 0x00067be0 in ap_valid_accept_mutex_string ()
#30 0xb03221f8 in ?? ()
#31 0x45e6530b in ?? ()
#32 0x00000051 in ?? ()
#33 0x00000000 in ?? ()
#34 0x00000000 in ?? ()
#35 0x00000000 in ?? ()
#36 0x0000a000 in ?? ()
#37 0x00000000 in ?? ()
#38 0x00001000 in ?? ()
[..]
#91 0x00067be0 in ap_valid_accept_mutex_string ()
[..]
#1224 0x0006001a in _IO_stdin_used ()
[..]
#1274 0x00020000 in ap_set_etag ()
Previous frame inner to this frame (corrupt stack?)
(gdb)

Used PreFork.
Comment 11 Marcel Meckel 2005-10-16 00:53:55 UTC
I found the error causing these segfaults. It's a specific option in php.ini.

My php.ini -> segfault. Moved php.ini -> default values -> no segfault.

Will narrow it down today and then post the results.
Comment 12 Marcel Meckel 2005-10-16 02:05:39 UTC
Ok, here the final results:

Seems to have something to do with PHP options specified in <VirtualHost> entities.

E.g. a vhost with no php_admin_value lines in it doesn't cause a segfault, but a vhost with php_admin_value session.save_path /foo/bar, for example, does.

Seems only to be the case when Safe Mode is on in php.ini. When Safe Mode is off in php.ini there are no segfaults, even when php_admin_value is used in vhosts.
Comment 13 Romang 2005-10-16 03:35:53 UTC
Hello,

This bug is a duplicate of #107602.

Why is this bug resolved before a real solution has been found?

Regards.
Comment 14 Marcel Meckel 2005-10-16 05:44:00 UTC
Is there a reason why #107602 is private?
Comment 15 Romang 2005-10-16 07:37:31 UTC
Hello,

Yup, because it could be exploited remotely.
Requires FTP access to DoS Apache.

Regards.
Comment 16 Jakub Moc (RETIRED) gentoo-dev 2005-10-22 10:28:44 UTC
(In reply to comment #13)
> Hello,
> 
> This bug is a duplicate bug off #107602

Reopen to dupe it.
Comment 17 Jakub Moc (RETIRED) gentoo-dev 2005-10-22 10:31:50 UTC
Bleh, stupid bugzilla, I'm not allowed to do it; @koon - please mark as a dupe
of Bug 107602.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-10-23 03:02:18 UTC
(In reply to comment #14)
> Is there a reason why #107602 is private?

It was closed at the request of the reporter. This issue is now quite public so
there is no reason to keep it closed, I opened it.

*** This bug has been marked as a duplicate of 107602 ***