Philip Iezzi
2018-07-03 09:53:41 UTC
Package: apache2-bin
Version: 2.4.25-3+deb9u4
Severity: important
Tags: patch upstream
Dear Maintainer,
We got a lot of such segfaults in error.log, provoked by mod_proxy_fcgi:
[core:notice] [pid 43086:tid 139897736885440] AH00051: child pid 43114 exit signal Segmentation fault (11)
As recommended on https://wiki.apache.org/httpd/PHP-FPM, we use the following PHP-FPM invocation with SetHandler (running mpm_event):
```
<FilesMatch "\.ph(p[3-5]?|tml)$">
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:/run/fpm-pool-web999-php72.socket|fcgi://localhost"
</If>
</FilesMatch>
```
Analyzing coredump:
```
$ gdb /usr/sbin/apache2 /tmp/coredump-apache2-11-33-33-43114-1530368206
(...)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
[Current thread is 1 (Thread 0x7f3c54ff9700 (LWP 43741))]
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x000055b25cef8e57 in ap_fcgi_encoded_env_len (env=<optimized out>, maxlen=maxlen@entry=16384, starting_elem=starting_elem@entry=0x7f3c54ff8ae0) at util_fcgi.c:156
#2 0x00007f3c74f4871d in send_environment (request_id=1, temp_pool=0x7f3c49e1c028, r=0x7f3c49e196c0, conn=0x7f3c72bbb0a0) at mod_proxy_fcgi.c:321
#3 fcgi_do_request (p=<optimized out>, origin=0x0, uri=<optimized out>, url=<optimized out>, server_portstr=0x7f3c54ff8b40 "", conf=0x7f3c7ae24490, conn=0x7f3c72bbb0a0, r=0x7f3c49e196c0) at mod_proxy_fcgi.c:848
#4 proxy_fcgi_handler (r=0x7f3c49e196c0, worker=<optimized out>, conf=<optimized out>, url=<optimized out>, proxyname=<optimized out>, proxyport=<optimized out>) at mod_proxy_fcgi.c:968
#5 0x00007f3c751562bc in proxy_run_scheme_handler (r=r@entry=0x7f3c49e196c0, worker=0x7f3c7ad7abf0, conf=conf@entry=0x7f3c7ae2bdd0,
url=0x7f3c49e13b08 "fcgi://localhost/var/www/shared/error_docs/400.php", proxyhost=proxyhost@entry=0x0, proxyport=proxyport@entry=0) at mod_proxy.c:2880
#6 0x00007f3c75157231 in proxy_handler (r=0x7f3c49e196c0) at mod_proxy.c:1230
#7 0x000055b25cef1c40 in ap_run_handler (r=r@entry=0x7f3c49e196c0) at config.c:170
#8 0x000055b25cef21d6 in ap_invoke_handler (r=r@entry=0x7f3c49e196c0) at config.c:434
#9 0x000055b25cf090bc in ap_internal_redirect (new_uri=<optimized out>, r=<optimized out>) at http_request.c:765
#10 0x000055b25cedc5b5 in ap_read_request (conn=conn@entry=0x7f3c49e28348) at protocol.c:1285
#11 0x000055b25cf0604d in ap_process_http_async_connection (c=0x7f3c49e28348) at http_core.c:146
#12 ap_process_http_connection (c=0x7f3c49e28348) at http_core.c:248
#13 0x000055b25cefba70 in ap_run_process_connection (c=c@entry=0x7f3c49e28348) at connection.c:42
#14 0x00007f3c755786e8 in process_socket (my_thread_num=<optimized out>, my_child_num=<optimized out>, cs=0x7f3c49e282b8, sock=<optimized out>, p=0x7f3c49e28028, thd=<optimized out>) at event.c:1099
#15 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:2003
#16 0x00007f3c7a3a4494 in start_thread (arg=0x7f3c54ff9700) at pthread_create.c:333
#17 0x00007f3c7a0e6acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
```
The issue was reported upstream, Apache Bug 60275, including a patch:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60275
The patch made it into upstream Apache 2.4.26 (see https://www.apache.org/dist/httpd/CHANGES_2.4):
*) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
modules add empty environment variables to the request. PR 60275.
[<alex2grad AT gmail.com>]
I have applied the provided patch on apache2_2.4.25-3+deb9u4_amd64 and installed apache2-bin. This resolved the issue 100% (Apache was previously crashing on average 15 times/h over months; since installing the patched apache2-bin there has not been a single segfault!).
apache2-2.4.25-pr60275.patch:
```diff
diff -ur apache2-2.4.25/server/util_fcgi.c apache2-2.4.25-patched/server/util_fcgi.c
--- apache2-2.4.25/server/util_fcgi.c 2015-07-20 12:28:13.000000000 +0200
+++ apache2-2.4.25-patched/server/util_fcgi.c 2018-07-01 09:16:08.122664970 +0200
@@ -153,7 +153,11 @@
envlen += keylen;
- vallen = strlen(elts[i].val);
+ if (!elts[i].val) {
+ vallen = 0;
+ } else {
+ vallen = strlen(elts[i].val);
+ }
if (vallen >> 7 == 0) {
envlen += 1;
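Review bot: the new branch sets `vallen = 0` for a NULL `elts[i].val`, so a missing value is accounted for exactly like an empty string and the `vallen >> 7 == 0` test below still reserves one length byte for it. That is only correct if ap_fcgi_encode_env makes the same decision, since the length computed here is what the caller sizes its buffer from; a one-line comment stating that NULL is deliberately encoded as an empty value (rather than the pair being skipped) would make that contract explicit for the next reader.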
@@ -226,7 +230,11 @@
buflen -= 4;
}
- vallen = strlen(elts[i].val);
+ if (!elts[i].val) {
+ vallen = 0;
+ } else {
+ vallen = strlen(elts[i].val);
+ }
if (vallen >> 7 == 0) {
if (buflen < 1) {
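Review bot: this repeats the NULL check from ap_fcgi_encoded_env_len verbatim, and the two copies must stay identical or the precomputed length and the bytes actually emitted will diverge. Consider collapsing the four-line if/else into `vallen = elts[i].val ? strlen(elts[i].val) : 0;` at both sites, or moving it into a small static helper, so the invariant is harder to break in a later edit.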
@@ -262,8 +270,10 @@
rv = APR_ENOSPC; /* overflow */
break;
}
- memcpy(itr, elts[i].val, vallen);
- itr += vallen;
+ if (elts[i].val) {
+ memcpy(itr, elts[i].val, vallen);
+ itr += vallen;
+ }
if (buflen == vallen) {
(*starting_elem)++;
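Review bot: the `if (elts[i].val)` guard around the memcpy looks redundant at first glance, since vallen is already 0 for a NULL value, but it is needed: calling memcpy with a NULL source is undefined behaviour even for a zero length, and compilers optimise on that assumption. A short comment saying so would stop someone from "simplifying" the guard away later. The unchanged `if (buflen == vallen)` that follows still runs with vallen == 0, which is harmless, but the buflen bookkeeping it depends on is outside this hunk and worth checking in the full file.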
```
Please try to get this into the next Debian Stretch point release. It seems to be critical as this bug renders mod_proxy_fcgi unusable for most.
Thanks,
Philip
-- Package-specific info:
-- System Information:
Debian Release: 9.4
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.17-3-pve (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2-bin depends on:
ii libapr1 1.5.2-5
ii libaprutil1 1.5.4-3
ii libaprutil1-dbd-sqlite3 1.5.4-3
ii libaprutil1-ldap 1.5.4-3
ii libc6 2.24-11+deb9u3
ii libldap-2.4-2 2.4.44+dfsg-5+deb9u1
ii liblua5.2-0 5.2.4-1.1+b2
ii libnghttp2-14 1.18.1-1
ii libpcre3 2:8.39-3
ii libssl1.0.2 1.0.2l-2+deb9u3
ii libxml2 2.9.4+dfsg1-2.2+deb9u2
ii perl 5.24.1-3+deb9u4
ii zlib1g 1:1.2.8.dfsg-5
apache2-bin recommends no packages.
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin is related to:
pn apache2 <none>
ii apache2-bin 2.4.25-3+deb9u4
-- no debconf information
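The crash above comes from running strlen() on an environment value that a module left as NULL, inside the code that sizes and then writes the FastCGI name-value pairs. The following is an added example, not code from Apache httpd, Debian or the reporter: a small stand-alone re-implementation of that length accounting and encoding (the FastCGI rule that a length below 128 takes one byte and anything larger takes four with the high bit set), with the NULL handling from the PR 60275 patch applied at both the sizing and the writing step, plus a decoder to confirm the two agree. All names (fcgi_pair, env_encoded_len, env_encode, env_decode_count, sample_env, sample_roundtrip) are hypothetical, and the sample environment is constructed here; its NULL entry stands in for the empty variable that triggered the segfault.

```c
/* Added example: NULL-safe FastCGI name-value pair sizing and encoding.
 * Hypothetical names; not Apache's util_fcgi.c. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    const char *key;
    const char *val;   /* may be NULL when a module added an empty variable */
} fcgi_pair;

/* FastCGI length prefix: 1 byte if the length is < 128, else 4 bytes with bit 7 set. */
static size_t len_field_size(size_t n) { return (n >> 7) == 0 ? 1 : 4; }

/* The PR 60275 fix: a NULL value is treated as an empty string instead of crashing. */
static size_t val_len(const char *v) { return v ? strlen(v) : 0; }

/* Bytes needed to encode all pairs (analogue of ap_fcgi_encoded_env_len). */
size_t env_encoded_len(const fcgi_pair *elts, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t keylen = strlen(elts[i].key);
        size_t vallen = val_len(elts[i].val);
        total += len_field_size(keylen) + len_field_size(vallen) + keylen + vallen;
    }
    return total;
}

static unsigned char *put_len(unsigned char *p, size_t n)
{
    if ((n >> 7) == 0) { *p++ = (unsigned char)n; return p; }
    *p++ = (unsigned char)((n >> 24) | 0x80);
    *p++ = (unsigned char)(n >> 16);
    *p++ = (unsigned char)(n >> 8);
    *p++ = (unsigned char)n;
    return p;
}

/* Encode into buf; returns bytes written, or 0 if buf cannot hold everything
 * (analogue of ap_fcgi_encode_env, which reports APR_ENOSPC instead). */
size_t env_encode(const fcgi_pair *elts, size_t n, unsigned char *buf, size_t buflen)
{
    if (env_encoded_len(elts, n) > buflen) return 0;
    unsigned char *p = buf;
    for (size_t i = 0; i < n; i++) {
        size_t keylen = strlen(elts[i].key);
        size_t vallen = val_len(elts[i].val);   /* same rule as in env_encoded_len */
        p = put_len(p, keylen);
        p = put_len(p, vallen);
        memcpy(p, elts[i].key, keylen); p += keylen;
        if (elts[i].val) {   /* memcpy from a NULL source is UB even for 0 bytes */
            memcpy(p, elts[i].val, vallen); p += vallen;
        }
    }
    return (size_t)(p - buf);
}

/* Walk an encoded buffer and count well-formed pairs; returns 0 if any length
 * runs past the end of the buffer (the check a receiving FastCGI server makes). */
size_t env_decode_count(const unsigned char *buf, size_t len)
{
    size_t pos = 0, count = 0;
    while (pos < len) {
        size_t lens[2];
        for (int k = 0; k < 2; k++) {
            if (pos >= len) return 0;
            if (buf[pos] & 0x80) {
                if (len - pos < 4) return 0;
                lens[k] = ((size_t)(buf[pos] & 0x7f) << 24) | ((size_t)buf[pos + 1] << 16)
                        | ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
                pos += 4;
            } else {
                lens[k] = buf[pos++];
            }
        }
        if (len - pos < lens[0] + lens[1]) return 0;
        pos += lens[0] + lens[1];
        count++;
    }
    return count;
}

/* Constructed sample: a normal pair, a NULL value (the crash trigger), an empty
 * string, and a 200-byte value that needs the 4-byte length form. */
#define SAMPLE_N 4
static char long_val[201];
static size_t sample_env(fcgi_pair *out)
{
    memset(long_val, 'a', 200); long_val[200] = '\0';
    out[0] = (fcgi_pair){"SCRIPT_FILENAME", "/var/www/shared/error_docs/400.php"};
    out[1] = (fcgi_pair){"REDIRECT_STATUS", NULL};
    out[2] = (fcgi_pair){"QUERY_STRING", ""};
    out[3] = (fcgi_pair){"HTTP_X_LONG", long_val};
    return SAMPLE_N;
}

/* Size, encode and decode the sample; returns bytes written, or 0 on any mismatch. */
size_t sample_roundtrip(void)
{
    fcgi_pair env[SAMPLE_N];
    unsigned char buf[512];
    size_t n = sample_env(env);
    size_t need = env_encoded_len(env, n);
    size_t written = env_encode(env, n, buf, sizeof buf);
    if (written == 0 || written != need) return 0;
    if (env_decode_count(buf, written) != n) return 0;
    return written;
}

int main(void)
{
    printf("sample environment encoded in %zu bytes\n", sample_roundtrip());
    return 0;
}
```

The point of carrying the same val_len() rule through both env_encoded_len and env_encode is the one the patch relies on: the buffer is sized from the first function, so the second must emit exactly that many bytes, and the memcpy guard is what keeps the zero-length NULL case from being undefined behaviour.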