Package: apache2-bin
Version: 2.4.25-3+deb9u4
Severity: important
Tags: patch upstream
Dear Maintainer,

We got a lot of such segfaults in error.log, provoked by mod_proxy_fcgi:

[core:notice] [pid 43086:tid 139897736885440] AH00051: child pid 43114 exit signal Segmentation fault (11)

As recommended on https://wiki.apache.org/httpd/PHP-FPM, we use the following PHP-FPM invocation with SetHandler (running mpm_event):

```
<FilesMatch "\.ph(p[3-5]?|tml)$">
    <If "-f %{REQUEST_FILENAME}">
        SetHandler "proxy:unix:/run/fpm-pool-web999-php72.socket|fcgi://localhost"
    </If>
</FilesMatch>
```

Analyzing coredump:

```
$ gdb /usr/sbin/apache2 /tmp/coredump-apache2-11-33-33-43114-1530368206
(...)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
[Current thread is 1 (Thread 0x7f3c54ff9700 (LWP 43741))]
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x000055b25cef8e57 in ap_fcgi_encoded_env_len (env=<optimized out>, maxlen=maxlen@entry=16384, starting_elem=starting_elem@entry=0x7f3c54ff8ae0) at util_fcgi.c:156
#2  0x00007f3c74f4871d in send_environment (request_id=1, temp_pool=0x7f3c49e1c028, r=0x7f3c49e196c0, conn=0x7f3c72bbb0a0) at mod_proxy_fcgi.c:321
#3  fcgi_do_request (p=<optimized out>, origin=0x0, uri=<optimized out>, url=<optimized out>, server_portstr=0x7f3c54ff8b40 "", conf=0x7f3c7ae24490, conn=0x7f3c72bbb0a0, r=0x7f3c49e196c0) at mod_proxy_fcgi.c:848
#4  proxy_fcgi_handler (r=0x7f3c49e196c0, worker=<optimized out>, conf=<optimized out>, url=<optimized out>, proxyname=<optimized out>, proxyport=<optimized out>) at mod_proxy_fcgi.c:968
#5  0x00007f3c751562bc in proxy_run_scheme_handler (r=r@entry=0x7f3c49e196c0, worker=0x7f3c7ad7abf0, conf=conf@entry=0x7f3c7ae2bdd0, url=0x7f3c49e13b08 "fcgi://localhost/var/www/shared/error_docs/400.php", proxyhost=proxyhost@entry=0x0, proxyport=proxyport@entry=0) at mod_proxy.c:2880
#6  0x00007f3c75157231 in proxy_handler (r=0x7f3c49e196c0) at mod_proxy.c:1230
#7  0x000055b25cef1c40 in ap_run_handler (r=r@entry=0x7f3c49e196c0) at config.c:170
#8  0x000055b25cef21d6 in ap_invoke_handler (r=r@entry=0x7f3c49e196c0) at config.c:434
#9  0x000055b25cf090bc in ap_internal_redirect (new_uri=<optimized out>, r=<optimized out>) at http_request.c:765
#10 0x000055b25cedc5b5 in ap_read_request (conn=conn@entry=0x7f3c49e28348) at protocol.c:1285
#11 0x000055b25cf0604d in ap_process_http_async_connection (c=0x7f3c49e28348) at http_core.c:146
#12 ap_process_http_connection (c=0x7f3c49e28348) at http_core.c:248
#13 0x000055b25cefba70 in ap_run_process_connection (c=c@entry=0x7f3c49e28348) at connection.c:42
#14 0x00007f3c755786e8 in process_socket (my_thread_num=<optimized out>, my_child_num=<optimized out>, cs=0x7f3c49e282b8, sock=<optimized out>, p=0x7f3c49e28028, thd=<optimized out>) at event.c:1099
#15 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:2003
#16 0x00007f3c7a3a4494 in start_thread (arg=0x7f3c54ff9700) at pthread_create.c:333
#17 0x00007f3c7a0e6acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
```

The issue was reported upstream, Apache Bug 60275, including a patch: https://bz.apache.org/bugzilla/show_bug.cgi?id=60275

The patch made it into upstream Apache 2.4.26 (see https://www.apache.org/dist/httpd/CHANGES_2.4):

  *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
     modules add empty environment variables to the request. PR 60275.
     [<alex2grad AT gmail.com>]

I have applied the provided patch on apache2_2.4.25-3+deb9u4_amd64 and installed apache2-bin. This resolved the issue 100% (Apache was previously crashing on avg 15 times/h over months; since installing the patched apache2-bin, not a single segfault!).
apache2-2.4.25-pr60275.patch:

```diff
diff -ur apache2-2.4.25/server/util_fcgi.c apache2-2.4.25-patched/server/util_fcgi.c
--- apache2-2.4.25/server/util_fcgi.c 2015-07-20 12:28:13.000000000 +0200
+++ apache2-2.4.25-patched/server/util_fcgi.c 2018-07-01 09:16:08.122664970 +0200
@@ -153,7 +153,11 @@ envlen += keylen; - vallen = strlen(elts[i].val); + if (!elts[i].val) { + vallen = 0; + } else { + vallen = strlen(elts[i].val); + } if (vallen >> 7 == 0) { envlen += 1; @@ -226,7 +230,11 @@ buflen -= 4; } - vallen = strlen(elts[i].val); + if (!elts[i].val) { + vallen = 0; + } else { + vallen = strlen(elts[i].val); + } if (vallen >> 7 == 0) { if (buflen < 1) {
@@ -262,8 +270,10 @@ rv = APR_ENOSPC; /* overflow */ break; } - memcpy(itr, elts[i].val, vallen); - itr += vallen; + if (elts[i].val) { + memcpy(itr, elts[i].val, vallen); + itr += vallen; + } if (buflen == vallen) { (*starting_elem)++;
```

Please try to get this into the next Debian Stretch point release. It seems to be critical, as this bug renders mod_proxy_fcgi unusable for most.

Thanks,
Philip

-- Package-specific info:

-- System Information:
Debian Release: 9.4
  Architecture: amd64 (x86_64)

Kernel: Linux 4.15.17-3-pve (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u3
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2l-2+deb9u3
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u4
ii  zlib1g                   1:1.2.8.dfsg-5

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
pn  apache2-doc                                       <none>
pn  apache2-suexec-pristine | apache2-suexec-custom   <none>
pn  www-browser                                       <none>

Versions of packages apache2-bin is related to:
pn  apache2      <none>
ii  apache2-bin  2.4.25-3+deb9u4

-- no debconf information
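Review bot: the first two hunks of the patch (util_fcgi.c at 153 and at 226) add the identical four-line NULL check, and nothing in the code says why a value can be NULL. Suggest collapsing each to `vallen = elts[i].val ? strlen(elts[i].val) : 0;` with a one-line comment that modules may add entries whose value is NULL (the PR 60275 case), so the next reader does not mistake the check for dead code. The same question applies to `elts[i].key`, whose length feeds the `envlen += keylen;` context line of the first hunk: the patch does not touch it, so it is worth confirming that a NULL key cannot reach this loop.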
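Review bot: in the third hunk (`@@ -262,8 +270,10 @@`) the new `if (elts[i].val)` around the memcpy deserves a comment, because after the earlier hunks vallen is already 0 for a NULL value and the guard looks redundant; it is not, since passing a NULL source to memcpy is undefined behaviour even for a zero-length copy. A comment should also state that skipping `itr += vallen;` changes nothing (vallen is 0 in that branch), so the `if (buflen == vallen)` bookkeeping that follows remains correct; that keeps the length-computing and the encoding hunks in step if either is changed later.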
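As an added illustration of what the patched code computes (this is example code written for this page, not from the bug report or from httpd's util_fcgi.c), the following C program models the FastCGI name-value-pair encoding that ap_fcgi_encoded_env_len() and the encoder in the third hunk perform: each name and value is prefixed by its length, in one byte when below 128 and otherwise in four bytes with the high bit set, which is the `vallen >> 7 == 0` test in the hunks. The function names `encoded_env_len`, `encode_env` and the sample table are this example's own; the table is constructed to contain a NULL value (the PR 60275 case) and a value long enough to need the four-byte length form. Unlike httpd's function, the length helper does not track a resume index for splitting the environment across records.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A request-environment entry as a module might leave it. The value may be
 * NULL (modules adding empty variables, per PR 60275); strlen(NULL) is the
 * crash in the backtrace above. */
typedef struct {
    const char *key;
    const char *val;            /* NULL is treated as the empty string */
} env_entry;

/* FastCGI length prefix: 1 byte below 128, otherwise 4 bytes big-endian
 * with the high bit of the first byte set. */
static size_t len_field_size(size_t n)
{
    return (n >> 7) == 0 ? 1 : 4;
}

static size_t safe_strlen(const char *s)
{
    return s ? strlen(s) : 0;   /* the patched behaviour: NULL -> 0 */
}

/* Bytes needed to encode the whole table, or 0 if that exceeds maxlen. */
size_t encoded_env_len(const env_entry *elts, size_t n, size_t maxlen)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t keylen = safe_strlen(elts[i].key);
        size_t vallen = safe_strlen(elts[i].val);
        total += len_field_size(keylen) + len_field_size(vallen) + keylen + vallen;
        if (total > maxlen)
            return 0;
    }
    return total;
}

static unsigned char *put_len(unsigned char *p, size_t n)
{
    if ((n >> 7) == 0) {
        *p++ = (unsigned char)n;
        return p;
    }
    *p++ = (unsigned char)((n >> 24) | 0x80);
    *p++ = (unsigned char)(n >> 16);
    *p++ = (unsigned char)(n >> 8);
    *p++ = (unsigned char)n;
    return p;
}

/* Encode the table into buf. Returns bytes written, or 0 if buf is too small. */
size_t encode_env(const env_entry *elts, size_t n, unsigned char *buf, size_t buflen)
{
    unsigned char *p = buf;
    if (encoded_env_len(elts, n, buflen) == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t keylen = safe_strlen(elts[i].key);
        size_t vallen = safe_strlen(elts[i].val);
        p = put_len(p, keylen);
        p = put_len(p, vallen);
        if (elts[i].key) {          /* memcpy from NULL is undefined even for */
            memcpy(p, elts[i].key, keylen);   /* zero bytes, hence the guards */
            p += keylen;
        }
        if (elts[i].val) {
            memcpy(p, elts[i].val, vallen);
            p += vallen;
        }
    }
    return (size_t)(p - buf);
}

/* Constructed sample: a normal variable, a NULL value, and a 200-byte value. */
static char longval[201];

static const env_entry *sample_env(size_t *n)
{
    static env_entry t[3] = {
        { "SCRIPT_NAME", "/index.php" },
        { "EMPTY",       NULL },
        { "LONG",        longval },
    };
    memset(longval, 'a', 200);
    longval[200] = '\0';
    *n = 3;
    return t;
}

size_t sample_env_len(void)
{
    size_t n;
    const env_entry *t = sample_env(&n);
    return encoded_env_len(t, n, 16384);   /* maxlen as in the backtrace */
}

size_t sample_encode(unsigned char *buf, size_t buflen)
{
    size_t n;
    const env_entry *t = sample_env(&n);
    return encode_env(t, n, buf, buflen);
}

int main(void)
{
    unsigned char buf[512];
    printf("encoded %zu bytes (computed %zu)\n",
           sample_encode(buf, sizeof buf), sample_env_len());
    return 0;
}
```

Running it encodes the three entries into 239 bytes: 23 for SCRIPT_NAME, 7 for the NULL-valued EMPTY (its value length byte is 0 and nothing is copied), and 209 for LONG, whose 200-byte value takes the four-byte length prefix 0x80 0x00 0x00 0xC8. Removing the NULL check in `safe_strlen` reproduces the page's crash class on the second entry.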