http://issues.apache.org/bugzilla/show_bug.cgi?id=27751 Segmentation Fault in shmcb_cyclic_cton_memcpy Summary: Segmentation Fault in shmcb_cyclic_cton_memcpy Product: Apache httpd-2.0 Version: 2.0.48 Platform: PC OS/Version: Linux Status: NEW Severity: Critical Priority: Other Component: mod_ssl AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] Here is the backtrace: Program ran under gdb with set args -X -f conf/leakd.conf Thread 17 Stack Trace: *** Begin Stack Frame #0 0x403079a7 in memcpy () from /lib/libc.so.6 #1 0x40404661 in shmcb_cyclic_cton_memcpy (buf_size=7190, dest=0xbdbfcd2c "0\201\221\002\001\001\002\002\003\001\004\002", data=0x4048ebea "\0040èË´ëR\222Á3ÿÓ\001àM¯\236ðg\222ë[ù%·ýÆ-f3z ) ÷\023JÌá\233=", src_offset=6402, src_len=10240) at ssl_scache_shmcb.c:915 #2 0x404052cb in shmcb_remove_session_id (s=0x80e2a98, queue=0xbdbff58c, cache=0xbdbff57c, id=0x82708f8 "\177ÉÁvL|\0066=<{w%BQ.øºIÉnÝ7ü\001&\017sI)\224\002 ", idlen=32) at ssl_scache_shmcb.c:1338 #3 0x40404527 in shmcb_remove_session (s=0x80e2a98, shm_segment=0x40452000, id=0x82708f8 "\177ÉÁvL|\0066=<{w%BQ.øºIÉnÝ7ü\001&\017sI)\224\002 ", idlen=32) at ssl_scache_shmcb.c:819 #4 0x40403a2b in ssl_scache_shmcb_remove (s=0x80e2a98, id=0x82708f8 "\177ÉÁvL|\0066=<{w%BQ.øºIÉnÝ7ü\001&\017sI)\224\002 ", idlen=32) at ssl_scache_shmcb.c:477 #5 0x4040291c in ssl_scache_remove (s=0x80e2a98, id=0x82708f8 "\177ÉÁvL|\0066=<{w%BQ.øºIÉnÝ7ü\001&\017sI)\224\002 ", idlen=32) at ssl_scache.c:158 #6 0x403fcfc3 in ssl_callback_DelSessionCacheEntry (ctx=0x80de048, session=0x82708b0) at ssl_engine_kernel.c:1742 #7 0x40042f1b in timeout () from /lib/libssl.so.2 #8 0x400b1d60 in lh_doall_arg () from /lib/libcrypto.so.2 #9 0x40042fa0 in SSL_CTX_flush_sessions () from /lib/libssl.so.2 #10 0x40040691 in ssl_update_cache () from /lib/libssl.so.2 #11 0x4003270f in ssl3_accept () from /lib/libssl.so.2 #12 0x4003f340 in SSL_accept () from /lib/libssl.so.2 #13 0x4003bfe8 in ssl23_get_client_hello () from /lib/libssl.so.2 
#14 0x4003b7f5 in ssl23_accept () from /lib/libssl.so.2 #15 0x4003f340 in SSL_accept () from /lib/libssl.so.2 #16 0x403fa2f9 in ssl_io_filter_connect (filter_ctx=0x82313d8) at ssl_engine_io.c:1070 #17 0x403fa664 in ssl_io_filter_input (f=0x82b82d0, bb=0x82a8f28, mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0) at ssl_engine_io.c:1239 #18 0x0807218e in ap_get_brigade (next=0x82b82d0, bb=0x82a8f28, mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0) at util_filter.c:514 #19 0x0807218e in ap_get_brigade (next=0x82a8ec8, bb=0x82a8f28, mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0) at util_filter.c:514 #20 0x08072f93 in ap_rgetline_core (s=0x82a82b8, n=8192, read=0xbdbff9d8, r=0x82a82a0, fold=0, bb=0x82a8f28) at protocol.c:256 #21 0x08073455 in read_request_line (r=0x82a82a0, bb=0x82a8f28) at protocol.c:623 #22 0x080739d7 in ap_read_request (conn=0x8231060) at protocol.c:900 #23 0x080608db in ap_process_http_connection (c=0x8231060) at http_core.c:312 #24 0x0807060a in ap_run_process_connection (c=0x8231060) at connection.c:85 #25 0x08065916 in process_socket (p=0x8230f38, sock=0x8230f70, my_child_num=0, my_thread_num=13, bucket_alloc=0x825d100) at worker.c:632 #26 0x08065f0a in worker_thread (thd=0x80fde88, dummy=0x812bc88) at worker.c:946 #27 0x401f5090 in dummy_worker (opaque=0x80fde88) at thread.c:127 #28 0x40205f77 in pthread_start_thread () from /lib/libpthread.so.0 ***End of Stack Frame Info Threads: 29 Thread 27676 (LWP 1526) 0x40360b60 in poll () from /lib/libc.so.6 18 - 28 in sigsuspend () from /lib/libc.so.6 * 17 Thread 15376 (LWP 1514) 0x403079a7 in memcpy () from /lib/libc.so.6 3 - 16 in sigsuspend () from /lib/libc.so.6 2 Thread 2049 (LWP 1499) 0x40360b60 in poll () from /lib/libc.so.6 1 Thread 1024 (LWP 1492) 0x402b4136 in sigsuspend () from /lib/libc.so.6 CPU Registers: eax 0x24ec 9452 ecx 0x36 54 edx 0xbdbfd040 -1111502784 ebx 0x4041089c 1078003868 esp 0xbdbfcc9c 0xbdbfcc9c ebp 0xbdbfccd4 0xbdbfccd4 esi 0x40490ffe 1078530046 edi 
0xbdbff454 -1111493548 eip 0x40404661 0x40404661 eflags 0x202 514 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 fctrl 0x37f 895 fstat 0x20 32 ftag 0xffff 65535 fiseg 0x23 35 fioff 0x400b2af8 1074473720 foseg 0x2b 43 fooff 0x40101950 1074796880 fop 0x5d8 1496 xmm0 {f = {0x0, 0x0, 0x0, 0x0}} {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}} xmm1-xmm7 the same as xmm0 mxcsr 0x1f80 8064 orig_eax 0xffffffff -1 function where issue is located: 901 static void shmcb_cyclic_cton_memcpy( 902 unsigned int buf_size, 903 unsigned char *dest, 904 unsigned char *data, 905 unsigned int src_offset, 906 unsigned int src_len) 907 { 908 /* Can it be copied all in one go? */ 909 if (src_offset + src_len < buf_size) 910 /* yes */ 911 memcpy(dest, data + src_offset, src_len); 912 else { 913 /* no */ 914 memcpy(dest, data + src_offset, buf_size - src_offset); *915 memcpy(dest + buf_size - src_offset, data, 916 src_len + src_offset - buf_size); (gdb) print dest + buf_size - src_offset $57 = (unsigned char *) 0xfffff4ee <Address 0xfffff4ee out of bounds> (gdb) print src_len + src_offset - buf_size $58 = 2071963774 (gdb) 917 } 918 return; 919 } Frame Information [frame 1]: #1 0x40404661 in shmcb_cyclic_cton_memcpy ( buf_size=7190, dest=0xbdbfcd2c "0\201\221\002\001\001\002\002\003\001\004\002", data=0x4048ebea "\0040èË´ëR\222Á3ÿÓ\001àM¯\236ðg\222ë[ù%·ýÆ-f3z ) ÷\023JÌá\233=", src_offset=6402, src_len=10240 ) at ssl_scache_shmcb.c:915 915 memcpy(dest + buf_size - src_offset, data, 916 src_len + src_offset - buf_size); Variables in the Frame context: (gdb) print buf_size $49 = 7190 (gdb) print dest $51 = (unsigned char *) 0xbdbfcd2c "0\201\221\002\001\001\002\002\003\001\004 \002" (gdb) print data $53 = (unsigned char *) 0x4048ebea "\0040èË´ëR\222Á3ÿÓ\001àM¯\236ðg\222ë[ù%·ýÆ- f3z )÷\023JÌá\233=" (gdb) print src_offset $55 = 3183473748 (gdb) print &src_offset Address requested for identifier "src_offset" which is in register $edi (gdb) print src_len $56 = 
3183464512 (gdb) print &src_len Address requested for identifier "src_len" which is in register $edx (gdb) info register edi edx edi 0xbdbff454 -1111493548 edx 0xbdbfd040 -1111502784 These variable values do not appear to be valid based on the stack trace: src_offset = 3183473748 location register edi=0xbdbff454 -1111493548 src_len = 3183464512 location register edx=0xbdbfd040 -1111502784 The stack trace shows these are supposed to be: src_offset=6402 src_len=10240 With buf_size=7190, these frame values give src_len + src_offset - buf_size = 9452, which equals eax (0x24ec) in the register dump, so they appear to be the values actually used; note that src_len (10240) is larger than buf_size (7190). Here is the conf file: # Custom config file for memory leak test ServerRoot "/usr/webserver" PidFile logs/httpd.pid Timeout 300 KeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 15 <IfModule worker.c> StartServers 1 MaxClients 25 MinSpareThreads 25 MaxSpareThreads 25 ThreadsPerChild 25 ServerLimit 1 MaxRequestsPerChild 0 </IfModule> <IfModule perchild.c> NumServers 5 StartThreads 5 MinSpareThreads 5 MaxSpareThreads 10 MaxThreadsPerChild 20 MaxRequestsPerChild 0 </IfModule> <IfModule mpm_winnt.c> ThreadsPerChild 250 MaxRequestsPerChild 0 </IfModule> LoadModule access_module modules/mod_access.so LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so LoadModule cgi_module modules/mod_cgi.so LoadModule dir_module modules/mod_dir.so LoadModule env_module modules/mod_env.so LoadModule imap_module modules/mod_imap.so LoadModule log_config_module modules/mod_log_config.so LoadModule mime_module modules/mod_mime.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_connect_module modules/mod_proxy_connect.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule headers_module modules/mod_headers.so LoadModule ssl_module modules/mod_ssl.so LoadModule status_module modules/mod_status.so <IfModule !mpm_winnt.c> # # If you wish httpd to run as a different user or group, you must run # httpd as root 
initially and it will switch. # User leakd Group leakd </IfModule> UseCanonicalName Off <Directory /> Options FollowSymLinks AllowOverride None #IP_RESTRICTION_BLOCK </Directory> DirectoryIndex index.html index.htm index.php <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> TypesConfig conf/mime.types DefaultType text/plain <IfModule mod_mime_magic.c> MIMEMagicFile conf/magic </IfModule> HostnameLookups Off ErrorLog /usr/webserver/logs/error_log LogLevel error LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent CustomLog /usr/webserver/logs/access_log common ServerTokens min ServerSignature Off ScriptAlias /cgi-bin/ "/usr/webserver/cgi-bin/" AddEncoding x-compress Z AddEncoding x-gzip gz tgz AddLanguage da .dk AddLanguage nl .nl AddLanguage en .en AddLanguage et .et AddLanguage fr .fr AddLanguage de .de AddLanguage he .he AddLanguage el .el AddLanguage it .it AddLanguage ja .ja AddLanguage pl .po AddLanguage ko .ko AddLanguage pt .pt AddLanguage nn .nn AddLanguage no .no AddLanguage pt-br .pt-br AddLanguage ltz .ltz AddLanguage ca .ca AddLanguage es .es AddLanguage sv .sv AddLanguage cz .cz AddLanguage ru .ru AddLanguage tw .tw AddLanguage zh-tw .tw AddLanguage hr .hr LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw ForceLanguagePriority Prefer Fallback AddDefaultCharset ISO-8859-1 AddCharset ISO-8859-1 .iso8859-1 .latin1 AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen AddCharset ISO-8859-3 .iso8859-3 .latin3 AddCharset ISO-8859-4 .iso8859-4 .latin4 AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk AddCharset ISO-2022-JP .iso2022-jp .jis AddCharset ISO-2022-KR .iso2022-kr .kis AddCharset ISO-2022-CN 
.iso2022-cn .cis AddCharset Big5 .Big5 .big5 # For russian, more than one charset is used (depends on client, mostly): AddCharset WINDOWS-1251 .cp-1251 .win-1251 AddCharset CP866 .cp866 AddCharset KOI8-r .koi8-r .koi8-ru AddCharset KOI8-ru .koi8-uk .ua AddCharset ISO-10646-UCS-2 .ucs2 AddCharset ISO-10646-UCS-4 .ucs4 AddCharset UTF-8 .utf8 AddCharset GB2312 .gb2312 .gb AddCharset utf-7 .utf7 AddCharset utf-8 .utf8 AddCharset big5 .big5 .b5 AddCharset EUC-TW .euc-tw AddCharset EUC-JP .euc-jp AddCharset EUC-KR .euc-kr AddCharset shift_jis .sjis AddType application/x-tar .tgz AddType image/x-icon .ico AddType application/x-httpd-php .php AddType text/html .tpl AddHandler cgi-script cgi exe jpq BrowserMatch "Mozilla/2" nokeepalive BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect- carefully BrowserMatch "^WebDrive" redirect-carefully BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully BrowserMatch "^gnome-vfs" redirect-carefully <IfModule mod_proxy.c> ProxyRequests Off <Proxy *> Order deny,allow Deny from all Allow from all </Proxy> ProxyVia On </IfModule> <IfModule mod_rewrite.c> RewriteEngine On </IfModule> listen 127.0.0.1:9200 <VirtualHost 127.0.0.1:9200> ServerName 127.0.0.1:9200 DocumentRoot "/usr/webserver/isdocs" <Directory "/usr/webserver/isdocs"> Options MultiViews Options +FollowSymLinks AllowOverride None </Directory> RewriteEngine On RewriteRule ^/login.htm /red9200.html RewriteMap map1 txt:/usr/webserver/conf/musiclist.map RewriteCond %{REQUEST_URI} ^/([^/]+).* RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] RewriteCond %{REQUEST_URI} ^/Music/LookupTag/(.*) RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] RewriteCond %{REQUEST_URI} ^/Music/MusicTag/(.*)RewriteCond ${map1:%1|NONE} 
^ (http.*) [NC] RewriteRule ^(/.*) %1$1 [P] ProxyPreserveHost on Header set Server: JKPHTTPServer/9.9 <Location /statusreport> SetHandler server-status </Location> </VirtualHost> listen 172.25.54.114:9200 <VirtualHost 172.25.54.114:9200> ServerName 172.25.54.114:9200 DocumentRoot "/usr/webserver/isdocs" <Directory "/usr/webserver/isdocs"> Options MultiViews Options +FollowSymLinks AllowOverride None </Directory> RewriteEngine On RewriteRule ^/login.htm /red9200.html RewriteMap map1 txt:/usr/webserver/conf/musiclist.map RewriteCond %{REQUEST_URI} ^/([^/]+).* RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] RewriteCond %{REQUEST_URI} ^/Music/LookupTag/(.*) RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] RewriteCond %{REQUEST_URI} ^/Music/MusicTag/(.*) RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] ProxyPreserveHost on Header set Server: HTTPServer/9.9 <Location /statusreport> SetHandler server-status </Location> </VirtualHost> AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin #SSLSessionCache dbm:logs/ssl_scache #SSLSessionCache none SSLSessionCache shmcb:logs/scache(256000) SSLMutex file:logs/ssl_mutex SSLSessionCacheTimeout 300 SSLRandomSeed startup builtin SSLRandomSeed connect builtin listen 127.0.0.1:9201 <VirtualHost 127.0.0.1:9201> ServerName 127.0.0.1:9201 DocumentRoot "/usr/webserver/htdocs" <Directory "/usr/webserver/htdocs"> Options +MultiViews AllowOverride None </Directory> <Directory "/usr/webserver/cgi-bin"> Options +MultiViews AllowOverride None </Directory> <Location /statusreport> SetHandler server-status </Location> RewriteEngine On RewriteMap map1 txt:/usr/webserver/conf/musiclist.map RewriteCond %{REQUEST_URI} ^/([^/]+).* RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] RewriteCond %{REQUEST_URI} ^/Music/LookupTag/(.*) RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] RewriteCond 
%{REQUEST_URI} ^/Music/MusicTag/(.*) RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] ProxyPreserveHost on SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /usr/webserver/conf/cert.pem SSLCertificateKeyFile /usr/webserver/conf/file.pem <Files ~ "\.(jpq|exe|cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/usr/webserver/cgi-bin"> SSLOptions +StdEnvVars </Directory> Alias /myhelp "/usr/webserver/help" <Directory "/usr/webserver/help"> Options ExecCGI MultiViews AllowOverride None Order allow,deny Allow from all SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost> listen 172.25.54.114:9201 <VirtualHost 172.25.54.114:9201> ServerName 172.25.54.114:9201 DocumentRoot "/usr/webserver/htdocs" <Directory "/usr/webserver/htdocs"> Options +MultiViews AllowOverride None </Directory> <Directory "/usr/webserver/cgi-bin"> Options +MultiViews AllowOverride None </Directory> <Location /statusreport> SetHandler server-status </Location> RewriteEngine On RewriteMap map1 txt:/usr/webserver/conf/musiclist.map RewriteCond %{REQUEST_URI} ^/([^/]+).* RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] RewriteCond %{REQUEST_URI} ^/Music/LookupTag/(.*) RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] RewriteCond %{REQUEST_URI} ^/Music/MusicTag/(.*) RewriteCond ${map1:%1|NONE} ^(http.*) [NC] RewriteRule ^(/.*) %1$1 [P] ProxyPreserveHost on SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /usr/webserver/conf/cert.pem SSLCertificateKeyFile /usr/webserver/conf/file.pem <Files ~ "\.(jpq|exe|cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/usr/webserver/cgi-bin"> SSLOptions +StdEnvVars </Directory> Alias /myhelp "/usr/webserver/help" <Directory "/usr/webserver/help"> 
Options ExecCGI MultiViews AllowOverride None Order allow,deny Allow from all SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost>
