https://bz.apache.org/bugzilla/show_bug.cgi?id=69841
Bug ID: 69841
Summary: "double free or corruption" with mod_socache_dbm (socache_dbm_retrieve() + database_cleanup())
Product: Apache httpd-2
Version: 2.4.65
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_socache_(dbm|dc|memcache|shmcb)
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 40113
--> https://bz.apache.org/bugzilla/attachment.cgi?id=40113&action=edit
"bt full" of one of the crashing processes
I have MariaDB DBD lookup configured for authentication. Whenever Apache tries
to retrieve a successful authentication result from socache, the affected
processes crash (usually three at a time).
Config:
AuthnCacheSOCache dbm:/run/apache2/socache/socache-dbm-authn-socache
DBDriver mysql
DBDParams sock=/run/mysql/test/mysql.sock,dbname=mydbname,user=myuser,pass=mypassword
<Location ~ "^/mail/">
    AuthType Basic
    AuthName "Email"
    AuthBasicProvider socache dbd
    AuthnCacheProvideFor dbd
    AuthnCacheContext mydbname
    AuthDBDUserPWQuery 'SELECT REGEXP_REPLACE(password, "{.+}", "") FROM mailbox WHERE username = %s'
    Require valid-user
</Location>
Apache acts as a reverse proxy here, but in this case I don't think it's
important.
Errors in the log:
double free or corruption (out)
double free or corruption (out)
[core:notice] [pid 1:tid 1] AH00052: child pid 7 exit signal Abort (6)
[core:notice] [pid 1:tid 1] AH00052: child pid 8 exit signal Abort (6)
[core:notice] [pid 1:tid 1] AH00052: child pid 9 exit signal Segmentation fault (11)
[mpm_event:warn] [pid 1:tid 1] AH10392: children are killed successively!
Backtrace:
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007f2d23fbbe33 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89
#2 0x00007f2d23f607b6 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f2d23f4734b in __GI_abort () at abort.c:77
#4 0x00007f2d23f483ad in __libc_message_impl (fmt=fmt@entry=0x7f2d240dc35d "%s\n") at ../sysdeps/posix/libc_fatal.c:138
#5 0x00007f2d23fc6b77 in malloc_printerr (str=str@entry=0x7f2d240df538 "double free or corruption (!prev)") at malloc.c:5879
#6 0x00007f2d23fc8bdc in _int_free_merge_chunk (av=av@entry=0x7f2c8c000030, p=p@entry=0x7f2c8c005cf0, size=size@entry=5232) at malloc.c:4767
#7 0x00007f2d23fc8f60 in _int_free_chunk (av=0x7f2c8c000030, p=0x7f2c8c005cf0, size=5232, have_lock=<optimized out>, have_lock@entry=0) at malloc.c:4714
#8 0x00007f2d23fcbee4 in __GI___libc_free (mem=<optimized out>) at malloc.c:3556
#9 0x00007f2d2417d704 in database_cleanup (data=0x7f2c8c005d00) at dbm/sdbm/sdbm.c:81
#10 0x00007f2d23453f30 in socache_dbm_retrieve (ctx=0x5586aca01c80, s=0x5586aca5d8f0, id=0x7f2c88012210 "mydatabase:[email protected]", idlen=22, dest=0x7f2d1eb1c940 "\350U\235\254\206U", destlen=0x7f2d1eb1c93c, p=0x7f2c8801bea8) at /usr/src/debug/httpd-2.4.65/modules/cache/mod_socache_dbm.c:361
#11 0x00007f2d2345b1aa in check_password (r=0x7f2c8801bf20, user=0x7f2c88012200 "[email protected]", password=0x7f2c880121e7 "mypassword") at /usr/src/debug/httpd-2.4.65/modules/aaa/mod_authn_socache.c:377
#12 0x00007f2d2346c955 in authenticate_basic_user (r=0x7f2c8801bf20) at /usr/src/debug/httpd-2.4.65/modules/aaa/mod_auth_basic.c:375
#13 0x00005586a6be19b0 in ap_run_check_user_id (r=r@entry=0x7f2c8801bf20) at server/request.c:84
#14 0x00005586a6beb838 in ap_process_request_internal (r=0x7f2c8801bf20) at server/request.c:342
#15 0x00005586a6c100b8 in ap_process_async_request (r=0x7f2c8801bf20) at modules/http/http_request.c:450
#16 0x00005586a6c1027c in ap_process_request (r=<optimized out>) at modules/http/http_request.c:487
#17 0x00007f2d234b68e8 in c2_process (conn_ctx=0x7f2c880050f0, c=0x7f2c88004d70) at /usr/src/debug/httpd-2.4.65/modules/http2/h2_c2.c:790
#18 h2_c2_hook_process (c=0x7f2c88004d70) at /usr/src/debug/httpd-2.4.65/modules/http2/h2_c2.c:907
#19 0x00005586a6beecd0 in ap_run_process_connection (c=c@entry=0x7f2c88004d70) at server/connection.c:42
#20 0x00007f2d234cbd6f in h2_c2_process (c2=0x7f2c88004d70, thread=0x5586acd1e100, worker_id=<optimized out>) at /usr/src/debug/httpd-2.4.65/modules/http2/h2_c2.c:715
#21 slot_run (thread=0x5586acd1e100, wctx=0x5586accf7898) at /usr/src/debug/httpd-2.4.65/modules/http2/h2_workers.c:294
#22 0x00007f2d23fb9df1 in start_thread (arg=<optimized out>) at pthread_create.c:448
#23 0x00007f2d2403ec8c in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
The backtraces of other threads look very similar, except in one case there's a
run_cleanups() call between socache_dbm_retrieve() and database_cleanup():
#10 0x00007f2d24150a4e in run_cleanups (cref=<optimized out>) at memory/unix/apr_pools.c:2666
#11 apr_pool_clear (pool=0x5586aca03818) at memory/unix/apr_pools.c:938
Full backtrace attached.
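A log-triage sketch for the error lines quoted in the report above, added here as an example; it is not part of the original report or of httpd. It correlates glibc heap-consistency messages with AH00052 child exits and the AH10392 warning; the function name `triage` and the result keys are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample input: the error-log lines quoted in the report above, unwrapped.
SAMPLE_LOG = """\
double free or corruption (out)
double free or corruption (out)
[core:notice] [pid 1:tid 1] AH00052: child pid 7 exit signal Abort (6)
[core:notice] [pid 1:tid 1] AH00052: child pid 8 exit signal Abort (6)
[core:notice] [pid 1:tid 1] AH00052: child pid 9 exit signal Segmentation fault (11)
[mpm_event:warn] [pid 1:tid 1] AH10392: children are killed successively!
"""

# glibc prints its heap-consistency aborts to stderr with no httpd prefix.
GLIBC_HEAP = re.compile(r"^(double free or corruption|free\(\): |malloc\(\): |corrupted )")
CHILD_EXIT = re.compile(r"AH00052: child pid (\d+) exit signal (.+?) \((\d+)\)")
MEMORY_SIGNALS = {6, 7, 11}  # SIGABRT, SIGBUS, SIGSEGV on Linux x86-64


def triage(log_text):
    """Summarise crash indicators in an httpd error log (hypothetical helper)."""
    heap_msgs = Counter()
    exits = []  # (pid, signal name, signal number)
    respawn_warning = False
    for line in log_text.splitlines():
        line = line.strip()
        if GLIBC_HEAP.match(line):
            heap_msgs[line] += 1
        elif (m := CHILD_EXIT.search(line)):
            exits.append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif "AH10392" in line:
            respawn_warning = True
    crashed = [e for e in exits if e[2] in MEMORY_SIGNALS]
    return {
        "heap_messages": dict(heap_msgs),
        "crashed_pids": sorted(pid for pid, _, _ in crashed),
        "by_signal": dict(Counter(name for _, name, _ in crashed)),
        # Allocator abort text plus SIGABRT children: heap corruption in a worker
        "heap_corruption": bool(heap_msgs) and any(n == 6 for _, _, n in crashed),
        "crash_loop": respawn_warning,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```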