No idea how to reproduce this; I'm just running an httpd with debug
symbols and kern.nosuidcoredump=3.

Pretty sure this is the crash various people mumbled about.
Smells like a use-after-fruit to me.

Core was generated by `httpd'.
Program terminated with signal SIGABRT, Aborted.
#0  thrkill () at /tmp/-:3
3       /tmp/-: No such file or directory.
(gdb) bt
#0  thrkill () at /tmp/-:3
#1  0x000009d1979a211e in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#2  0x000009d19798a726 in wrterror (d=0x9d230d35980,
    msg=0x9d19795b05d "modified chunk-pointer %p")
    at /usr/src/lib/libc/stdlib/malloc.c:307
#3  0x000009d19798e0cc in find_chunknum (d=0x0, info=<optimized out>, ptr=0x0,
    check=-236688) at /usr/src/lib/libc/stdlib/malloc.c:1063
#4  0x000009d19798ac89 in ofree (argpool=0x7f7ffffc66b0, p=0x9d1884d6a07,
    clear=0, check=<optimized out>, argsz=0)
    at /usr/src/lib/libc/stdlib/malloc.c:1409
#5  0x000009d19798a96b in free (ptr=0x9d1884d6a07)
    at /usr/src/lib/libc/stdlib/malloc.c:1470
#6  0x000009cf5d137288 in server_httpdesc_free (desc=0x9d1ff641600)
    at /usr/src/usr.sbin/httpd/server_http.c:113
#7  0x000009cf5d13c1a1 in server_close_http (clt=0x9d1ff645000)
    at /usr/src/usr.sbin/httpd/server_http.c:1088
#8  0x000009cf5d133afc in server_close (clt=0x9d1ff645000,
    msg=0x9d1ff633380 "malformed (400 Bad Request)")
    at /usr/src/usr.sbin/httpd/server.c:1306
#9  0x000009cf5d13890d in server_abort_http (clt=0x9d1ff645000, code=400,
    msg=0x9cf5d113dea "malformed")
    at /usr/src/usr.sbin/httpd/server_http.c:1077
#10 0x000009cf5d137c13 in server_read_http (bev=0x9d1ff61b800,
    arg=0x9d1ff645000) at /usr/src/usr.sbin/httpd/server_http.c:366
--Type <RET> for more, q to quit, c to continue without paging--
#11 0x000009d1f3766f29 in bufferevent_readcb (fd=<optimized out>,
    event=<optimized out>, arg=0x9d1ff61b800)
    at /usr/src/lib/libevent/evbuffer.c:140
#12 0x000009d1f3765b9f in event_process_active (base=0x9d1884c5c00)
    at /usr/src/lib/libevent/event.c:333
#13 event_base_loop (base=0x9d1884c5c00, flags=0)
    at /usr/src/lib/libevent/event.c:483
#14 0x000009cf5d131a11 in proc_run (ps=0x9d1884cc800, p=0x9cf5d148a70 <procs>,
    procs=0x9cf5d148b90 <procs>, nproc=2, run=0x9cf5d132100 <server_init>,
    arg=0x0) at /usr/src/usr.sbin/httpd/proc.c:604
#15 0x000009cf5d1320d2 in server (ps=0x9d1884cc800, p=0x9cf5d148a70 <procs>)
    at /usr/src/usr.sbin/httpd/server.c:87
#16 0x000009cf5d1303c5 in proc_init (ps=0x9d1884cc800,
    procs=0x9cf5d148a70 <procs>, nproc=2, debug=0, argc=5,
    argv=0x7f7ffffd6de8, proc_id=PROC_SERVER)
    at /usr/src/usr.sbin/httpd/proc.c:260
#17 0x000009cf5d1276f1 in main (argc=0, argv=0x7f7ffffd6de8)
    at /usr/src/usr.sbin/httpd/httpd.c:220

--
I'm not entirely sure you are real.