Full_Name: David Kerry
Version: 2.4.6
OS: Debian/Linux 2.1 (Intel) w/2.0.36 kernel
Submission from: cr719912-a.ym1.on.wave.home.com (24.114.39.84)
I've been having a lot of segmentation fault problems on a linux
webserver I've set up.
We're using:
apache 1.3.9
mod_ssl 2.4.6
mm 1.0.12
php 3.0.12
Jserv 1.0
Quick summary of the problem - users connecting to the ssl enabled
virtual host on this server get I/O errors and the logs show that
the apache process is dying with a segmentation fault (sig 11).
Only the ssl host is affected, the regular port 80 access is
unaffected. This problem seems to only happen after apache has
been restarted (apachectl restart) at least once, and has been sitting
idle for a number of hours.
I have tried the following cache/session options: DBM, Vendor DBM,
and shared-memory (MM). The result is still the same.
I've since recompiled everything with complete debug info, and gotten
a stack-backtrace:
#0 RSA_private_decrypt (flen=64, from=0x812aaa8
"G�q]k\2009\206U�)\n�\027e��X\002�8о��\nQ \tQ\017�<���g�A�$N#\226��ج��8�\224
{\2276a^d�\037V�V�*�\023",
to=0x812aaa8 ".....", rsa=0x810ae58, padding=1)
at rsa_lib.c:228
#1 0x402d9c9d in ssl3_get_client_key_exchange (s=0x8128418) at s3_srvr.c:1240
#2 0x402d7f79 in ssl3_accept (s=0x8128418) at s3_srvr.c:344
#3 0x402c92a8 in SSL_accept (s=0x8128418) at ssl_lib.c:603
#4 0x402c53a4 in ssl23_get_client_hello (s=0x8128418) at s23_srvr.c:498
#5 0x402c47a3 in ssl23_accept (s=0x8128418) at s23_srvr.c:159
#6 0x402c92a8 in SSL_accept (s=0x8128418) at ssl_lib.c:603
#7 0x402ac089 in ssl_hook_NewConnection (conn=0x81253f0) at ssl_engine_kernel.c:229
#8 0x8061921 in new_connection (p=0x80e0a10, server=0x80b4930, inout=0x80e0a48, remaddr=0xbffffbc8, saddr=0xbffffbd8, child_num=2) at http_main.c:3146
#9 0x8062a1d in child_main (child_num_arg=2) at http_main.c:4104
#10 0x8062cfc in make_child (s=0x80b4930, slot=2, now=941406076) at http_main.c:4293
#11 0x80630ba in perform_idle_server_maintenance () at http_main.c:4457
#12 0x8063655 in standalone_main (argc=2, argv=0xbffffd4c) at http_main.c:4689
#13 0x8063dd3 in main (argc=2, argv=0xbffffd4c) at http_main.c:4944
Here's the relevant source line that it blows up at:
225 int RSA_private_decrypt(int flen, unsigned char *from, unsigned char *to,
226                         RSA *rsa, int padding)
227 {
228     return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
229 }
The problem seems to be that the 'rsa' pointer passed to the
RSA_private_decrypt() routine contains bogus information in
the 'meth' field of its structure. This causes a jump off into
never-never land when it hits the above code (i.e., rsa->meth->rsa_priv_dec
is a bad pointer).
Here's the contents of the rsa structure:
(gdb) p *rsa
$15 = {
  pad = 0,
  version = 0,
  meth = 0x40358a98,
  n = 0x810af38,
  e = 0x8107f60,
  d = 0x810b088,
  p = 0x8107f88,
  q = 0x810af20,
  dmp1 = 0x810b340,
  dmq1 = 0x810b440,
  iqmp = 0x810b488,
  ex_data = {
    sk = 0x0,
    dummy = 0
  },
  references = 2,
  flags = 6,
  _method_mod_n = 0x0,
  _method_mod_p = 0x0,
  _method_mod_q = 0x0,
  bignum_data = 0x0,
  blinding = 0x0
}
(gdb) p *rsa->meth
$16 = {
  name = 0x21e5 <Address 0x21e5 out of bounds>,
  rsa_pub_enc = 0x21e9,
  rsa_pub_dec = 0x21f1,
  rsa_priv_enc = 0x21f5,
  rsa_priv_dec = 0x21fb,
  rsa_mod_exp = 0x2203,
  bn_mod_exp = 0x2209,
  init = 0x220f,
  finish = 0x221b,
  flags = 8737,
  app_data = 0x2225 <Address 0x2225 out of bounds>
}
After tracing the code back up the tree a bit, it seems this rsa
pointer is somehow stuffed into a certificate structure (s->cert->rsa_tmp).
It would appear that someone is either stomping on memory,
or just not initializing this structure before passing it around.
Since I'm not familiar enough with the code to trace this completely
through, I can't say for sure whether this is a mod_ssl problem,
or an OpenSSL problem.
Any help with this one would be much appreciated... it's driving me
nuts!
In the meantime, I'll be disabling the SSL session caching entirely
to see if that has any effect...
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
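
Added example (not part of the original report, and not mod_ssl or OpenSSL code): a small triage script that parses the `p *rsa->meth` dump shown above and flags every pointer field that lands outside the process's mapped memory. The mapped ranges and the helper names are assumptions made for illustration; the stride check is a heuristic.

```python
import re

# Constructed input: the fields of the `p *rsa->meth` dump from the report.
METH_DUMP = """\
name = 0x21e5 <Address 0x21e5 out of bounds>,
rsa_pub_enc = 0x21e9,
rsa_pub_dec = 0x21f1,
rsa_priv_enc = 0x21f5,
rsa_priv_dec = 0x21fb,
rsa_mod_exp = 0x2203,
bn_mod_exp = 0x2209,
init = 0x220f,
finish = 0x221b,
flags = 8737,
app_data = 0x2225 <Address 0x2225 out of bounds>
"""

# Assumed mappings (not from the report). In a live session take them from
# gdb's `info proc mappings` or from /proc/<pid>/maps.
MAPPED_RANGES = [(0x08048000, 0x080B0000), (0x40000000, 0x40400000)]

FIELD = re.compile(r"^\s*(\w+)\s*=\s*(0x[0-9a-fA-F]+|\d+)")

def parse_struct(dump):
    """Return [(field, value)] from a gdb struct print, in declaration order."""
    out = []
    for line in dump.splitlines():
        m = FIELD.match(line)
        if m:
            out.append((m.group(1), int(m.group(2), 0)))
    return out

def unmapped_fields(fields, ranges, skip=("flags",)):
    """Pointer fields (NULL counts as unset) whose target is in no mapped range."""
    return [name for name, val in fields
            if name not in skip and val != 0
            and not any(lo <= val < hi for lo, hi in ranges)]

def looks_like_offset_table(fields, max_stride=0x40):
    """Heuristic: True when each value exceeds the previous by a small step."""
    vals = [v for _, v in fields]
    return len(vals) > 1 and all(0 < b - a <= max_stride for a, b in zip(vals, vals[1:]))

if __name__ == "__main__":
    f = parse_struct(METH_DUMP)
    print("unmapped:", unmapped_fields(f, MAPPED_RANGES))
    print("ascending small-stride run:", looks_like_offset_table(f))
```

On the dump above, every pointer field is reported as unmapped and the values form one ascending run with small steps, which is what a method-table pointer aimed at unrelated data looks like, as opposed to a single overwritten field.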