Summary: Embedded pcre causes runtime segfault

| Field | Value |
|---|---|
| Product | Apache httpd-2 |
| Component | All |
| Status | RESOLVED LATER |
| Severity | normal |
| Priority | P2 |
| Version | 2.2.3 |
| Target Milestone | --- |
| Hardware | PC |
| OS | Mac OS X 10.4 |
| Reporter | Roberto C. Sanchez <roberto> |
| Assignee | Apache HTTPD Bugs Mailing List <bugs> |
| Keywords | MassUpdate |
Description
Roberto C. Sanchez
2006-12-29 12:35:02 UTC
Please execute the following additional gdb commands in the case of a crash:

    bt full
    info frame
    info registers
    p *cd

This will help us to find out which of the variables points to the offending address (0x7fffd69b in the case below).

```
$ gdb /usr/local/apache2-crash/bin/httpd
GNU gdb 6.1-20040303 (Apple version gdb-437) (Fri Jan 13 18:45:48 GMT 2006)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ........ done

(gdb) run -k start
Starting program: /usr/local/apache2-crash/bin/httpd -k start
Reading symbols for shared libraries ......+++ done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x7fffd5fb
0x0002da58 in compile_regex (options=0, oldims=0, brackets=0xbfffef94, codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0, skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4, cd=0xbfffef48) at pcre.c:2463
2463      for (c = 0; c < 32; c++) classbits[c] |= ~cbits[c+cbit_digit];

(gdb) bt full
#0  0x0002da58 in compile_regex (options=0, oldims=0, brackets=0xbfffef94, codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0, skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4, cd=0xbfffef48) at pcre.c:2463
        cbits = (const uschar *) 0xbfffe8c8 "\030íÿ¿"
        possessive_quantifier = 0
        is_quantifier = 0
        subreqbyte = -1866673032
        subfirstbyte = -1073746528
        class_lastchar = 25465965
        skipbytes = 16
        repeat_max = 0
        bravalue = 0
        condcount = -1073747768
        groupsetfirstbyte = 0
        repeat_type = 0
        req_caseopt = 0
        tempcode = (uschar *) 0x8fe53840 "øPà\217¦&à\2178Qà\217¦6à\217\2046à\217ä\027à\217h7à\217\214Qà\2176'à\217"
        inescq = 0
        ptr = (const uschar *) 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        tempptr = (const uschar *) 0x9114b3dc "/usr/lib/libSystem.B.dylib"
        classbits = "\000\000\000\000\000\020\000\b", '\0' <repeats 23 times>
        repeat_min = 0
        after_manual_callout = 0
        c = 16
        op_type = -1073747768
        reqvary = 0
        tempreqvary = 0
        ptr = (const uschar *) 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        code = (uschar *) 0x5d <Address 0x5d out of bounds>
        last_branch = (uschar *) 0x400a1a "Q"
        reverse_count = (uschar *) 0x0
        firstbyte = -2
        reqbyte = -2
        branchfirstbyte = -2
        branchreqbyte = -2
        bc = { outer = 0xbfffeaa4, current = 0x400a1a "Q" }
        bcptr = (branch_chain *) 0x5d
#1  0x0002d6bf in compile_regex (options=0, oldims=0, brackets=0xbfffef94, codeptr=0xbfffef90, ptrptr=0xbfffef8c, errorptr=0xbfffefec, lookbehind=0, skipbytes=0, firstbyteptr=0xbfffef9c, reqbyteptr=0xbfffef98, bcptr=0x0, cd=0xbfffef48) at pcre.c:3666
        possessive_quantifier = -1880803264
        is_quantifier = 0
        subreqbyte = -1881125354
        subfirstbyte = 0
        class_lastchar = 25465965
        skipbytes = 0
        repeat_max = 0
        bravalue = 81
        condcount = -1073747768
        groupsetfirstbyte = 0
        repeat_type = 0
        req_caseopt = 0
        tempcode = (uschar *) 0x400a1a "Q"
        inescq = 0
        ptr = (const uschar *) 0x1849469 "[^;,]+)|[;,][ \t]*Apache=([^;,]+)"
        tempptr = (const uschar *) 0x0
        classbits = "\000\000\000\000\000\000\000\000H$\000\220â\000\000\000\003\000\000\000èêÿ¿\217&\000\220\000\000\200\001"
        repeat_min = 0
        after_manual_callout = 0
        c = 0
        op_type = -1073747768
        reqvary = 0
        tempreqvary = 0
        ptr = (const uschar *) 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        code = (uschar *) 0x5d <Address 0x5d out of bounds>
        last_branch = (uschar *) 0x400a08 "P"
        reverse_count = (uschar *) 0x0
        firstbyte = -2
        reqbyte = -2
        branchfirstbyte = 65
        branchreqbyte = 101
        bc = { outer = 0x0, current = 0x400a08 "P" }
        bcptr = (branch_chain *) 0x5d
#2  0x0003010c in pcre_compile (pattern=0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", options=0, errorptr=0xbfffefec, erroroffset=0xbfffefe8, tables=0x3f2a0 "") at pcre.c:5509
        re = (real_pcre *) 0x4009e0
        length = 182
        c = 44
        firstbyte = 46
        reqbyte = 2118144
        bracount = 1
        branch_extra = 0
        branch_newextra = 93
        item_count = 26
        name_count = 0
        max_name_size = 93
        lastitemlength = 1
        inescq = 0
        brastackptr = 0
        size = 0
        code = (uschar *) 0x400a08 "P"
        codestart = (const uschar *) 0x400a08 "P"
        ptr = (const uschar *) 0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)"
        compile_block = { lcc = 0x3f2a0 "", fcc = 0x3f3a0 "", cbits = 0x3f4a0 "", ctypes = 0x3f5e0 "\200", start_code = 0x400a08 "P", start_pattern = 0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", name_table = 0x400a08 "P", names_found = 0, name_entry_size = 3, top_backref = 0, backref_map = 0, req_varyopt = 0, nopartial = 0 }
        brastack = {142, 25465536, -1073747000, -1881125354, 0 <repeats 12 times>, -1073745932, -1073745872, 25465536, 0, 0, 0, 0, -1881125179, 0, 25465536, -1073745896, -1881125075, 0, 0, 0, -1881125628, -1073745680, 0, -1073746904, 19822, 0, 0, 0, 0, 0, 0, 0, 2103264, 2103264, 0, 1, -1880969622, 2103264, 0, -1073746840, -1880928605, 8388608, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 302448, 2103264, 0, -1073746808, -1881105009, 8388608, 0, 0, 2113664, 2113664, 2103296, 0, 3154053, 2103296, 2103584, 0, 2, -1073745488, 654696, 11, -1880947369, 3835618, 3466792, 172, -1881077209, 5942910, 3492403, 48, -1881089198, -1879046316, -1073746720, 13, -1880969622, 1835166060, 5, 24, -1880928605, 1831747, 46, 672912, -1881098623, 23, 48, 672912, 655464, 1, 3470204, 3272944, 3481620, 173, 171, 0, -1880947369, 1, 2, 0, -1880928605, 2118512, 48, -1073746296, -1879016158, 4196784, 48, 48, -1881131634, 2099984, 2, 0, 131072, -1073746260, 653400, 23, -1881076672, 5942857, 675941, -1073746504, 2118544, 2118544, 48, 0, -1880947369, 1, 651528, 11, -1881076672, 5942826, 707312, 0, 5251095, 16772780, 211008, 672912, 653124, 47, 3470204, 3272944, 3481620, 278, 278, 203, -1881077209, 5942928, 3481856, 672912, 651396, 23, 0, 1270440, -1881131938, 2097248, 0, -1073746312, -1881131634, 2097248, 653400, 0, 0, -1073746084, 98427, 672912, 655464, -1880982564, -1512901655, -1881085377, -1881084870, -2035352088, 834625679, -1512901655, 834625791, 5931118, 1, -1073746264, -1881084176, -1880803264, 5942857, -1073746280, -1881131329}
        bralenstack = "\000ïÿ¿\006\000\000\000èîÿ¿\2165à\217\020\v \000ÀÛ4\000øîÿ¿[ðà\217ó\000 \000Xø\t\000\\ïÿ¿¿6à\217Ò{â\217é¢\210Ö?êà\217:ìà\217¥W¯\206\217èR¯é¢\210ÖÿèR¯ÿ\200Z\000\bñ\t\000\214ïÿ¿Xø\t\000@8å\217\220®Z\000\bïÿ¿0õà\217I®Z\000 RZ\000xïÿ¿iöà\217àQ \000n\200Z\000 RZ\000I®Z\000fS\000\000`\000 \000@8å\2170õà\217\210®Z\000 RZ\000¨ïÿ¿n\000\000\000ÖQ \000\017\200Z\000 RZ\000*®Z\000\a\000\000\000\020Z"
#3  0x00008468 in ap_regcomp (preg=0x1849490, pattern=0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", cflags=0) at util_pcre.c:135
        errorptr = 0x0
        erroffset = 0
        preg = (ap_regex_t *) 0x1849490
        pattern = 0x5d <Address 0x5d out of bounds>
        cflags = 93
#4  0x0000539f in ap_pregcomp (p=0x1806418, pattern=0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", cflags=0) at util.c:268
        preg = (ap_regex_t *) 0x1849490
        p = (struct apr_pool_t *) 0x1806418
        pattern = 0x5d <Address 0x5d out of bounds>
        cflags = 93
#5  0x005a6b18 in set_and_comp_regexp (dcfg=0x1849448, p=0x1806418, cookie_name=0x5a6ff4 "Apache") at mod_usertrack.c:203
        danger_chars = 0
        sp = 0x0
#6  0x005a6c38 in make_cookie_dir (p=0x1806418, d=0x0) at mod_usertrack.c:268
        p = (struct apr_pool_t *) 0x1806418
#7  0x0001a3d4 in ap_single_module_configure (p=0x1806418, s=0x180bda0, m=0x5a7020) at config.c:2031
        m = (module *) 0x5a7020
#8  0x00028ea4 in load_module (cmd=0xbffff618, dummy=0xbffff464, modname=0x1849288 "usertrack_module", filename=0x18492a0 "modules/mod_usertrack.so") at mod_so.c:294
        modhandle = (struct apr_dso_handle_t *) 0x18492f8
        modsym = 0x5a7020
        modp = (module *) 0x5a7020
        szModuleFile = 0x18492c0 "/usr/local/apache2-crash/modules/mod_usertrack.so"
        modi = (ap_module_symbol_t *) 0x1838508
        modie = (ap_module_symbol_t *) 0x5d
        i = 5926944
        error = 0x0
        dummy = (void *) 0x5d
        filename = 0x0
#9  0x00017a2e in invoke_cmd (cmd=0x40060, parms=0xbffff618, mconfig=0xbffff464, args=0x183d44c "") at config.c:768
        w = 0x40060 "(Å\003"
        w2 = 0x5d <Address 0x5d out of bounds>
        w3 = 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        errmsg = 0x0
#10 0x00018532 in ap_build_config_sub (p=0x180b878, temp_pool=0x184946d, l=0xbfffe8c8 "\030íÿ¿", parms=0xbffff618, current=0xbffff4cc, curr_parent=0xbffff4c8, conftree=0x3f0a8) at config.c:1419
        ml = (ap_mod_list *) 0x180b878
        dir = 0x180b878 ""
        args = 0x183d423 "usertrack_module modules/mod_usertrack.so"
        sub_tree = (ap_directive_t *) 0x0
        retval = 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        args = 0x183d423 "usertrack_module modules/mod_usertrack.so"
        cmd_name = 0x1849218 "LoadModule"
        mod = (module *) 0x3f1e0
        cmd = (const command_rec *) 0x5d
#11 0x00018afd in ap_build_config (parms=0xbffff618, p=0x1806418, temp_pool=0x1836418, conftree=0x3f0a8) at config.c:1202
        current = (ap_directive_t *) 0x183a0a0
        curr_parent = (ap_directive_t *) 0x0
        l = 0x183d418 "LoadModule usertrack_module modules/mod_usertrack.so"
        errmsg = 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        conftree = (ap_directive_t **) 0x3f0a8
#12 0x000192c8 in process_resource_config_nofnmatch (s=0x180bda0, fname=0x1838ef0 "/usr/local/apache2-crash/conf/httpd.conf", conftree=0x3f0a8, p=0x1806418, ptemp=0x1836418, depth=0) at config.c:1612
        parms = { info = 0x0, override = 150, limited = -1, limited_xmethods = 0x0, xlimited = 0x0, config_file = 0x1839fb0, directive = 0x0, pool = 0x1806418, temp_pool = 0x1836418, server = 0x180bda0, path = 0x0, cmd = 0x40060, context = 0x0, err_directive = 0x1849228, override_opts = 239 }
        cfp = (ap_configfile_t *) 0x1839fb0
        error = 0x5d <Address 0x5d out of bounds>
        rv = 25465965
#13 0x000195d0 in ap_process_resource_config (s=0x180bda0, fname=0x1838ef0 "/usr/local/apache2-crash/conf/httpd.conf", conftree=0x3f0a8, p=0x1806418, ptemp=0x1836418) at config.c:1644
        fname = 0x1838ef0 "/usr/local/apache2-crash/conf/httpd.conf"
        dirp = (struct apr_dir_t *) 0x0
        dirent = { pool = 0x18, valid = 25, protection = 40, filetype = 4294967295, user = 4294967295, group = 4294967295, inode = 4294967295, device = 232508, nlink = 263868, size = 436166814044096, csize = 25398056, atime = 436384783398840, mtime = 939553087027116, ctime = 137439172227, fname = 0x1806418 "\030D\200\001\030d\204\001", name = 0xef <Address 0xef out of bounds>, filehand = 0x1808450 }
        current = 25399024
        candidates = (apr_array_header_t *) 0x5
        rv = 25465965
        path = 0x200080 "0\002 "
        finfo = { pool = 0x18, valid = 25, protection = 40, filetype = 4294967295, user = 4294967295, group = 4294967295, inode = 4294967295, device = 232508, nlink = 263868, size = 436166814044096, csize = 25398056, atime = 436384783398840, mtime = 939553087027116, ctime = 137439172227, fname = 0x1806418 "\030D\200\001\030d\204\001", name = 0xef <Address 0xef out of bounds>, filehand = 0x1808450 }
        dirp = (struct apr_dir_t *) 0x0
        dirent = { pool = 0x18, valid = 25, protection = 40, filetype = 4294967295, user = 4294967295, group = 4294967295, inode = 4294967295, device = 232508, nlink = 263868, size = 436166814044096, csize = 25398056, atime = 436384783398840, mtime = 939553087027116, ctime = 137439172227, fname = 0x1806418 "\030D\200\001\030d\204\001", name = 0xef <Address 0xef out of bounds>, filehand = 0x1808450 }
        candidates = (apr_array_header_t *) 0x5
        path = 0x200080 "0\002 "
        dirp = (struct apr_dir_t *) 0x0
        dirent = { pool = 0x18, valid = 25, protection = 40, filetype = 4294967295, user = 4294967295, group = 4294967295, inode = 4294967295, device = 232508, nlink = 263868, size = 436166814044096, csize = 25398056, atime = 436384783398840, mtime = 939553087027116, ctime = 137439172227, fname = 0x1806418 "\030D\200\001\030d\204\001", name = 0xef <Address 0xef out of bounds>, filehand = 0x1808450 }
        candidates = (apr_array_header_t *) 0x5
        path = 0x200080 "0\002 "
        dirp = (struct apr_dir_t *) 0x0
        dirent = { pool = 0x18, valid = 25, protection = 40, filetype = 4294967295, user = 4294967295, group = 4294967295, inode = 4294967295, device = 232508, nlink = 263868, size = 436166814044096, csize = 25398056, atime = 436384783398840, mtime = 939553087027116, ctime = 137439172227, fname = 0x1806418 "\030D\200\001\030d\204\001", name = 0xef <Address 0xef out of bounds>, filehand = 0x1808450 }
        candidates = (apr_array_header_t *) 0x5
        path = 0x200080 "0\002 "
#14 0x0001a1e3 in ap_read_config (process=0x18044a0, ptemp=0x1836418, filename=0x35674 "conf/httpd.conf", conftree=0x3f0a8) at config.c:2004
        confname = 0x5d <Address 0x5d out of bounds>
        error = 0x5d <Address 0x5d out of bounds>
        p = (struct apr_pool_t *) 0x1806418
        s = (server_rec *) 0x180bda0
        process = (process_rec *) 0x1838b28
#15 0x0000326a in main (argc=3, argv=0xbffff940) at main.c:610
        c = 0 '\0'
        configtestonly = 0
        confname = 0x35674 "conf/httpd.conf"
        def_server_root = 0x35684 "/usr/local/apache2-crash"
        temp_error_log = 0x0
        error = 0x5d <Address 0x5d out of bounds>
        process = (process_rec *) 0x18044a0
        server_conf = (server_rec *) 0x18044a0
        pglobal = (struct apr_pool_t *) 0x1804418
        pconf = (struct apr_pool_t *) 0x1806418
        plog = (struct apr_pool_t *) 0x1834418
        ptemp = (struct apr_pool_t *) 0x1836418
        pcommands = (struct apr_pool_t *) 0x1808418
        opt = (apr_getopt_t *) 0x18084b0
        rv = 258216
        optarg = 0x79645f5f <Address 0x79645f5f out of bounds>

(gdb) info frame
Stack level 0, frame at 0xbfffe950:
 eip = 0x2da58 in compile_regex (pcre.c:2463); saved eip 0x2d6bf
 called by frame at 0xbfffeaf0
 source language c.
 Arglist at 0xbfffe948, args: options=0, oldims=0, brackets=0xbfffef94, codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0, skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4, cd=0xbfffef48
 Locals at 0xbfffe948, Previous frame's sp is 0xbfffe950
 Saved registers:
  ebx at 0xbfffe93c, ebp at 0xbfffe948, esi at 0xbfffe940, edi at 0xbfffe944, eip at 0xbfffe94c

(gdb) info registers
eax            0x5d        93
ecx            0xbfffe8c8  -1073747768
edx            0x184946d   25465965
ebx            0x2d0e7     184551
esp            0xbfffe7b0  0xbfffe7b0
ebp            0xbfffe948  0xbfffe948
esi            0xbfffecf4  -1073746700
edi            0x10        16
eip            0x2da58     0x2da58
eflags         0x10246     66118
cs             0x17        23
ss             0x1f        31
ds             0x1f        31
es             0x1f        31
fs             0x0         0
gs             0x37        55

(gdb) p *cd
$1 = { lcc = 0x3f2a0 "", fcc = 0x3f3a0 "", cbits = 0x3f4a0 "", ctypes = 0x3f5e0 "\200", start_code = 0x400a08 "P", start_pattern = 0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", name_table = 0x400a08 "P", names_found = 0, name_entry_size = 3, top_backref = 0, backref_map = 0, req_varyopt = 0, nopartial = 0 }
```

Hope this helps.
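The crash-context commands the developers asked for above, scripted so they can be rerun and the transcript checked mechanically instead of read by eye. This is an added example, not code from the bug report, httpd or PCRE. It assumes the debug build lives at the same prefix as in the report, that the crash is reported by Apple's gdb as `EXC_BAD_ACCESS` with a `KERN_INVALID_ADDRESS at address:` line, and it runs httpd with `-X` (single-process, foreground) rather than `-k start` so the process gdb holds is the one that crashes. The excerpt of `bt full` and `p *cd` output it parses is constructed from the transcript above, with string values trimmed.

```sh
#!/bin/sh
# Added example (not from the bug report or httpd): script the crash
# diagnosis requested in the report and post-process the transcript.
# Assumptions: debug build at /usr/local/apache2-crash (as in the report),
# Apple gdb's "EXC_BAD_ACCESS ... at address: 0x..." crash banner.

# Step 1: gdb command file.  -X keeps httpd single-process and in the
# foreground; the report used "run -k start", which for a config-time
# crash also stays in the parent.
write_gdb_cmds() {
    cat > "$1" <<'EOF'
set pagination off
run -X
bt full
info frame
info registers
p *cd
EOF
}

# Step 2: run it.  Usage: run_under_gdb /usr/local/apache2-crash/bin/httpd crash.log
run_under_gdb() {
    cmds="${TMPDIR:-/tmp}/httpd-crash.gdb"
    write_gdb_cmds "$cmds"
    gdb -batch -x "$cmds" "$1" > "$2" 2>&1
}

# Step 3: the faulting address, taken from the KERN_INVALID_ADDRESS line.
fault_address() {
    sed -n 's/.*KERN_INVALID_ADDRESS at address: \(0x[0-9a-fA-F]*\).*/\1/p' "$1" | head -n 1
}

# Step 4: every pointer-typed local of frame #0 (the "bt full" text between
# "#0 " and "#1 "), ordered by distance from the fault address.  A local a
# few bytes from the fault is the one that was dereferenced; when none is
# close, the bad pointer was computed from a corrupted value rather than
# taken straight from a variable.  Output: name value distance-in-bytes.
frame0_pointers() {
    fault=$(fault_address "$1")
    [ -n "$fault" ] || { echo "no fault address in $1" >&2; return 1; }
    sed -n '/^#0 /,/^#1 /p' "$1" \
      | sed -n 's/^ *\([A-Za-z_][A-Za-z0-9_]*\) = ([^)]*\*) \(0x[0-9a-fA-F]*\).*/\1 \2/p' \
      | while read -r name addr; do
            d=$(( $addr - $fault ))
            if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
            echo "$d $name $addr"
        done | sort -n | awk '{ print $2, $3, $1 }'
}

nearest_local() {
    frame0_pointers "$1" | head -n 1 | cut -d ' ' -f 1
}

# Value of one pointer-typed local in frame #0.
frame0_value() {
    sed -n '/^#0 /,/^#1 /p' "$1" \
      | sed -n "s/^ *$2 = ([^)]*\*) \(0x[0-9a-fA-F]*\).*/\1/p" | head -n 1
}

# Step 5: a pointer field of the compile block as printed by "p *cd", so
# the table pointer frame #0 is using can be compared with the real one.
cd_field() {
    sed -n '/^\$[0-9][0-9]* = {/p' "$1" | tr ',' '\n' \
      | sed -n "s/.*[{ ]$2 = \(0x[0-9a-fA-F]*\).*/\1/p" | head -n 1
}

triage() {
    echo "fault address: $(fault_address "$1")"
    echo "frame #0 pointer locals, nearest first (name value distance):"
    frame0_pointers "$1"
    echo "frame #0 cbits vs cd->cbits: $(frame0_value "$1" cbits) vs $(cd_field "$1" cbits)"
}

# Constructed excerpt of the transcript in the report: only the lines the
# functions above look at, string values trimmed.
write_sample() {
    cat > "$1" <<'EOF'
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x7fffd5fb
0x0002da58 in compile_regex (options=0, oldims=0, brackets=0xbfffef94, codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0, skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4, cd=0xbfffef48) at pcre.c:2463
2463      for (c = 0; c < 32; c++) classbits[c] |= ~cbits[c+cbit_digit];
(gdb) bt full
#0  0x0002da58 in compile_regex (options=0, oldims=0, brackets=0xbfffef94, codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0, skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4, cd=0xbfffef48) at pcre.c:2463
        cbits = (const uschar *) 0xbfffe8c8 ""
        tempcode = (uschar *) 0x8fe53840 ""
        ptr = (const uschar *) 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        tempptr = (const uschar *) 0x9114b3dc "/usr/lib/libSystem.B.dylib"
        c = 16
        code = (uschar *) 0x5d <Address 0x5d out of bounds>
        last_branch = (uschar *) 0x400a1a "Q"
        reverse_count = (uschar *) 0x0
        bc = { outer = 0xbfffeaa4, current = 0x400a1a "Q" }
        bcptr = (branch_chain *) 0x5d
#1  0x0002d6bf in compile_regex (options=0, oldims=0, brackets=0xbfffef94, codeptr=0xbfffef90, ptrptr=0xbfffef8c, errorptr=0xbfffefec, lookbehind=0, skipbytes=0, firstbyteptr=0xbfffef9c, reqbyteptr=0xbfffef98, bcptr=0x0, cd=0xbfffef48) at pcre.c:3666
        tempcode = (uschar *) 0x400a1a "Q"
(gdb) p *cd
$1 = { lcc = 0x3f2a0 "", fcc = 0x3f3a0 "", cbits = 0x3f4a0 "", ctypes = 0x3f5e0 "\200", start_code = 0x400a08 "P", start_pattern = 0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", name_table = 0x400a08 "P", names_found = 0, name_entry_size = 3, top_backref = 0, backref_map = 0, req_varyopt = 0, nopartial = 0 }
EOF
}

sample="${TMPDIR:-/tmp}/httpd-crash-sample.txt"
write_sample "$sample"
triage "$sample"
```

Against the transcript above the script reports that no frame-0 pointer local comes within 250 MB of the fault address (the nearest is `tempcode`), and that `cbits` in frame 0 holds a stack address (0xbfffe8c8) while `p *cd` shows the real character-class table at 0x3f4a0, which is the comparison the developers' request was aiming at. Treat the outer frames' locals with caution: the value 0x5d, which is also `eax`, appears as `pattern`, `cflags = 93`, `error` and `w2` in frames 3 to 15 even though the frame headers print sane values for the same arguments, the usual sign of gdb reading dead register or stack slots rather than live variables.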
Thanks for the quick update, but to be honest at the moment I have no idea why this happens.

No problem. I don't understand either. However, it appears that the embedded version of pcre in the httpd source is version 5.0, which is now over two years old. I have apache successfully working with the latest upstream, version 7.0. Of course, this would need to be tested thoroughly to ensure that it does not introduce any regressions. I'd recommend updating the pcre included with httpd.

This is an instance of a frequently-recurring problem that comes with bundling *any* PCRE version. The solution is to unbundle it.

Is the 'solution' here to check at compile time on OS/X and refuse to build unless the person has specified an external pcre?

The bug is marked as needsinfo. What other information is required?

Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.