Bug 62983

Summary: apache latest version cause segmentation fault when enable php5 and php7 in the same time
Product: Apache httpd-2 Reporter: 0xd0ff9 <dinhbaouit>
Component: AllAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED INVALID    
Severity: trivial    
Priority: P2    
Version: 2.4.37   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: poc in apache 2.4.37

Description 0xd0ff9 2018-12-06 03:59:09 UTC
Created attachment 36294 [details]
poc in apache 2.4.37

all info please download the vagrant box:
https://drive.google.com/file/d/1uQELpsiBaXOAZpXtcHDdciZ_waXHShi8/view?usp=sharing
Comment 1 Eric Covener 2018-12-06 14:06:42 UTC
Please share backtraces and loaded libraries from the resulting core, as text in the bug.
Comment 2 0xd0ff9 2018-12-07 03:02:05 UTC
(In reply to Eric Covener from comment #1)
> Please share backtraces and loaded libraries from the resulting core, as
> text in the bug.

enmod php7.2 first, then enmod php5

Core dump file: 
https://drive.google.com/file/d/1a-POH6PWldsyAZiGMcqfxctfW7H_bA1B/view?usp=sharing

Backtrace:

vagrant@vagrant-ubuntu-trusty-64:~$ sudo apachectl debug
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/apache2...(no debugging symbols found)...done.
warning: File "/home/vagrant/.gdbinit" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
	add-auto-load-safe-path /home/vagrant/.gdbinit
line to your configuration file "$HOME/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "$HOME/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
(gdb) source /home/vagrant/peda
/home/vagrant/peda: Success.
(gdb) source /home/vagrant/peda/peda.py
gdb-peda$ bt
No stack.
gdb-peda$ run -k start
Starting program: /usr/sbin/apache2 -k start
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.2.15. Set the 'ServerName' directive globally to suppress this message

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x7ffff3e96a50 (<gc_collect_cycles>:	push   r15)
RBX: 0x7fffffffd180 --> 0x7ffff1e8debe (push   r15)
RCX: 0x5f ('_')
RDX: 0x7ffff2058cc0 (<zend_gc_collect_cycles>:	push   r15)
RSI: 0x7ffff212b6d7 ("E_ZEND_DTRACE")
RDI: 0x7fffffffee86 ("ERNAME=root")
RBP: 0x1 
RSP: 0x7fffffffd120 --> 0x0 
RIP: 0x7ffff2030d60 (mov    QWORD PTR [rax],rdx)
R8 : 0xffff 
R9 : 0x1 
R10: 0x7ffff71b6440 (<__strncmp_sse2+4608>:	pxor   xmm0,xmm0)
R11: 0xc ('\x0c')
R12: 0x7ffff4654260 --> 0x7ffff2132003 ("apache2handler")
R13: 0x7ffff241a280 --> 0x7ffff2132003 ("apache2handler")
R14: 0x7ffff7fba028 --> 0x7ffff7ff2028 --> 0x7ffff7ff4028 --> 0x7ffff7ff8028 --> 0x0 
R15: 0x7ffff241a3a0 --> 0x133c7de000000a8
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff2030d4b:	lea    rdx,[rip+0x27f6e]        # 0x7ffff2058cc0 <zend_gc_collect_cycles>
   0x7ffff2030d52:	mov    QWORD PTR [rax],0x0
   0x7ffff2030d59:	mov    rax,QWORD PTR [rip+0x3d2f90]        # 0x7ffff2403cf0
=> 0x7ffff2030d60:	mov    QWORD PTR [rax],rdx
   0x7ffff2030d63:	call   0x7ffff20d6d10
   0x7ffff2030d68:	mov    edi,0x3f
   0x7ffff2030d6d:	call   0x7ffff1e8c260 <malloc@plt>
   0x7ffff2030d72:	test   rax,rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd120 --> 0x0 
0008| 0x7fffffffd128 --> 0x1 
0016| 0x7fffffffd130 --> 0x7ffff4654260 --> 0x7ffff2132003 ("apache2handler")
0024| 0x7fffffffd138 --> 0x7ffff1fcf34b (<php_module_startup+379>:	lea    rsi,[rip+0x1132a6]        # 0x7ffff20e25f8)
0032| 0x7fffffffd140 --> 0x1558092c0 
0040| 0x7fffffffd148 --> 0x555555809160 --> 0x5555558097c0 --> 0x7ffff72aee73 ("gethostbyaddr_r")
0048| 0x7fffffffd150 --> 0x2d746e610000007c ('|')
0056| 0x7fffffffd158 ("ubuntu-trusty-64")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff2030d60 in ?? () from /usr/lib/apache2/modules/libphp7.2.so
gdb-peda$ bt
#0  0x00007ffff2030d60 in ?? () from /usr/lib/apache2/modules/libphp7.2.so
#1  0x00007ffff1fcf34b in php_module_startup () from /usr/lib/apache2/modules/libphp7.2.so
#2  0x00007ffff20d81e5 in ?? () from /usr/lib/apache2/modules/libphp7.2.so
#3  0x00007ffff20d8dd5 in ?? () from /usr/lib/apache2/modules/libphp7.2.so
#4  0x00005555555ad259 in ap_run_post_config ()
#5  0x000055555558b398 in main ()
#6  0x00007ffff714df45 in __libc_start_main (main=0x55555558aaf0 <main>, argc=0x3, 
    argv=0x7fffffffe688, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe678) at libc-start.c:287
#7  0x000055555558b6af in _start ()
gdb-peda$
Comment 3 Joe Orton 2018-12-07 10:31:56 UTC
You'll get symbol conflicts trying to load two PHP .so files into the same httpd.  It's not supported, don't do it.  Use php-fpm & fastcgi and you can run any number of PHPs simultaneously from a single httpd instance.
Comment 4 0xd0ff9 2018-12-07 10:40:40 UTC
But, If users miss handle do this action, apache2 will crash always and difficult to fix
Comment 5 Eric Covener 2018-12-07 12:06:31 UTC
These modules aren't even from the ASF.