apache segfaults with mod_authn_dbd when dbd_min is zero: # tail -f error.log [Thu Aug 02 16:27:37 2012] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/0.9.8o [Thu Aug 02 16:27:37 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8o configured -- resuming normal operations [Thu Aug 02 16:27:37 2012] [info] Server built: Aug 2 2012 15:37:02 [Thu Aug 02 16:27:37 2012] [debug] worker.c(1757): AcceptMutex: sysvsem (default: sysvsem) [Thu Aug 02 16:27:39 2012] [notice] child pid 13127 exit signal Segmentation fault (11) Config line for compiling against the Squeeze packages is: ./configure --prefix=/usr/local/apachetest --disable-echo --enable-cache --disable-include \ --enable-ssl --enable-http --enable-cgi --disable-imap --disable-userdir \ --enable-dbd --enable-authn-dbd --with-apr=/usr --with-apr-util=/usr \ --enable-so --enable-rewrite --disable-vhost-alias --with-mpm=worker # dpkg -l|grep apr ii libapr1 1.4.2-6+squeeze4 The Apache Portable Runtime Library ii libapr1-dev 1.4.2-6+squeeze4 The Apache Portable Runtime Library - Development Headers ii libaprutil1 1.3.9+dfsg-5 The Apache Portable Runtime Utility Library ii libaprutil1-dbd-mysql 1.3.9+dfsg-5 The Apache Portable Runtime Utility Library - MySQL Driver ii libaprutil1-dev 1.3.9+dfsg-5 The Apache Portable Runtime Utility Library - Development Headers httpd.conf: ############################################################### alapveto adatok begin ServerRoot "/usr/local/apachetest" Listen 50080 User nobody Group nogroup ServerAdmin tech@xxxxxxx.hu ServerName xxxxxxx.hu:80 DocumentRoot "/usr/local/apachetest/htdocs" DirectoryIndex index.html index.htm index.php ExtendedStatus on ServerTokens Prod ServerSignature Off DefaultType text/plain Timeout 30 Keepalive on MaxKeepAliveRequests 100 KeepAliveTimeout 5 UseCanonicalName Off AccessFilename .htaccess HostnameLookups off CoreDumpDirectory /tmp ############################################################### alapveto adatok end ############################################################### MPM begin ThreadLimit 10 ThreadsPerChild 1 ServerLimit 10 MaxClients 10 StartServers 1 MinSpareThreads 1 MaxSpareThreads 1 ThreadStackSize 131072 MaxRequestsPerChild 10000 ############################################################### MPM end #################################################################### mod_dbd begin DBDriver mysql DBDParams "host=mysql.xxxxxxx.hu dbname=xxxxxxx user=xxxxxxx password=xxxxxxx" DBDMin 0 DBDKeep 5 DBDMax 10 DBDExptime 60 #################################################################### mod_dbd end ############################################################### access control begin <Directory /> Options FollowSymLinks AllowOverride None Order deny,allow Deny from all </Directory> <Directory /usr/local/apachetest/htdocs> Order allow,deny Allow from all AuthType Basic AuthName "My Server" AuthBasicProvider dbd # core authorization configuration Require valid-user AuthDBDUserPWQuery "SELECT pd_password FROM w3_protecteddirs WHERE pd_username = %s" </Directory> <FilesMatch "^\.ht"> Order allow,deny Deny from all Satisfy All </FilesMatch> ############################################################### access control end ################################################################### logging begin PidFile "logs/httpd.pid" ErrorLog "logs/error.log" LogLevel debug LogFormat "%h %V %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" TransferLog "logs/access.log" #################################################################### logging end If I increase DBD_Min to 1, Apache does not crash.
However DBD_Min 0 is definetly a problem, and with a higher value authentication works fine, I can still reproduce the segfaults by pushing F5 (refresh) in the browser for a few minutes. I believe this is a stack issue, as I increase ThreadStackSize it works OK, no segfaults. I would recommend mentioning this in documentation. 256KByte seems to be enough.
Nevertheles, Apache even segfaults, when DBD is not configured at all in rsrc_conf and an attacker has the ability to upload .htaccess files with content of AuthBasicProvider dbd and AllowOverride AuthConfig is on.
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd. As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd. If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question. If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with. Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.