The mod_auth_kerb module did not use the Kerberos libraries in a thread-safe way. Therefore, if mod_auth_kerb ran under a multi-threaded Apache HTTP Server, authentication requests could terminate unexpectedly with a segmentation fault. With this update, the thread-safety problem has been fixed, and thread crashes no longer occur under these circumstances.
Created attachment 520390
error_log.gz
Description of problem:
mod_auth_kerb doesn't work properly with the worker MPM.
There are the following errors in the log (please find the whole error_log attached):
[Mon Aug 29 08:23:55 2011] [notice] child pid 12884 exit signal Bus error (7)
[Mon Aug 29 08:23:57 2011] [notice] child pid 12938 exit signal Segmentation fault (11)
[Mon Aug 29 08:24:02 2011] [notice] child pid 12968 exit signal Segmentation fault (11)
[Mon Aug 29 08:24:03 2011] [notice] child pid 12970 exit signal Segmentation fault (11)
*** glibc detected *** /usr/sbin/httpd.worker: double free or corruption (fasttop): 0x00002aaabc000fe0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2af75241c45f]
/lib64/libc.so.6(cfree+0x4b)[0x2af75241c8bb]
/usr/lib64/libkrb5.so.3[0x2af75378a9e8]
/etc/httpd/modules/mod_auth_kerb.so[0x2af75ab5520e]
/usr/sbin/httpd.worker(ap_run_check_user_id+0x72)[0x2af7504a3652]
/usr/sbin/httpd.worker(ap_process_request_internal+0x237)[0x2af7504a4857]
/usr/sbin/httpd.worker(ap_process_request+0x198)[0x2af7504b6058]
/usr/sbin/httpd.worker[0x2af7504b32a0]
/usr/sbin/httpd.worker(ap_run_process_connection+0x72)[0x2af7504af632]
/usr/sbin/httpd.worker[0x2af7504baaf7]
/lib64/libpthread.so.0[0x2af751f9073d]
/lib64/libc.so.6(clone+0x6d)[0x2af75247e4bd]
======= Memory map: ========
Version-Release number of selected component (if applicable):
mod_auth_kerb-5.1-3.el5
httpd-2.2.3-53.el5
How reproducible:
MPM worker, mod_auth_kerb authentication with "KrbMethodK5Passwd on".
ab -n 1000 -c 100 -A username:password http://hostname/
Actual results:
Lots of "Failed requests" in ab's output. The server error_log is full of errors.
If a user tries to open a real page (with images, styles, etc.) in a browser, it looks broken: lots of images are missing, etc.
Expected results:
No failed requests. No errors in the error_log.
Additional info:
It seems to be fixed in upstream since Oct 2 2008:
http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_auth_kerb/src/mod_auth_kerb.c?r1=1.141&r2=1.142
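A triage sketch for the crash pattern in the report above, added here as an example and not part of the bug report or of mod_auth_kerb: it tallies worker child exits by signal and, for each glibc corruption report, names the Apache module on the stack and the library it had called into. The function names and the `/modules/` path heuristic are assumptions; the sample lines are copied from the excerpt above.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the error_log excerpt in the report.
SAMPLE = """\
[Mon Aug 29 08:23:55 2011] [notice] child pid 12884 exit signal Bus error (7)
[Mon Aug 29 08:23:57 2011] [notice] child pid 12938 exit signal Segmentation fault (11)
[Mon Aug 29 08:24:02 2011] [notice] child pid 12968 exit signal Segmentation fault (11)
[Mon Aug 29 08:24:03 2011] [notice] child pid 12970 exit signal Segmentation fault (11)
*** glibc detected *** /usr/sbin/httpd.worker: double free or corruption (fasttop): 0x00002aaabc000fe0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2af75241c45f]
/lib64/libc.so.6(cfree+0x4b)[0x2af75241c8bb]
/usr/lib64/libkrb5.so.3[0x2af75378a9e8]
/etc/httpd/modules/mod_auth_kerb.so[0x2af75ab5520e]
/usr/sbin/httpd.worker(ap_run_check_user_id+0x72)[0x2af7504a3652]
======= Memory map: ========
"""

EXIT_RE = re.compile(r"\[notice\] child pid \d+ exit signal (.+?) \(\d+\)")
GLIBC_RE = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (.+): 0x[0-9a-f]+ \*\*\*")
FRAME_RE = re.compile(r"^(/[^\s(\[]+)(?:\([^)]*\))?\[0x[0-9a-f]+\]$")

def triage(log_text):
    """Count child exits per signal and collect glibc heap-corruption reports."""
    signals, reports, current = Counter(), [], None
    for line in map(str.strip, log_text.splitlines()):
        if (m := EXIT_RE.search(line)):
            signals[m.group(1)] += 1
        elif (m := GLIBC_RE.search(line)):
            current = {"binary": m.group(1), "error": m.group(2), "frames": []}
            reports.append(current)
        elif line.startswith("======= Memory map"):
            current = None  # backtrace section is over
        elif current is not None and (m := FRAME_RE.match(line)):
            current["frames"].append(m.group(1))
    return signals, reports

def blame(report, module_dir="/modules/"):  # assumption: modules load from .../modules/
    """Return (innermost Apache module frame, library frame it called into) or None."""
    frames = report["frames"]
    for i, path in enumerate(frames):
        if module_dir in path:
            return path, (frames[i - 1] if i else None)
    return None

if __name__ == "__main__":
    for r in triage(SAMPLE)[1]:
        print(r["binary"], "|", r["error"], "|", blame(r))
```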
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0078.html