Red Hat Bugzilla – Bug 1158005
OpenLDAP crash in NSS shutdown handling
Last modified: 2016-09-05 10:09:43 EDT
Description of problem:
httpd 2.4 reported a segfault in nss_ShutdownShutdownList. The back trace is :-

Program terminated with signal 11, Segmentation fault.
#0 0x00007f09fc9736f0 in ?? ()
(gdb) bt
#0 0x00007f09fc9736f0 in ?? ()
#1 0x00007f09ffac2774 in nss_ShutdownShutdownList () at nssinit.c:1049
#2 nss_Shutdown () at nssinit.c:1077
#3 0x00007f09ffac2a53 in NSS_ShutdownContext (context=0x7f0a12717f90) at nssinit.c:1214
#4 0x00007f0a006d1616 in Curl_nss_cleanup () at nss.c:980
#5 0x00007f0a006c8e59 in Curl_ssl_cleanup () at sslgen.c:189
#6 0x00007f0a006ba9a5 in curl_global_cleanup () at easy.c:322
#7 0x00007f0a009059b8 in zm_shutdown_curl (type=<optimized out>, module_number=28) at /usr/src/debug/php-5.4.16/ext/curl/interface.c:959
#8 0x00007f0a01ece297 in module_destructor (module=0x7f0a12107190) at /usr/src/debug/php-5.4.16/Zend/zend_API.c:2297
#9 0x00007f0a01ed3595 in zend_hash_apply_deleter (ht=ht@entry=0x7f0a022c7220 <module_registry>, p=0x7f0a12107130) at /usr/src/debug/php-5.4.16/Zend/zend_hash.c:650
#10 0x00007f0a01ed4dc8 in zend_hash_graceful_reverse_destroy (ht=0x7f0a022c7220 <module_registry>) at /usr/src/debug/php-5.4.16/Zend/zend_hash.c:687
#11 0x00007f0a01eccadc in zend_destroy_modules () at /usr/src/debug/php-5.4.16/Zend/zend_API.c:1832
#12 0x00007f0a01ec67ae in zend_shutdown () at /usr/src/debug/php-5.4.16/Zend/zend.c:820
#13 0x00007f0a01e6755b in php_module_shutdown () at /usr/src/debug/php-5.4.16/main/main.c:2367
#14 0x00007f0a01e67619 in php_module_shutdown_wrapper (sapi_globals=<optimized out>) at /usr/src/debug/php-5.4.16/main/main.c:2335
#15 0x00007f0a01f73231 in php_apache_child_shutdown (tmp=<optimized out>) at /usr/src/debug/php-5.4.16/sapi/apache2handler/sapi_apache2.c:398
#16 0x00007f0a0ecc71ae in run_cleanups (cref=<optimized out>) at memory/unix/apr_pools.c:2352
#17 apr_pool_destroy (pool=0x7f0a12337048) at memory/unix/apr_pools.c:814
#18 0x00007f0a0596f21e in clean_child_exit (code=code@entry=0) at prefork.c:218
#19 0x00007f0a0596f6c7 in child_main (child_num_arg=child_num_arg@entry=15) at prefork.c:725
#20 0x00007f0a0596fa26 in make_child (s=0x7f0a11f90348, slot=15) at prefork.c:800
#21 0x00007f0a059706be in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:902
#22 prefork_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized out>) at prefork.c:1090
#23 0x00007f0a0fff30fe in ap_run_mpm (pconf=0x7f0a11f65138, plog=0x7f0a11f92358, s=0x7f0a11f90348) at mpm_common.c:96
#24 0x00007f0a0ffec726 in main (argc=2, argv=0x7fff152a8158) at main.c:777
(gdb)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Found that nssShutdownList.funcs[1].func points to a wrong address.

(gdb) up
#1 0x00007f09ffac2774 in nss_ShutdownShutdownList () at nssinit.c:1049
1049 nssinit.c: No such file or directory.
(gdb) print nssShutdownList.peakFuncs
$1 = 2
(gdb) print nssShutdownList.funcs[0]
$2 = {
  func = 0x7f0a000189a0 <ssl_ShutdownLocks>, <<=== this is OK.
  appData = 0x0
}
(gdb) print nssShutdownList.funcs[1]
$3 = {
  func = 0x7f09fc9736f0, <<============= WRONG!
  appData = 0x0
}
(gdb)

But I have no idea how to find the root cause of why the wrong pointer is stored.
Please supply steps to reproduce, package versions, etc, per the standard bugzilla template.
Created attachment 951337: installed-rpms
Created attachment 1013854: patch v1
The commit below modifies the patch for this bug, so that correct __attribute__ ((destructor)) ordering is used. Incorrect destructor ordering was discovered as a regression reported in bug #1231228.
http://pkgs.devel.redhat.com/cgit/rpms/openldap/commit/?h=rhel-7.2&id=a0cc331d5f354b4aef0669977e164dce3b117463
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2131.html