1288395 – httpd segfault when logrotate invoked

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1288395 - httpd segfault when logrotate invoked

Summary: httpd segfault when logrotate invoked

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	httpd
Sub Component:
Version:	7.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	7.4
Assignee:	Luboš Uhliarik
QA Contact:	Maryna Nalbandian
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1289025 1298243 1420851 1465904 1466370 1473612
TreeView+	depends on / blocked

Reported:	2015-12-04 06:05 UTC by Hisanobu Okuda
Modified:	2021-07-11 16:30 UTC (History)
CC List:	11 users (show)
Fixed In Version:	httpd-2.4.6-80.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 14:45:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Apache Bugzilla	57177	None	None	None	2019-07-17 06:25:40 UTC
Red Hat Knowledge Base (Solution)	3428081	None	None	None	2018-04-30 13:42:03 UTC
Red Hat Product Errata	RHBA-2018:0826	None	None	None	2018-04-10 14:47:51 UTC

Description Hisanobu Okuda 2015-12-04 06:05:49 UTC

Description of problem:
The httpd process dies with segfault when logrotate is invoked.

Version-Release number of selected component (if applicable):
httpd-2.4.6-31.el7_1.1.x86_64
logrotate-3.8.6-4.el7.x86_64

How reproducible:


Steps to Reproduce:
1. run logrotate

Actual results:


Expected results:


Additional info:

Comment 1 Jan Kaluža 2015-12-04 06:44:48 UTC

What other httpd packages do you have installed? It does not happen to me with only "httpd" and "mod_ssl" installed on my system with clean configuration. What's the httpd configuration you use?

Can you get a coredump from crash? The description how to do that is here: https://access.redhat.com/solutions/1467

Comment 2 Hisanobu Okuda 2015-12-04 07:32:40 UTC

Reviewing my costomer's core file, I found the function handler pfn_ap_logio_get_last_bytes has a wrong value. The backtrace is as follows:-


(gdb) bt
#0  0x00007f633cd0ab60 in ?? ()
#1  0x00007f6343b377d2 in ap_increment_counts (sb=0x7f6344a004d0, r=r@entry=0x7f6344a06310) at scoreboard.c:369
...


The function ap_increment_counts is :-


359: AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
360: {
361:     worker_score *ws;
362:     apr_off_t bytes;
363: 
364:     if (!sb)
365:         return;
366: 
367:     ws = &ap_scoreboard_image->servers[sb->child_num][sb->thread_num];
368:     if (pfn_ap_logio_get_last_bytes != NULL) {
369:        bytes = pfn_ap_logio_get_last_bytes(r->connection);


And the handler pfn_ap_logio_get_last_bytes is :-


(gdb) print pfn_ap_logio_get_last_bytes
$9 = (apr_OFN_ap_logio_get_last_bytes_t *) 0x7f633cd0ab60


It looks pfn_ap_logio_get_last_bytes points a head of a valid function, but in fact, it is a wrong value.


(gdb) x 0x7f633cd0ab60
0x7f633cd0ab60: Cannot access memory at address 0x7f633cd0ab60


Calling non-existent memory address killed the process with segfault. This is likely caused by unloading a library which should have a valid function where pfn_ap_logio_get_last_bytes points. The problem is "what is unloaded?".

I attached a debugger to my httpd process using the configs and noticed that pfn_ap_logio_get_last_bytes points the function <ap_logio_get_last_bytes> in mod_logio.so. 
Then I reviewed again the core file, and found pfn_ap_logio_get_last_bytes in the core also points somewhere in mod_logio.so as well:-


(gdb) print pfn_ap_logio_get_last_bytes
$1 = (apr_OFN_ap_logio_get_last_bytes_t *) 0x7f633cd0ab60

(gdb) info sharedlibrary 
From                To                  Syms Read   Shared Object Library
...
0x00007f633cb14a30  0x00007f633cb14de4  Yes         ./etc/httpd/modules/mod_logio.so <===where pfn_ap_logio_get_last_bytes points


The customer is using logrotate command to rotate logs. It invokes `systemctl reload httpd.service`, and `systemctl reload httpd.service` invokes `/usr/sbin/httpd $OPTIONS -k graceful`. Searching for "httpd logrotate segfault", you can find some reports that say the "graceful" command is problematic. In fact, changing `systemctl reload httpd.service` to `systemctl restart httpd.service`, the issue is gone on the customer's setup.

Comment 4 Hisanobu Okuda 2015-12-04 07:46:26 UTC

Jan, honestly to say, I could not reproduce the issue, but theoretically it can happen in the race condition that mod_logio is unloaded during an access is processed. It is caused by unloading mod_logio, you can (theoretically) reproduce the issue without any additional packages.

Comment 5 Jan Kaluža 2015-12-04 08:46:24 UTC

Thanks for the additional information. I've found out this can be fixed by following upstream patch:

https://svn.apache.org/viewvc?view=revision&revision=1668532

Comment 6 Jan Kaluža 2015-12-04 08:52:53 UTC

There's also follow-up commit:

https://svn.apache.org/viewvc?view=revision&revision=1668553

Comment 21 errata-xmlrpc 2018-04-10 14:45:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0826

Note You need to log in before you can comment on or make changes to this bug.