Bug 1305843 - Apache HTTPD core-dumps with mod_security enabled
Apache HTTPD core-dumps with mod_security enabled
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_security (Show other bugs)
7.2
x86_64 Linux
unspecified Severity high
: rc
: ---
Assigned To: Daniel Kopeček
BaseOS QE - Apps
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-09 06:34 EST by Gerd
Modified: 2017-07-25 11:52 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Core dump logged by Apache (3.49 MB, application/x-gzip)
2016-02-09 06:34 EST, Gerd
no flags Details
HTTP trace of core-dump (272.06 KB, application/zip)
2016-04-13 03:46 EDT, Gerd
no flags Details

  None (edit)
Description Gerd 2016-02-09 06:34:28 EST
Created attachment 1122388 [details]
Core dump logged by Apache

Description of problem:
With mod_security enabled, Apache HTTP core-dumps with error [core:notice] [pid 14657] AH00051: child pid 14658 exit signal Segmentation fault (11), possible coredump in /data/pickup

This only happens when accessing images within a PHP application. Regular content (CSS / JS) seems to be fine.

Version-Release number of selected component (if applicable):
- CentOS Linux release 7.2.1511 (Core) 
- Linux 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations


How reproducible:
Enable mod_security as the module and then do a wget of an image.

Steps to Reproduce:
1.
2.
3.

Actual results:
Core dump - see attached files

Expected results:


Additional info:
Comment 2 Gerd 2016-02-09 06:47:13 EST
The only two work-arounds are to either disable the loading of mod_security or have the following rule to bypass it for images:

  # Temporary fix - we switch off images as Apache crashes serving images
  SecRule REQUEST_URI "@beginsWith /frontend/assets/files/" id:02001,phase:1,nolog,allow,ctl:ruleEngine=Off
Comment 3 Gerd 2016-02-11 01:42:55 EST
For completeness - version information:
[Wed Feb 10 07:53:55.176771 2016] [mpm_prefork:notice] [pid 48108] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Feb 10 07:53:55.176841 2016] [core:notice] [pid 48108] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Feb 10 07:59:25.733760 2016] [mpm_prefork:notice] [pid 48108] AH00170: caught SIGWINCH, shutting down gracefully
[Wed Feb 10 07:59:29.185432 2016] [:notice] [pid 48299] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Wed Feb 10 07:59:29.185556 2016] [:notice] [pid 48299] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[Wed Feb 10 07:59:29.185564 2016] [:notice] [pid 48299] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
[Wed Feb 10 07:59:29.185567 2016] [:notice] [pid 48299] ModSecurity: LUA compiled version="Lua 5.1"
[Wed Feb 10 07:59:29.185569 2016] [:notice] [pid 48299] ModSecurity: LIBXML compiled version="2.9.1"
Comment 5 Jon Masters 2016-04-12 12:33:42 EDT
I've not seen this. Would it be possible to get a full backtrace of the crash? To do this, run the httpd directly:

1). Stop HTTPD (Apache).
2). Start under strace:
    # strace -fFvxxx -o httpd.txt /usr/sbin/httpd -D FOREGROUND
3). Reproduce the crash and send the httpd.txt file
Comment 7 Gerd 2016-04-13 03:46 EDT
Created attachment 1146731 [details]
HTTP trace of core-dump

@Jon - I have just added a trace - the dumps logged in error.log were:

[Wed Apr 13 09:44:10.665513 2016] [core:notice] [pid 32798] AH00052: child pid 32799 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665817 2016] [core:notice] [pid 32798] AH00052: child pid 32800 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665904 2016] [core:notice] [pid 32798] AH00052: child pid 32801 exit signal Segmentation fault (11)
[Wed Apr 13 09:45:48.775185 2016] [core:notice] [pid 32798] AH00052: child pid 32803 exit signal Segmentation fault (11)
Comment 8 John Feeney 2016-04-21 12:57:47 EDT
What arch does this fail on? The Hardware field says AArch64 but the comment has a reference to "Linux 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux". If it fails on both, that would improve the significance of this bz but it is not very clear where it fails.
Comment 9 Gerd 2016-04-21 13:08:33 EDT
It fails on CentOS Linux release 7.2.1511 (Core)

Linux 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Comment 10 John Feeney 2016-04-21 19:16:58 EDT
Okay, thanks.

So there is no AArch64 element here, right? I will modify the Hardware field to reflect this.
Comment 11 Gerd 2016-04-21 23:43:29 EDT
(In reply to John Feeney from comment #10)
> Okay, thanks.
> 
> So there is no AArch64 element here, right? I will modify the Hardware field
> to reflect this.

Yes, this is correct. I changed it to x86_64.

Note You need to log in before you can comment on or make changes to this bug.