Bug 1305843 - Apache HTTPD core-dumps with mod_security enabled
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_security
Version: 7.2
Hardware: x86_64, OS: Linux
Priority: unspecified, Severity: high
: rc
: ---
Assigned To: Marek Tamaskovic
BaseOS QE - Apps
: Triaged
Depends On:
Blocks:
Reported: 2016-02-09 06:34 EST by Gerd
Modified: 2017-08-30 07:58 EDT

Last Closed: 2017-08-30 07:58:08 EDT
Type: Bug

Attachments
Core dump logged by Apache (3.49 MB, application/x-gzip), 2016-02-09 06:34 EST, Gerd
HTTP trace of core-dump (272.06 KB, application/zip), 2016-04-13 03:46 EDT, Gerd

Description Gerd 2016-02-09 06:34:28 EST
Created attachment 1122388
Core dump logged by Apache

Description of problem:
With mod_security enabled, Apache HTTP core-dumps with error:

  [core:notice] [pid 14657] AH00051: child pid 14658 exit signal Segmentation fault (11), possible coredump in /data/pickup

This only happens when accessing images within a PHP application. Regular content (CSS / JS) seems to be fine.

Version-Release number of selected component (if applicable):
- CentOS Linux release 7.2.1511 (Core) 
- Linux 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations


How reproducible:
Enable mod_security as the module and then do a wget of an image.

Steps to Reproduce:
1.
2.
3.

Actual results:
Core dump - see attached files

Expected results:


Additional info:
Comment 2 Gerd 2016-02-09 06:47:13 EST
The only two work-arounds are to either disable the loading of mod_security or have the following rule to bypass it for images:

  # Temporary fix - we switch off images as Apache crashes serving images
  SecRule REQUEST_URI "@beginsWith /frontend/assets/files/" id:02001,phase:1,nolog,allow,ctl:ruleEngine=Off
Comment 3 Gerd 2016-02-11 01:42:55 EST
For completeness - version information:
[Wed Feb 10 07:53:55.176771 2016] [mpm_prefork:notice] [pid 48108] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Feb 10 07:53:55.176841 2016] [core:notice] [pid 48108] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Feb 10 07:59:25.733760 2016] [mpm_prefork:notice] [pid 48108] AH00170: caught SIGWINCH, shutting down gracefully
[Wed Feb 10 07:59:29.185432 2016] [:notice] [pid 48299] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Wed Feb 10 07:59:29.185556 2016] [:notice] [pid 48299] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[Wed Feb 10 07:59:29.185564 2016] [:notice] [pid 48299] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
[Wed Feb 10 07:59:29.185567 2016] [:notice] [pid 48299] ModSecurity: LUA compiled version="Lua 5.1"
[Wed Feb 10 07:59:29.185569 2016] [:notice] [pid 48299] ModSecurity: LIBXML compiled version="2.9.1"
Comment 5 Jon Masters 2016-04-12 12:33:42 EDT
I've not seen this. Would it be possible to get a full backtrace of the crash? To do this, run the httpd directly:

1). Stop HTTPD (Apache).
2). Start under strace:
    # strace -fFvxxx -o httpd.txt /usr/sbin/httpd -D FOREGROUND
3). Reproduce the crash and send the httpd.txt file
Comment 7 Gerd 2016-04-13 03:46 EDT
Created attachment 1146731
HTTP trace of core-dump

@Jon - I have just added a trace - the dumps logged in error.log were:

[Wed Apr 13 09:44:10.665513 2016] [core:notice] [pid 32798] AH00052: child pid 32799 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665817 2016] [core:notice] [pid 32798] AH00052: child pid 32800 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665904 2016] [core:notice] [pid 32798] AH00052: child pid 32801 exit signal Segmentation fault (11)
[Wed Apr 13 09:45:48.775185 2016] [core:notice] [pid 32798] AH00052: child pid 32803 exit signal Segmentation fault (11)
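
Added example (not part of the original report, and not Apache or ModSecurity code): a Python parser for the AH00051/AH00052 child-crash notices quoted in this bug, which also flags bursts of segfaults under one parent process. The function names, the 5-second gap and the threshold of 3 are assumptions, and the first sample line carries a constructed timestamp.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Parent notices for a crashed child: AH00052, or AH00051 with a coredump dir.
CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+)\] "
    r"(?P<code>AH0005[12]): child pid (?P<child>\d+) exit signal "
    r"(?P<signame>.+?) \((?P<signo>\d+)\)"
    r"(?:, possible coredump in (?P<coredir>\S+))?$"
)

# Line 1: description's message, constructed timestamp. Lines 3-6: comment 7.
SAMPLE_LOG = """\
[Tue Feb 09 12:00:00.000000 2016] [core:notice] [pid 14657] AH00051: child pid 14658 exit signal Segmentation fault (11), possible coredump in /data/pickup
[Wed Feb 10 07:59:29.185432 2016] [:notice] [pid 48299] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Wed Apr 13 09:44:10.665513 2016] [core:notice] [pid 32798] AH00052: child pid 32799 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665817 2016] [core:notice] [pid 32798] AH00052: child pid 32800 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665904 2016] [core:notice] [pid 32798] AH00052: child pid 32801 exit signal Segmentation fault (11)
[Wed Apr 13 09:45:48.775185 2016] [core:notice] [pid 32798] AH00052: child pid 32803 exit signal Segmentation fault (11)
"""

def parse_crashes(lines):
    """Return one dict per child-crash notice; unrelated lines are skipped."""
    events = []
    for m in filter(None, (CRASH_RE.match(line.strip()) for line in lines)):
        ev = m.groupdict()  # coredir is None for AH00052 lines
        ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S.%f %Y")
        ev.update({k: int(ev[k]) for k in ("parent", "child", "signo")})
        events.append(ev)
    return events

def crash_bursts(events, max_gap=timedelta(seconds=5), threshold=3):
    """Per parent pid, report runs of >= threshold crashes spaced <= max_gap."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_parent[ev["parent"]].append(ev)
    bursts = []
    for parent, evs in by_parent.items():
        cluster = [evs[0]]
        for ev in evs[1:] + [None]:  # trailing None flushes the last cluster
            if ev is not None and ev["ts"] - cluster[-1]["ts"] <= max_gap:
                cluster.append(ev)
                continue
            if len(cluster) >= threshold:
                bursts.append((parent, cluster[0]["ts"], [e["child"] for e in cluster]))
            cluster = [ev]
    return bursts

print(crash_bursts(parse_crashes(SAMPLE_LOG.splitlines())))
```

On the sample, the three children that died within the same millisecond under parent 32798 form one burst; the crash about 98 seconds later and the single AH00051 event do not.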
Comment 8 John Feeney 2016-04-21 12:57:47 EDT
What arch does this fail on? The Hardware field says AArch64 but the comment has a reference to "Linux 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux". If it fails on both, that would improve the significance of this bz but it is not very clear where it fails.
Comment 9 Gerd 2016-04-21 13:08:33 EDT
It fails on CentOS Linux release 7.2.1511 (Core)

Linux 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Comment 10 John Feeney 2016-04-21 19:16:58 EDT
Okay, thanks.

So there is no AArch64 element here, right? I will modify the Hardware field to reflect this.
Comment 11 Gerd 2016-04-21 23:43:29 EDT
(In reply to John Feeney from comment #10)
> Okay, thanks.
> 
> So there is no AArch64 element here, right? I will modify the Hardware field
> to reflect this.

Yes, this is correct. I changed it to x86_64.
Comment 12 Marek Tamaskovic 2017-08-30 07:46:26 EDT
I am trying to reproduce that error. I already installed all the packages you listed and tried to download an image from the server without a PHP application, and everything works. Can you specify which PHP application you are using, or give any more details?
Comment 13 Tech Suport @bidorbuy 2017-08-30 07:53:38 EDT
(In reply to Marek Tamaskovic from comment #12)
> I am trying to reproduce that error. I already installed all the packages
> you listed and tried to download an image from the server without a PHP
> application, and everything works. Can you specify which PHP application you
> are using, or give any more details?

Hi there,

I am sorry to say that we are not running this stack any more and moved on from Apache to NGINX because of the issue - this was already done last year.

I gave up monitoring this bug from May 2016 and I am a bit surprised that it took almost 14 months for someone to review the bug-submission.

I think you need to close the bug as it will be impossible for me to set up an environment replicating it.
