Bug 1305843 - Apache HTTPD core-dumps with mod_security enabled
Summary: Apache HTTPD core-dumps with mod_security enabled
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_security
Version: 7.2
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
Assignee: Marek Tamaskovic
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-09 11:34 UTC by Gerd
Modified: 2017-08-30 11:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-30 11:58:08 UTC
Target Upstream Version:
Embargoed:


Attachments
Core dump logged by Apache (3.49 MB, application/x-gzip)
2016-02-09 11:34 UTC, Gerd
HTTP trace of core-dump (272.06 KB, application/zip)
2016-04-13 07:46 UTC, Gerd

Description Gerd 2016-02-09 11:34:28 UTC
Created attachment 1122388 [details]
Core dump logged by Apache

Description of problem:
With mod_security enabled, Apache HTTP core-dumps with error [core:notice] [pid 14657] AH00051: child pid 14658 exit signal Segmentation fault (11), possible coredump in /data/pickup

This only happens when accessing images within a PHP application. Regular content (CSS / JS) seems to be fine.

Version-Release number of selected component (if applicable):
- CentOS Linux release 7.2.1511 (Core) 
- Linux 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations


How reproducible:
Enable mod_security as the module and then do a wget of an image.

Steps to Reproduce:
1.
2.
3.

Actual results:
Core dump - see attached files

Expected results:


Additional info:

Comment 2 Gerd 2016-02-09 11:47:13 UTC
The only two work-arounds are to either disable the loading of mod_security or have the following rule to bypass it for images:

  # Temporary fix - we switch off images as Apache crashes serving images
  SecRule REQUEST_URI "@beginsWith /frontend/assets/files/" id:02001,phase:1,nolog,allow,ctl:ruleEngine=Off
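
The rule above switches the rule engine off for every request whose URI starts with the prefix, not only for image fetches. The following is an added example, not part of the original comment, that audits request lines for uses of that exemption other than a plain image read. It models the rule as an untransformed prefix match (an assumption), and the extension list and sample requests are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit

EXEMPT_PREFIX = "/frontend/assets/files/"  # prefix from the rule in comment 2
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")  # assumed; use the site's real list

# Constructed (method, request URI) pairs, as they would appear in an access log
SAMPLE_REQUESTS = [
    ("GET", "/frontend/assets/files/logo.png"),
    ("GET", "/frontend/css/site.css"),
    ("GET", "/frontend/assets/files/../../index.php?id=1"),
    ("POST", "/frontend/assets/files/upload.php"),
    ("GET", "/frontend/assets/files/report.php?id=1"),
]

def exemption_matches(uri):
    """Model of the workaround: prefix test on the URI exactly as received.
    Assumes no transformation functions are applied to REQUEST_URI."""
    return uri.startswith(EXEMPT_PREFIX)

def resolved_path(uri):
    """Drop the query string, percent-decode, then collapse ./ and ../ segments."""
    return posixpath.normpath(unquote(urlsplit(uri).path))

def audit_exempted(requests):
    """Return (method, uri, reason) for exempted requests that are not image reads."""
    findings = []
    for method, uri in requests:
        if not exemption_matches(uri):
            continue  # still inspected by the rule engine
        path = resolved_path(uri)
        if not (path + "/").startswith(EXEMPT_PREFIX):
            reason = "resolves outside the exempted directory"
        elif method not in ("GET", "HEAD"):
            reason = "method other than GET/HEAD"
        elif not path.lower().endswith(IMAGE_EXTS):
            reason = "not an image file"
        else:
            continue  # the case the workaround was meant for
        findings.append((method, uri, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_exempted(SAMPLE_REQUESTS):
        print(*finding, sep="  ")
```

Any finding is a request that reached the application with no ModSecurity inspection while the workaround was in place.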

Comment 3 Gerd 2016-02-11 06:42:55 UTC
For completeness - version information:
[Wed Feb 10 07:53:55.176771 2016] [mpm_prefork:notice] [pid 48108] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Feb 10 07:53:55.176841 2016] [core:notice] [pid 48108] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Feb 10 07:59:25.733760 2016] [mpm_prefork:notice] [pid 48108] AH00170: caught SIGWINCH, shutting down gracefully
[Wed Feb 10 07:59:29.185432 2016] [:notice] [pid 48299] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Wed Feb 10 07:59:29.185556 2016] [:notice] [pid 48299] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[Wed Feb 10 07:59:29.185564 2016] [:notice] [pid 48299] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
[Wed Feb 10 07:59:29.185567 2016] [:notice] [pid 48299] ModSecurity: LUA compiled version="Lua 5.1"
[Wed Feb 10 07:59:29.185569 2016] [:notice] [pid 48299] ModSecurity: LIBXML compiled version="2.9.1"

Comment 5 Jon Masters 2016-04-12 16:33:42 UTC
I've not seen this. Would it be possible to get a full backtrace of the crash? To do this, run the httpd directly:

1). Stop HTTPD (Apache).
2). Start under strace:
    # strace -fFvxxx -o httpd.txt /usr/sbin/httpd -D FOREGROUND
3). Reproduce the crash and send the httpd.txt file

Comment 7 Gerd 2016-04-13 07:46:50 UTC
Created attachment 1146731 [details]
HTTP trace of core-dump

@Jon - I have just added a trace - the dumps logged in error.log were:

[Wed Apr 13 09:44:10.665513 2016] [core:notice] [pid 32798] AH00052: child pid 32799 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665817 2016] [core:notice] [pid 32798] AH00052: child pid 32800 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665904 2016] [core:notice] [pid 32798] AH00052: child pid 32801 exit signal Segmentation fault (11)
[Wed Apr 13 09:45:48.775185 2016] [core:notice] [pid 32798] AH00052: child pid 32803 exit signal Segmentation fault (11)
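
Repeated child segfaults under one parent, as in the lines above, are worth alerting on because each one is a dropped request on a server fronted by a WAF module. The following is an added example, not part of the original comment, that parses the AH00051/AH00052 notices and reports bursts per parent process. The 60-second window and threshold of 3 are assumed values.

```python
import re
from datetime import datetime, timedelta

# AH00051 carries a core-dump directory, AH00052 does not (both appear in this bug)
CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+)\] AH0005[12]: "
    r"child pid (?P<child>\d+) exit signal (?P<signal>.+?) \((?P<signo>\d+)\)"
    r"(?:, possible coredump in (?P<coredir>\S+))?")

# Log lines copied from comments 3 and 7 of this bug
SAMPLE_LOG = """\
[Wed Feb 10 07:53:55.176841 2016] [core:notice] [pid 48108] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Apr 13 09:44:10.665513 2016] [core:notice] [pid 32798] AH00052: child pid 32799 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665817 2016] [core:notice] [pid 32798] AH00052: child pid 32800 exit signal Segmentation fault (11)
[Wed Apr 13 09:44:10.665904 2016] [core:notice] [pid 32798] AH00052: child pid 32801 exit signal Segmentation fault (11)
[Wed Apr 13 09:45:48.775185 2016] [core:notice] [pid 32798] AH00052: child pid 32803 exit signal Segmentation fault (11)
""".splitlines()

def parse_crashes(lines):
    """Return one dict per child-crash notice; other log lines are skipped."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            crashes.append({
                "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
                "parent": int(m["parent"]), "child": int(m["child"]),
                "signo": int(m["signo"]), "coredir": m["coredir"]})
    return crashes

def crash_bursts(crashes, window=timedelta(seconds=60), threshold=3):
    """Return (parent_pid, first_crash_time, count) for each run of at least
    `threshold` child crashes under one parent within `window`."""
    by_parent = {}
    for c in crashes:
        by_parent.setdefault(c["parent"], []).append(c["time"])
    bursts = []
    for parent, times in sorted(by_parent.items()):
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append((parent, times[i], j - i + 1))
            i = j + 1 if j - i + 1 >= threshold else i + 1
    return bursts
```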

Comment 8 John Feeney 2016-04-21 16:57:47 UTC
What arch does this fail on? The Hardware field says AArch64 but the comment has a reference to "Linux 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux". If it fails on both, that would improve the significance of this bz but it is not very clear where it fails.

Comment 9 Gerd 2016-04-21 17:08:33 UTC
It fails on CentOS Linux release 7.2.1511 (Core)

Linux 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Comment 10 John Feeney 2016-04-21 23:16:58 UTC
Okay, thanks.

So there is no AArch64 element here, right? I will modify the Hardware field to reflect this.

Comment 11 Gerd 2016-04-22 03:43:29 UTC
(In reply to John Feeney from comment #10)
> Okay, thanks.
> 
> So there is no AArch64 element here, right? I will modify the Hardware field
> to reflect this.

Yes, this is correct. I changed it to x86_64.

Comment 12 Marek Tamaskovic 2017-08-30 11:46:26 UTC
I am trying to reproduce that error. I already installed all the packages you wrote and tried to download an image from the server without a PHP application, and everything works. Can you specify which PHP application you are using, or any more details?

Comment 13 Tech Suport @bidorbuy 2017-08-30 11:53:38 UTC
(In reply to Marek Tamaskovic from comment #12)
> I am trying to reproduce that error. I already installed all the packages
> you wrote and tried to download an image from the server without a PHP
> application, and everything works. Can you specify which PHP application you
> are using, or any more details?

Hi there,

I am sorry to say that we are not running this stack any more and moved on from Apache to NGINX because of the issue - this was already done last year.

I gave up monitoring this bug from May 2016 and I am a bit surprised that it took almost 14 months for someone to review the bug-submission.

I think you need to close the bug as it will be impossible for me to set up an environment replicating it.

