| Author |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
 Posted: Fri 20 Feb '15 5:53 Post subject: Segmentation Fault on Custom 413 |
 |
|
First, I added the following lines to my .htaccess file:
| Code: | ErrorDocument 413 /413.php
# Limit Transfers from client 1MB
LimitRequestBody 1048576 |
The content of 413.php is:
| Code: | $sBody="The requested resource does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.";
$sHtm="<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>413 Request Entity Too Large</h1>
$sBody</body></html>";
echo $sHtm;
|
When I try to upload a 2.3MB image, the following setup works and 413.php is displayed.
Then, I modify my 413.php by adding just one line at the top:
| Code: | if(!defined('_HttpERR_')) define('_HttpERR_',413);
$sBody="The requested resource does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.";
$sHtm="<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>413 Request Entity Too Large</h1>
$sBody</body></html>";
echo $sHtm; |
I get a "Connection reset" notification instead of my custom 413.php and /var/log/apache2/error.log contains
| Code: |
[core:notice] [pid 1951] AH00051: child pid 24179 exit signal Segmentation fault (11), possible coredump in /etc/apache2 |
How do I resolve this?
Thank you.
PS: I am running Apache 2.4 with PHP 5.6 on Ubuntu 12.04 LTS |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Sat 21 Feb '15 9:59 Post subject: |
|
|
| Enable the PHP error log in your php.ini and see what causes PHP to crash. |
|
| Back to top |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
| Posted: Sun 22 Feb '15 3:06 Post subject: |
|
|
I do have log_errors=On and error_log=logFile both in php.ini and in the php code itself using the ini_set() function.
However, in this case there are no errors logged by PHP, jut the segmentation error in the Apache log. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Tue 24 Feb '15 11:12 Post subject: |
|
|
| Do you have the core dump? |
|
| Back to top |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
| Posted: Wed 25 Feb '15 0:23 Post subject: |
|
|
No I don't. I've seen several forums explaining how to generate it. Many say I need to recompile apache to get the dump.
Would you be able to point the best resource explaining how to do this? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Thu 26 Feb '15 19:27 Post subject: |
|
|
As far as I know you don't need to recompile apache.
Just configure the path like
| Code: | CoreDumpDirectory /tmp/mycoredump
|
mkdir -p /tmp/mycoredump
chmod the permission to 0777 for that folder.
restart apache.
However: For such reasons on windows most / many apacheloung user use PHP over fcgid. I use that on Linux,too. So PHP does not crash my apache  |
|
| Back to top |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
| Posted: Thu 05 Mar '15 18:10 Post subject: |
|
|
Sorry for the late reply.
Did the following:
- Added CoreDumpDirectory /tmp/apacheDump to apache2.conf
- mkdir -p /tmp/apacheDump
- chmod 777 /tmp/apacheDump
- Restarted apache
Reproduced the error.
In error.log, I have the following line:
| Code: | | AH00051: child pid 11245 exit signal Segmentation fault (11), possible coredump in /tmp/apacheDump |
But /tmp/apacheDump is empty |
|
| Back to top |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
| Posted: Thu 05 Mar '15 19:23 Post subject: |
|
|
Tried to follow the instructions in the following post:
http://sysadmin.carlusgg.com/?p=197
Installed apache2-dbg and php5-dbg
But still no dump ... |
|
| Back to top |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
| Posted: Thu 05 Mar '15 19:29 Post subject: |
|
|
Also tried the following post:
https://stackoverflow.com/questions/7745578/notice-child-pid-xxxx-exit-signal-segmentation-fault-11-in-apache-error-lo
| Code: |
# ps aux | egrep 'apache2|PID'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 16651 0.0 0.7 152164 18356 ? Ss 11:51 0:00 /usr/sbin/apache2 -k start
www-data 16659 0.0 0.0 24260 2536 ? S 11:51 0:00 /usr/sbin/apache2 -k start
www-data 16676 0.0 0.2 152268 6492 ? S 11:51 0:00 /usr/sbin/apache2 -k start
www-data 16677 0.0 0.2 152268 6492 ? S 11:51 0:00 /usr/sbin/apache2 -k start
www-data 16678 0.0 0.2 152196 5364 ? S 11:51 0:00 /usr/sbin/apache2 -k start
www-data 16679 0.0 0.2 152196 5364 ? S 11:51 0:00 /usr/sbin/apache2 -k start
www-data 17380 0.0 0.2 152196 5364 ? S 11:52 0:00 /usr/sbin/apache2 -k start
root 26349 0.0 0.0 4384 748 pts/2 S+ 12:02 0:00 egrep apache2|PID |
| Code: | # gdb
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
(gdb) attach 16651
Attaching to process 16651
|
Reproduced the error and ran:
| Code: | (gdb) backtrace full
#0 0x00b4d416 in __kernel_vsyscall ()
No symbol table info available.
#1 0x0022b8e1 in select () from /lib/i386-linux-gnu/libc.so.6
No symbol table info available.
#2 0x00136cce in apr_sleep () from /usr/lib/i386-linux-gnu/libapr-1.so.0
No symbol table info available.
#3 0x007f37aa in ap_wait_or_timeout (status=0xbfed8548, exitcode=0xbfed854c, ret=0xbfed8538, p=0xb7797018,
s=0xb776fbb0) at mpm_common.c:199
rv = <optimized out>
#4 0x00c06a02 in prefork_run (_pconf=0xb7797018, plog=0xb776b018, s=0xb776fbb0) at prefork.c:1006
status = 11
pid = {pid = -1, in = 0x12a01e, out = 0x22293008, err = 0x83f958}
child_slot = <optimized out>
exitwhy = 6
processed_status = <optimized out>
index = <optimized out>
remaining_children_to_start = 0
rv = <optimized out>
#5 0x007f2bbe in ap_run_mpm (pconf=0xb7797018, plog=0xb776b018, s=0xb776fbb0) at mpm_common.c:96
pHook = <optimized out>
n = <optimized out>
rv = -1
#6 0x007eb57d in main (argc=3, argv=0xbfed86f4) at main.c:777
c = 0 '\000'
showcompile = 0
showdirectives = 0
confname = 0x8357d8 "apache2.conf"
def_server_root = 0x8357cb "/etc/apache2"
temp_error_log = 0x0
error = <optimized out># gdb
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>.
(gdb) attach 16651
Attaching to process 16651
process = 0xb7797018
pconf = 0xb7797018
plog = 0xb776b018
---Type <return> to continue, or q <return> to quit---
ptemp = 0xb7767018
pcommands = 0xb7771018
opt = 0xb77710b8
rv = <optimized out>
mod = <optimized out>
opt_arg = 0x835430 "UWVS\350\316c\373\377\201\303\177\335\001"
signal_server = <optimized out>
|
What is the best way to make sense of this?
Thank you. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Mon 16 Mar '15 12:24 Post subject: |
|
|
For having the correct data, you need to reduce apache to a single process
| Code: | StartServers 1
MinSpareServers 1
MaxSpareServers 1 |
|
|
| Back to top |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
|
| Back to top |
|
gmoniker
Joined: 22 Mar 2015
Posts: 3
Location: Netherlands
|
| Posted: Sun 22 Mar '15 23:11 Post subject: Coredumps Ubuntu and segfault PHP |
|
|
Hello Balia,
Coredumps on Ubuntu 12.04 can get intercepted by the apport program. You can see if something like apport is set by doing:
| Code: | | cat /proc/sys/kernel/core_pattern |
If there is something like this:
| Code: | | |/usr/share/apport/apport %p %s %c %P |
Then the dumps will be stored in /var/crash in apport format. You can unpack those with
You can also use and check these:
| Code: | kernel.core_uses_pid = 1
kernel.core_pattern = /tmp/core-%e-%s-%u-%g-%p-%t
fs.suid_dumpable = 2 |
|
|
| Back to top |
|
gmoniker
Joined: 22 Mar 2015
Posts: 3
Location: Netherlands
|
| Posted: Sun 22 Mar '15 23:47 Post subject: Segfault on 413 |
|
|
It just so happens that I have been looking into the Apache handler for PHP after having some segfaults in a different situation, see https://bugs.php.net/bug.php?id=68486 for that.
Basically what happens, is the PHP handler in the case of 413 errors that happened when you called a PHP script tries to reuse the execution engine that was started for that first script. The reasoning will have been that it was needed to avoid throwing a 413 error all over again and ending up with a precooked Apache error message. And maybe this was true sometime in the past.
But the script that you install as the ErrorDocument for 413 is then starting in an improper environment. Adding symbols just about succeeds and calling echo, but anything that introspects the symbol table like your call to defined() will crash the execution environment.
You will see that it does function if you call some static html and cause a 413.
The patch that is available at the bug report I mentioned will solve the segfault for this case also.
However there still is another thing which makes Entity too large in Apache 2.4 very strange if PHP is active. If you call a php script with too large a request body for example, it will show the ErrorDocument whatever it is, but then goes on to happily run your PHP script. Even though the request body is unset, this seems unwanted behaviour to me and it doesn't happen if you call a static html file or in any of those cases with Apache 2.2. Nor does it happen with a header that is too long.
So, in short with Apache 2.4 and PHP you cannot depend on a LimitRequestBody to stop PHP from running, and you can experience segfaults when you call a PHP script and set a PHP script as 413 handler (In Apache 2.2 as well). |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU
|
|
| Back to top |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
| Posted: Fri 17 Apr '15 18:40 Post subject: |
|
|
Thank you for all the responses and very sorry for the delay in processing them.
[James Blond]
I stopped apache2 : service apache2 stop
| Code: | # /usr/sbin/apache2 -X
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00543: apache2: bad user name ${APACHE_RUN_USER} |
Apache fails to start
The same happens if I remove -X BTW
How do I start apache with the -X option?
[gmoniker]
| Code: | # cat /etc/default/apport
# set this to 0 to disable apport, or to 1 to enable it
# you can temporarily override this with
# sudo service apport start force_start=1
enabled=1
# cat /proc/sys/kernell/core_pattern
cat: /proc/sys/kernell/core_pattern: No such file or directory |
core_pattern is missing
I went to http://wiki.ubuntu.com/Apport for further instructions.
Added a hash symbol # in the beginning of the following line:
'problem_types': ['Bug', 'Package'],
| Code: | # ls /var/crash
total 0
|
Tried to reproduce the crash, but still no dump.
What's next?
https://bugs.php.net/bug.php?id=68486
I get the message: "This bug report is marked as private."
[Jan-E]
https://bugs.php.net/patch-display.php?bug_id=68486&patch=sapi_apache2.gmoniker.patch&revision=latest
ERROR: You have no access to bug #68486
Went to: http://www.apachelounge.com/viewtopic.php?t=6359
Not sure I fully understand what the builds are for... |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU
|
|
| Back to top |
|
balia
Joined: 19 Jan 2015
Posts: 12
|
| Posted: Tue 21 Jul '15 6:04 Post subject: |
|
|
Sorry; this issue on the back burner for a while.
Looking at it again, I updated PHP from v5.6.6 to v5.6.10.
This did not resolve anything: the segmentation fault didn't disappear.
I resolved the issue as follows:
Reading through the Apache documentation gave me some clues.
http://httpd.apache.org/docs/2.2/custom-error.html
Unlike 404, 413.php was not a replacement script for the original script (in the case of a 404 error, there is obviously no original script).
When 413.php ends, execution doesn't stop there.
The original uploading script is called again (when no segmentation fault occurs).
$_POST and $_FILE are empty, and there is no obvious ways for the original script to know that an error occurred.
In addition nothing in the environment variables points to an error.
413.php is just provided as a replacement for the built-in 413 error message.
It allows to echo a different 413 error message at the top of the HTML page, but not much more.
Any non "elementary" code in 413.php generates a segmentation fault.
For example, 413.php doesn't accept any function call.
Calling any function such as define() or any text function results in a segmentation fault.
Only echos and basic assignment operators seem acceptable.
Fortunately, global variables can be defined in 413.php. These global variables can be picked up by the original uploading script.
Another important consideration, is that 413.php must echo something before exiting.
If there are no echos and 413.php ends with exit(); or exit(integer); then a segmentation fault will occur.
I chose to end 413.php with exit(' ');
The blank space seems so far to be a good compromise to prevent the browser from getting in quirk mode.
Obviously, segmentation faults are not the best way to communicate with developers and maybe this can be addressed in the future by the Apache team.
It is not clear why you would restrict non "elementary" PHP code in 413.php and this is not explained in the documentation.
On a last note, for very large files, Firefox keeps trying to upload the file and never returns a 413 error.
See https://github.com/freedomofpress/securedrop/issues/992 |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Wed 22 Jul '15 11:56 Post subject: |
|
|
| balia wrote: |
[James Blond]
I stopped apache2 : service apache2 stop
| Code: | # /usr/sbin/apache2 -X
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[core:warn] [pid 12838] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00543: apache2: bad user name ${APACHE_RUN_USER} |
|
You need to edit /etc/apache2/envvars
e.g.
| Code: |
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
|
the same for the other variables. |
|
| Back to top |
|
