[Pkg-freeipa-devel] Bug#915642: AuthBasicProvider PAM crashes apache

Bernhard Übelacker bernhardu at mailbox.org
Mon Dec 10 17:06:16 GMT 2018 

Dear Maintainer,
I just tried to reproduce and found it crash on service startup when
using the given /etc/apache2/sites-enabled/default.conf.

It looks like here the apache2 process wants to fork and calls the
fork_handlers. Unfortunately one of them belongs to an unloaded module.
Therefore we end up trying to execute unmapped memory.

>From the similar offset I would expect that the first fork_handler belong
to function deinit from libcap-ng.so.0.
The first one 0x7f50c8e0e660 points to the current location of libcap-ng.so.0.
But the second 0x7f50c8e12660 looks like pointing to an unloaded location of libcap-ng.so.0.

This situation looks quite similar to what I tried to collect in bug #914565.
And now that I looked up the bugs for libcap-ng0 this one seems related: #904808.

Kind regards,
Bernhard


#914565 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914565
#904808 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904808


(gdb) bt
#0  0x00007f50c8e12660 in ?? ()
#1  0x00007f50c921470e in __libc_fork () at ../sysdeps/nptl/fork.c:204
#2  0x00007f50c9357875 in apr_proc_detach (daemonize=daemonize at entry=1) at ./threadproc/unix/procsup.c:31
#3  0x00007f50c8b93fc5 in event_pre_config (pconf=0x7f50c90b8028, plog=0x7f50c908c028, ptemp=<optimized out>) at event.c:3416
#4  0x000055e968fd81be in ap_run_pre_config (pconf=0x7f50c90b8028, plog=0x7f50c908c028, ptemp=0x7f50c9090028) at config.c:89
#5  0x000055e968fb3e5f in main (argc=<optimized out>, argv=<optimized out>) at main.c:775

(gdb) up
#2  0x00007f50c9357875 in apr_proc_detach (daemonize=daemonize at entry=1) at ./threadproc/unix/procsup.c:31
31              if ((x = fork()) > 0) {

(gdb) print *__fork_handlers
$1 = {next = 0x7f50c9309998 <fork_handler_pool+56>, prepare_handler = 0x0, parent_handler = 0x0, child_handler = 0x7f50c8e0e660 <deinit>, dso_handle = 0x7f50c93282a0, refcntr = 2, need_signal = 0}
(gdb) print *__fork_handlers->next
$2 = {next = 0x7f50c9309968 <fork_handler_pool+8>, prepare_handler = 0x0, parent_handler = 0x0, child_handler = 0x7f50c8e12660, dso_handle = 0x7f50c93282a0, refcntr = 2, need_signal = 0}
(gdb) print *__fork_handlers->next->next
$3 = {next = 0x0, prepare_handler = 0x0, parent_handler = 0x0, child_handler = 0x7f50c93133d0 <__reclaim_stacks>, dso_handle = 0x0, refcntr = 1, need_signal = 0}

(gdb) info share
>From                To                  Syms Read   Shared Object Library
...
0x00007f50c8e0e560  0x00007f50c8e10419  Yes         /lib/x86_64-linux-gnu/libcap-ng.so.0
...

More information about the Pkg-freeipa-devel mailing list