| 1 |
Hi! |
| 2 |
|
| 3 |
On Fri, Mar 06, 2009 at 07:28:17PM +0200, pageexec@××××××××.hu wrote: |
| 4 |
> it's always the latter ;), i need to make sure it's a PaX problem. |
| 5 |
|
| 6 |
Ok. With this kernel, using pax-linux-2.6.28.7-test19.patch, I was able to |
| 7 |
reproduce issues with apache/php/{ioncube,zendoptimizer} and perl module |
| 8 |
Math::Pari. Amarok doesn't crash. |
| 9 |
|
| 10 |
> i mentioned them quite a few times on the list and bugzilla and the grsec forums, |
| 11 |
> here it is again. first, the coredump: you enable coredumps in your shell |
| 12 |
|
| 13 |
thanks for instructions, here are results: |
| 14 |
|
| 15 |
|
| 16 |
I've tried to recompile perl, apache and php with "debug" USE-flag enabled, |
| 17 |
but looks like ioncube&zendoptimizer don't support php built this way. |
| 18 |
So, only perl & apache was built with "debug" flag. |
| 19 |
|
| 20 |
When I run apache for the first time after reboot - without strace/core, |
| 21 |
just to see is it crash - I got this in kernel log: |
| 22 |
|
| 23 |
2009-03-06_20:48:56.60108 kern.info: apache2[4621]: segfault at |
| 24 |
4d554ed0 ip 4d541399 sp 594130d0 error 7 in ld-2.6.1.so[4d53a000+1a000] |
| 25 |
|
| 26 |
I must note it looks very similar to errors I got previously with this |
| 27 |
issue - segfault always was reported like "error 7 in ld-2.6.1.so". |
| 28 |
|
| 29 |
But all next runs (under strace and with core dumps enabled) doesn't |
| 30 |
produce any error messages in kernel log, which is quite unusual. |
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
# strace -f apache2 -D NO_DETACH -k start -D MANUAL -D DEFLATE -D FASTCGI -D PHP5 -D SSL &>apache2.strace |
| 35 |
# gdb |
| 36 |
(gdb) core /core |
| 37 |
(no debugging symbols found) |
| 38 |
Core was generated by `apache2 -D NO_DETACH -k start -D MANUAL -D DEFLATE -D FASTCGI -D PHP5 -D SSL'. |
| 39 |
Program terminated with signal 11, Segmentation fault. |
| 40 |
[New process 11835] |
| 41 |
#0 0x4ce14399 in ?? () |
| 42 |
(gdb) bt |
| 43 |
#0 0x4ce14399 in ?? () |
| 44 |
#1 0x4ce27000 in ?? () |
| 45 |
#2 0x00000ed4 in ?? () |
| 46 |
#3 0x00000003 in ?? () |
| 47 |
#4 0x00000003 in ?? () |
| 48 |
#5 0x00000004 in ?? () |
| 49 |
#6 0x00000000 in ?? () |
| 50 |
(gdb) x/8i $pc |
| 51 |
0x4ce14399: Cannot access memory at address 0x4ce14399 |
| 52 |
(gdb) x/8x $sp |
| 53 |
0x5a681770: 0x4ce27000 0x00000ed4 0x00000003 0x00000003 |
| 54 |
0x5a681780: 0x00000004 0x00000000 0x00000001 0x4cb5a170 |
| 55 |
(gdb) info reg |
| 56 |
eax 0xffffffff -1 |
| 57 |
ecx 0x4ce27fc4 1289912260 |
| 58 |
edx 0xd 13 |
| 59 |
ebx 0x4ce27fc4 1289912260 |
| 60 |
esp 0x5a681770 0x5a681770 |
| 61 |
ebp 0x5a681890 0x5a681890 |
| 62 |
esi 0x4ce27000 1289908224 |
| 63 |
edi 0xed4 3796 |
| 64 |
eip 0x4ce14399 0x4ce14399 |
| 65 |
eflags 0x10286 [ PF SF IF RF ] |
| 66 |
cs 0x73 115 |
| 67 |
ss 0x7b 123 |
| 68 |
ds 0x7b 123 |
| 69 |
es 0x7b 123 |
| 70 |
fs 0x0 0 |
| 71 |
gs 0x33 51 |
| 72 |
|
| 73 |
|
| 74 |
|
| 75 |
# vi /etc/php/apache2-php5/php.ini ### disable ioncube |
| 76 |
# strace -f apache2 -D NO_DETACH -k start -D MANUAL -D DEFLATE -D FASTCGI -D PHP5 -D SSL &>apache2.strace_zend |
| 77 |
# gdb /usr/sbin/apache2 /core |
| 78 |
This GDB was configured as "i686-pc-linux-gnu"... |
| 79 |
(no debugging symbols found) |
| 80 |
|
| 81 |
warning: Can't read pathname for load map: Input/output error. |
| 82 |
(no debugging symbols found) |
| 83 |
Loaded symbols for /usr/sbin/apache2 |
| 84 |
... |
| 85 |
Reading symbols from /usr/local/Zend/lib/ZendExtensionManager.so...(no debugging symbols found)...done. |
| 86 |
Loaded symbols for /usr/local/Zend/lib/ZendExtensionManager.so |
| 87 |
|
| 88 |
(no debugging symbols found) |
| 89 |
Core was generated by `apache2 -D NO_DETACH -k start -D MANUAL -D DEFLATE -D FASTCGI -D PHP5 -D SSL'. |
| 90 |
Program terminated with signal 11, Segmentation fault. |
| 91 |
[New process 31217] |
| 92 |
#0 0x51015399 in ?? () from /lib/ld-linux.so.2 |
| 93 |
(gdb) bt |
| 94 |
#0 0x51015399 in ?? () from /lib/ld-linux.so.2 |
| 95 |
#1 0x51028000 in ?? () |
| 96 |
#2 0x00000ed4 in ?? () |
| 97 |
#3 0x00000003 in ?? () |
| 98 |
#4 0x5d5cf82c in ?? () |
| 99 |
#5 0x00000004 in ?? () |
| 100 |
#6 0x00000000 in ?? () |
| 101 |
(gdb) x/8i $pc |
| 102 |
0x51015399 <free@plt+27445>: orl $0x7,-0xf4(%ebx) |
| 103 |
0x510153a0 <free@plt+27452>: mov $0x1,%ecx |
| 104 |
0x510153a5 <free@plt+27457>: mov %ecx,0x8(%esp) |
| 105 |
0x510153a9 <free@plt+27461>: mov %edi,0x4(%esp) |
| 106 |
0x510153ad <free@plt+27465>: mov %esi,(%esp) |
| 107 |
0x510153b0 <free@plt+27468>: call 0x51022e80 |
| 108 |
0x510153b5 <free@plt+27473>: jmp 0x5101505c <free@plt+26616> |
| 109 |
0x510153ba <free@plt+27478>: xor %ecx,%ecx |
| 110 |
(gdb) x/8x $sp |
| 111 |
0x5d5cf800: 0x51028000 0x00000ed4 0x00000003 0x5d5cf82c |
| 112 |
0x5d5cf810: 0x00000004 0x00000000 0x00000001 0x50d5b170 |
| 113 |
(gdb) info reg |
| 114 |
eax 0xffffffff -1 |
| 115 |
ecx 0x51028fc4 1359122372 |
| 116 |
edx 0xd 13 |
| 117 |
ebx 0x51028fc4 1359122372 |
| 118 |
esp 0x5d5cf800 0x5d5cf800 |
| 119 |
ebp 0x5d5cf920 0x5d5cf920 |
| 120 |
esi 0x51028000 1359118336 |
| 121 |
edi 0xed4 3796 |
| 122 |
eip 0x51015399 0x51015399 <free@plt+27445> |
| 123 |
eflags 0x10286 [ PF SF IF RF ] |
| 124 |
cs 0x73 115 |
| 125 |
ss 0x7b 123 |
| 126 |
ds 0x7b 123 |
| 127 |
es 0x7b 123 |
| 128 |
fs 0x0 0 |
| 129 |
gs 0x33 51 |
| 130 |
|
| 131 |
|
| 132 |
|
| 133 |
# ACCEPT_KEYWORDS=~x86 emerge -a math-pari |
| 134 |
|
| 135 |
if I run perl without strace - I got error message in kernel log: |
| 136 |
|
| 137 |
# perl -e 'use Math::Pari;' |
| 138 |
Segmentation fault (core dumped) |
| 139 |
|
| 140 |
2009-03-06_21:31:02.23339 kern.info: perl[17676]: segfault at 4ebd7ed0 |
| 141 |
ip 4ebc4399 sp 58019490 error 7 in ld-2.6.1.so[4ebbd000+1a000] |
| 142 |
|
| 143 |
if I run perl with strace - there will be no messages in kernel log |
| 144 |
|
| 145 |
# strace -f perl -e 'use Math::Pari;' &>perl.strace |
| 146 |
# gdb /usr/bin/perl core |
| 147 |
This GDB was configured as "i686-pc-linux-gnu"... |
| 148 |
(no debugging symbols found) |
| 149 |
|
| 150 |
warning: Can't read pathname for load map: Input/output error. |
| 151 |
(no debugging symbols found) |
| 152 |
Loaded symbols for /usr/bin/perl |
| 153 |
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done. |
| 154 |
Loaded symbols for /lib/libpthread.so.0 |
| 155 |
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done. |
| 156 |
Loaded symbols for /lib/libnsl.so.1 |
| 157 |
Reading symbols from /lib/libdl.so.2... |
| 158 |
(no debugging symbols found)...done. |
| 159 |
Loaded symbols for /lib/libdl.so.2 |
| 160 |
Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done. |
| 161 |
Loaded symbols for /lib/libm.so.6 |
| 162 |
Reading symbols from /lib/libcrypt.so.1... |
| 163 |
(no debugging symbols found)...done. |
| 164 |
Loaded symbols for /lib/libcrypt.so.1 |
| 165 |
Reading symbols from /lib/libutil.so.1...(no debugging symbols found)...done. |
| 166 |
Loaded symbols for /lib/libutil.so.1 |
| 167 |
Reading symbols from /lib/libc.so.6... |
| 168 |
(no debugging symbols found)...done. |
| 169 |
Loaded symbols for /lib/libc.so.6 |
| 170 |
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done. |
| 171 |
Loaded symbols for /lib/ld-linux.so.2 |
| 172 |
Reading symbols from /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Math/Pari/Pari.so... |
| 173 |
(no debugging symbols found)...done. |
| 174 |
Loaded symbols for /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Math/Pari/Pari.so |
| 175 |
(no debugging symbols found) |
| 176 |
Core was generated by `perl -e use Math::Pari;'. |
| 177 |
Program terminated with signal 11, Segmentation fault. |
| 178 |
[New process 30393] |
| 179 |
#0 0x4fa55399 in ?? () from /lib/ld-linux.so.2 |
| 180 |
(gdb) bt |
| 181 |
#0 0x4fa55399 in ?? () from /lib/ld-linux.so.2 |
| 182 |
#1 0x4fa68000 in ?? () |
| 183 |
#2 0x00000ed4 in ?? () |
| 184 |
#3 0x00000003 in ?? () |
| 185 |
#4 0x17364a75 in ?? () from /usr/bin/perl |
| 186 |
#5 0x00000145 in ?? () |
| 187 |
#6 0x17426824 in ?? () |
| 188 |
#7 0x5a96a6a8 in ?? () |
| 189 |
#8 0x17301567 in ?? () from /usr/bin/perl |
| 190 |
#9 0x17426824 in ?? () |
| 191 |
#10 0x00000050 in ?? () |
| 192 |
#11 0x173040d8 in Perl_av_undef () from /usr/bin/perl |
| 193 |
#12 0x4fa55f4e in ?? () from /lib/ld-linux.so.2 |
| 194 |
#13 0x5a96a79c in ?? () |
| 195 |
#14 0x17443df8 in ?? () |
| 196 |
#15 0x00000000 in ?? () |
| 197 |
(gdb) x/8i $pc |
| 198 |
0x4fa55399 <free@plt+27445>: orl $0x7,-0xf4(%ebx) |
| 199 |
0x4fa553a0 <free@plt+27452>: mov $0x1,%ecx |
| 200 |
0x4fa553a5 <free@plt+27457>: mov %ecx,0x8(%esp) |
| 201 |
0x4fa553a9 <free@plt+27461>: mov %edi,0x4(%esp) |
| 202 |
0x4fa553ad <free@plt+27465>: mov %esi,(%esp) |
| 203 |
0x4fa553b0 <free@plt+27468>: call 0x4fa62e80 |
| 204 |
0x4fa553b5 <free@plt+27473>: jmp 0x4fa5505c <free@plt+26616> |
| 205 |
0x4fa553ba <free@plt+27478>: xor %ecx,%ecx |
| 206 |
(gdb) x/8x $sp |
| 207 |
0x5a96a600: 0x4fa68000 0x00000ed4 0x00000003 0x17364a75 |
| 208 |
0x5a96a610: 0x00000145 0x17426824 0x5a96a6a8 0x17301567 |
| 209 |
(gdb) info reg |
| 210 |
eax 0xffffffff -1 |
| 211 |
ecx 0x4fa68fc4 1336315844 |
| 212 |
edx 0xd 13 |
| 213 |
ebx 0x4fa68fc4 1336315844 |
| 214 |
esp 0x5a96a600 0x5a96a600 |
| 215 |
ebp 0x5a96a720 0x5a96a720 |
| 216 |
esi 0x4fa68000 1336311808 |
| 217 |
edi 0xed4 3796 |
| 218 |
eip 0x4fa55399 0x4fa55399 <free@plt+27445> |
| 219 |
eflags 0x10286 [ PF SF IF RF ] |
| 220 |
cs 0x73 115 |
| 221 |
ss 0x7b 123 |
| 222 |
ds 0x7b 123 |
| 223 |
es 0x7b 123 |
| 224 |
fs 0x0 0 |
| 225 |
gs 0x33 51 |
| 226 |
|
| 227 |
|
| 228 |
|
| 229 |
> on a second thought, i'd need the strace output regardless of the gdb analysis, |
| 230 |
> just to see how text relocations went as that's where the problem is probably. |
| 231 |
|
| 232 |
http://powerman.name/tmp/apache2.strace |
| 233 |
http://powerman.name/tmp/apache2.strace_zend |
| 234 |
http://powerman.name/tmp/perl.strace |
| 235 |
|
| 236 |
-- |
| 237 |
WBR, Alex. |
Archives