module segmentation fault with long URLs

Description

When attempting to access a long (1154-character) URL the Apache httpd child processes segfault. The Apache log contains lines like

[Wed Mar 28 18:32:39 2012] [notice] child pid 29527 exit signal Segmentation fault (11), possible coredump in /tmp/cores

This happens even when the URL resource is not being protected using the module and even if no content served by the SP is protected. It is only necessary to have the module loaded, that is, for the Apache configuration to contain

LoadModule mod_shib /usr/lib/apache2/modules/mod_shib_22.so

Removing the LoadModule command from the configuration fixes the issue.

The long URL being accessed is provided in an attachment, as is the output of using gdb to examine the core file.

The gdb command used was

thread apply all bt full

Environment

  1. uname -a
    Linux oregano.phys.uwm.edu 2.6.32-5-amd64 #1 SMP Thu Mar 22 17:26:33 UTC 2012 x86_64 GNU/Linux

  2. dpkg --list | grep shib
    ii libapache2-mod-shib2 2.4.3+dfsg-2~bpo60+1 Federated web single sign-on system (Apache module)
    ii libshibsp-dev 2.4.3+dfsg-2~bpo60+1 Federated web single sign-on system (development)
    ii libshibsp5 2.4.3+dfsg-2~bpo60+1 Federated web single sign-on system (runtime)
    ii shibboleth-sp2-schemas 2.4.3+dfsg-2~bpo60+1 Federated web single sign-on system (schemas)

Attachments: 2

Activity

Scott Cantor March 29, 2012 at 3:04 AM

Was fixed in log4shib 1.0.4

Scott Cantor March 29, 2012 at 3:03 AM

Looks like the same issue I fixed here.

Scott Cantor March 29, 2012 at 3:02 AM

There is a difference between log4cpp and log4shib, specifically it's lacking the fix for this bug:

https://issues.shibboleth.net/jira/browse/SSPCPP-265

I thought that had been fixed upstream a while ago, but I guess not.

That breaks vararg params of large size on x86_64 archs. So, that's your bug, I think.

Scott Cantor March 29, 2012 at 2:33 AM

This isn't definitive, but I ran a test on a Red Hat box with logging turned up, and the URL you provided with the hostname changed. It's logging that successfully, with no crash.

That could mean that the bug is something I fixed in log4shib (unlikely, but possible), or it could mean that there's a glibc difference with Debian.

The code in log4shib is very clearly doing the right thing and growing a buffer gradually, checking the result code from vsnprintf as documented in the man page. If it were crashing, I'd be pretty confident that either there's a vararg limitation involved, or glibc had a bug.

I don't know what the comparable StringUtil.cpp code in log4cpp looks like on Debian. I'll take a look when I have a chance.
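The two comments above describe the safe pattern (grow a buffer, retry based on the value vsnprintf returns) and the failure mode (a vararg problem with large arguments on x86_64). The following is an added illustration, not code from log4shib, log4cpp or the Shibboleth project: it implements the buffer-growing loop and, as an assumption about where such an x86_64-only crash comes from, takes a va_copy of the argument list before every vsnprintf attempt, since on that ABI a va_list consumed by a first, too-small attempt cannot simply be passed again. The 1154-character path is constructed inside the block to mirror the reported URL length; function names are mine.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a heap buffer, growing it until vsnprintf reports the result
 * fits. Every attempt uses a va_copy of the caller's list: the original
 * va_list may be consumed by a failed vsnprintf call and, on x86_64 (where
 * va_list is an array type), reusing it is what corrupts the arguments.
 * Returns NULL on allocation or encoding failure; caller frees the result. */
char *vformat_alloc(const char *fmt, va_list ap)
{
    size_t size = 64;            /* deliberately small first guess to force a retry */
    char *buf = malloc(size);
    if (!buf)
        return NULL;

    for (;;) {
        va_list copy;
        va_copy(copy, ap);       /* fresh copy for this attempt */
        int needed = vsnprintf(buf, size, fmt, copy);
        va_end(copy);

        if (needed < 0) {        /* encoding error: give up cleanly */
            free(buf);
            return NULL;
        }
        if ((size_t)needed < size)
            return buf;          /* fit, including the terminating NUL */

        /* vsnprintf tells us the full length; resize exactly and retry */
        size = (size_t)needed + 1;
        char *tmp = realloc(buf, size);
        if (!tmp) {
            free(buf);
            return NULL;
        }
        buf = tmp;
    }
}

/* Variadic front end, as a logging call would use it. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *s = vformat_alloc(fmt, ap);
    va_end(ap);
    return s;
}

/* Build a request line for a constructed path of path_len 'a' characters
 * (1154 mirrors the report) and return the formatted length, 0 on failure.
 * "GET /" (5) + path + " HTTP/1.1" (9) = path_len + 14. */
size_t formatted_request_length(size_t path_len)
{
    char *path = malloc(path_len + 1);
    if (!path)
        return 0;
    memset(path, 'a', path_len);
    path[path_len] = '\0';

    char *line = format_alloc("GET /%s HTTP/1.1", path);
    size_t len = line ? strlen(line) : 0;
    free(line);
    free(path);
    return len;
}

int main(void)
{
    printf("formatted length for a 1154-char path: %zu\n",
           formatted_request_length(1154));
    return 0;
}
```

The first attempt with a 64-byte buffer is too small for the long path, so the loop resizes to exactly the reported length plus one and formats again; because each pass starts from a fresh copy of the argument list, the second pass sees the same arguments as the first.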

scott.koranda@ligo.org March 29, 2012 at 2:22 AM (edited)

I confirm that if logging isn't on DEBUG then the Apache child processes do not segfault.

Resolution: Duplicate

Details

Created March 29, 2012 at 1:58 AM
Updated June 22, 2021 at 7:51 PM
Resolved March 29, 2012 at 3:04 AM