[Fwd: Suhosin Segmentation Fault]

Jeremy Chadwick koitsu at FreeBSD.org
Wed Oct 15 13:14:56 PDT 2008


On Wed, Oct 15, 2008 at 10:01:13PM +0200, Alain Wolf wrote:
> On 15.10.2008 20:55, Jeremy Chadwick wrote:
> > On Wed, Oct 15, 2008 at 07:25:08PM +0200, Alain Wolf wrote:
> >> Not much return on freebsd-isp.
> >> I try again here on freebsd-questions.
> >>
> >> -------- Original Message --------
> >> Subject: Suhosin Segmentation Fault
> >> Date: Mon, 13 Oct 2008 09:49:09 +0200
> >> From: Alain Wolf <wolf at k18.ch>
> >> To: freebsd-isp at freebsd.org
> >> Newsgroups: gmane.os.freebsd.isp
> >>
> >> After upgrading FreeBSD from 6.3-p3 to 6.3-p5 on our server, all
> >> websites just display a blank page and every HTTP request created a line
> >> as follows in the logs:
> >>
> >> child pid 80326 exit signal Segmentation fault (11)
> >>
> >> This same problem happened on another server a few months ago after the
> >> upgrade from 6.3-p3 to 6.3-p4, but after a rebuild of all FreeBSD ports
> >> all went back to normal. However several rebuilds of all ports did not
> >> solve the problem on this one.
> >>
> >> To narrow down the problem: After disabling the PHP module in Apache the
> >> problem disappears.
> >>
> >> Re-enabling PHP, but disabling the Suhosin extension also works fine.
> >>
> >> The trick found in this forum, to load the Suhosin extension before all
> >> other PHP extensions in /usr/local/etc/php/extensions.ini does not help.
> >> In fact not loading any extension at all except Suhosin creates the
> >> segfault errors.
> > 
> > Suhosin is not an extension you load in extensions.ini; it's a patch
> > applied to the core of PHP.
> 
> Suhosin is *both*. A patch for PHP and an extension module for PHP.
> 
> From http://www.hardened-php.net/suhosin/index.html:
> Suhosin comes in two independent parts, that can be used separately or
> in combination. The first part is a small patch against the PHP core,
> that implements a few low-level protections against bufferoverflows or
> format string vulnerabilities and the second part is a powerful PHP
> extension that implements all the other protections.

Except their own website contradicts themselves in many other places,
including on their forums *and* in other documentation.  I can refer you
to some documentation of theirs that states "Suhosin extension sometimes
causes other extensions to crash because they try to access internal
variables wrongly".

You are supposed to use one or the other: the patch, or the extension.
You've probably read my other mail by now, so you know that I advocate
use of the patch.

> The suhosin patch works fine on our servers. But the extension does not.

So disable it and use only the patch -- problem solved.

I'm CC'ing ale@ on this thread, because he's probably not on -questions,
and this has now become a -ports thing.  He can comment on what to do
about these crashes.

I'm of the opinion that security/php-suhosin should be nuked, especially
if the patch works fine for everyone but the extension causes problems.

> > The extension ordering problem, however, has been thoroughly discussed
> > on -ports in the past.  It happens to some and not others.  There is no
> > guaranteed way to determine what works and what doesn't.  You have to
> > literally enable line-by-line until you figure out which one is causing
> > the problem.
> 
> I tried enabling and disabling extensions. All of them work, as long as
> suhosin.so is not loaded. Regardless of the order.
> 
> If I disable all other extensions and load only suhosin.so in
> /usr/local/etc/php/extensions.ini the apache processes are still crashing.
> 
> > 
> > You can also try building lang/php5 with DEBUG enabled and then when PHP
> > segfaults, run gdb on the coredump and see if you can get a coherent
> > backtrace (sometimes difficult with Apache in the way) to see what sort
> > of functions are causing the crash; often each extension has its own
> > function names, so that might give you some clues.
> Hard for me, as this disrupts customer services. We are running without
> the extensions for now.
> 
> > 
> >> PHP (cli) seems to run fine at all times when called from the command-line.
> > 
> > Now that's very interesting, given as the CLI version also loads all the
> > extensions listed in extensions.ini.
> > 
> > Can you post your /usr/local/etc/php/extensions.ini?  You didn't list
> > off what extensions you have installed.
> > 
> 
> cat /usr/local/etc/php/extensions.ini
> extension=gd.so
> extension=ctype.so
> extension=pcre.so
> extension=session.so
> extension=bz2.so
> extension=openssl.so
> extension=zlib.so
> extension=mbstring.so
> extension=mysql.so
> extension=pdf.so
> extension=mcrypt.so
> extension=simplexml.so
> extension=spl.so
> extension=mysqli.so
> extension=xml.so
> extension=iconv.so
> extension=hash.so
> extension=tokenizer.so
> extension=calendar.so
> extension=ftp.so
> extension=xmlrpc.so
> extension=xmlwriter.so
> extension=zip.so
> extension=filter.so
> ;extension=suhosin.so
> extension=wddx.so
> extension=mhash.so
> extension=json.so
> extension=dom.so
> extension=xmlreader.so
> extension=exif.so
> extension=ncurses.so
> extension=gettext.so
> extension=ldap.so
> extension=pdo.so
> extension=soap.so
> extension=tidy.so
> extension=pdo_sqlite.so
> extension=apc.so
> extension=readline.so
> extension=xsl.so
> extension=curl.so
> 

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
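
The line-by-line procedure quoted in the message above, as an added example that is not part of the original thread: it re-enables `extensions.ini` entries cumulatively and reports the first line after which a probe command fails. The function names, the stub probe and the sample file are assumptions constructed for illustration; a real probe would have to exercise PHP under Apache on a staging host, since the thread reports the CLI does not crash.

```shell
#!/bin/sh
# Added example, not from the thread. Enables extensions.ini entries one line
# at a time and reports the first line after which a probe command fails.

# first_failing_extension INI PROBE [ARGS...]
# PROBE is run as: PROBE ARGS... <scratch.ini>. Prints the culprit line and
# returns 0; returns 1 if every cumulative configuration passed.
first_failing_extension() {
    src=$1; shift
    work=$(mktemp "${TMPDIR:-/tmp}/extscan.XXXXXX") || return 2
    culprit=
    # Only active "extension=" lines; ";" comments do not match the pattern.
    grep -E '^[[:space:]]*extension[[:space:]]*=' "$src" > "$work.todo" || true
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$work"
        rc=0
        "$@" "$work" >/dev/null 2>&1 || rc=$?
        if [ "$rc" -ne 0 ]; then
            # 128 + 11: the probed process was killed by SIGSEGV.
            [ "$rc" -eq 139 ] && note="exit $rc, SIGSEGV" || note="exit $rc"
            culprit="$line ($note)"
            break
        fi
    done < "$work.todo"
    rm -f "$work" "$work.todo"
    [ -n "$culprit" ] || return 1
    printf '%s\n' "$culprit"
}

# Constructed stand-in probe: "crashes" when suhosin.so is active. A real probe
# (hypothetical) would install the scratch file on a staging host, restart
# Apache, request a PHP page and fail on a new "exit signal Segmentation fault".
stub_probe() {
    if grep -q '^extension=suhosin\.so' "$1"; then return 139; fi
    return 0
}

# Constructed sample input using extension names from the thread.
demo() {
    ini=$(mktemp "${TMPDIR:-/tmp}/extensions.XXXXXX") || return 2
    printf '%s\n' 'extension=gd.so' 'extension=ctype.so' ';extension=apc.so' \
        'extension=suhosin.so' 'extension=wddx.so' > "$ini"
    status=0
    first_failing_extension "$ini" stub_probe || status=$?
    rm -f "$ini"
    return "$status"
}

demo
```

Because entries are enabled cumulatively in file order, a failure that depends on an earlier extension already being loaded is still attributed to the line that triggers it.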


