
Backtrace php4-imap/apache SEGV



Hi All,

I have a stable reproduction case now in a chroot, and have succeeded in
getting backtraces out of it.

It is with a recompiled libssl0.9.7, without the db_strip, to get a more
useful one. As I don't know much about gdb, any hints on getting better
backtraces would be appreciated (I now just gdb'd /usr/sbin/apache with
-X -F)

If I understand things correctly, the SEGV happens deep in libssl0.9.7
(therefore the CC to its maintainer), as this looks like insufficient
error handling, but of course, this is just speculation.

The problem is the starting point, mail_getquota. It's an internal
function in PHP's imap module, used ONLY when the corresponding PHP
functions are called. However, the SIGSEGV happens at startup, and in my
whole fscking chroot there is no single php script anywhere.

So, it gets wrongly called? Then there must be a serious fuckup of
symbols somewhere, or otherwise I really don't understand. It also
states about a possible stack overwrite at the end of the bt, so there
is an accidental buffer overflow somewhere? Or is this function called
somehow on startup... that would be really weird.

In the case of the buffer overflow, I guess that stack trace is useless
and just plain wrong?

Any pointers on how to check this issue better?

(my versions:
 apache 1.3.29.0.1-5
 php4 4:4.3.3-4 (oops, indeed, chroot was not fully uptodate)
 php4-imap 4:4.3.3-5 (but this was, as it was newly installed)
 libssl0.9.7 0.9.7c-5~notstripped-by-jeroen)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076541248 (LWP 27379)]
0x401ea010 in strcmp () from /lib/tls/libc.so.6
(gdb) bt
#0  0x401ea010 in strcmp () from /lib/tls/libc.so.6
#1  0x447996f4 in ?? ()
#2  0x448221e4 in obj_name_cmp () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#3  0x447996f4 in ?? ()
#4  0x448cb6f4 in empty.0 () from /usr/lib/i686/cmov/libssl.so.0.9.7
#5  0x00000001 in ?? ()
#6  0x00000010 in ?? ()
#7  0x448998c4 in __JCR_LIST__ () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#8  0x080eb220 in ?? ()
#9  0x080eae78 in ?? ()
#10 0x4481dd24 in getrn () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#11 0x03149d58 in ?? ()
#12 0x080eae78 in ?? ()
#13 0x448cafc9 in ?? () from /usr/lib/i686/cmov/libssl.so.0.9.7
#14 0x080eb1e0 in ?? ()
#15 0x4481d8b5 in lh_insert () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#16 0x080eae78 in ?? ()
#17 0x080eb1e0 in ?? ()
#18 0xbffff2b8 in ?? ()
#19 0x44822383 in OBJ_NAME_add () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#20 0x080eb1e0 in ?? ()
#21 0x448d21c4 in ?? () from /usr/lib/i686/cmov/libssl.so.0.9.7
#22 0x03149d58 in ?? ()
#23 0x448998c4 in __JCR_LIST__ () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#24 0x080eae78 in ?? ()
#25 0x448cafc9 in ?? () from /usr/lib/i686/cmov/libssl.so.0.9.7
#26 0xbffff7b8 in ?? ()
#27 0x4482236b in OBJ_NAME_add () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#28 0x080eae78 in ?? ()
#29 0x080eb1e0 in ?? ()
#30 0x000000ba in ?? ()
#31 0x00008001 in ?? ()
#32 0x448d2050 in __JCR_LIST__ () from /usr/lib/i686/cmov/libssl.so.0.9.7
#33 0x448cafc9 in ?? () from /usr/lib/i686/cmov/libssl.so.0.9.7
#34 0x4461c470 in mail_getquota () from /usr/lib/php4/20020429/imap.so
Previous frame inner to this frame (corrupt stack?)
(gdb)



-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
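The question in the message is whether a backtrace that ends in "corrupt stack?" can be trusted at all. A useful habit when reading such a trace is to separate the frames gdb could unwind correctly from the point where the frame chain turned into garbage: values like 0x00000001, 0x00000010 or 0x000000ba are not return addresses, and 0xbffff2b8 is a pointer into the stack itself, so everything outer to the first such "frame" (including the mail_getquota frame at the end) was produced by walking through stack contents that are not saved frames. The innermost frames before that point (strcmp called from obj_name_cmp) are the part worth reading. The following Python script is an added example written for this page, not code from the message or from Debian; the address-layout thresholds (stack just below 0xc0000000, nothing executable below the first page) are assumptions about an i386 Linux process of that era, and the sample input is a subset of the frames copied from the gdb session above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: a subset of the frames copied from the gdb session in the
# message above, plus gdb's own trailing warning line.
SAMPLE_BT = """\
#0  0x401ea010 in strcmp () from /lib/tls/libc.so.6
#1  0x447996f4 in ?? ()
#2  0x448221e4 in obj_name_cmp () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#5  0x00000001 in ?? ()
#6  0x00000010 in ?? ()
#18 0xbffff2b8 in ?? ()
#19 0x44822383 in OBJ_NAME_add () from /usr/lib/i686/cmov/libcrypto.so.0.9.7
#34 0x4461c470 in mail_getquota () from /usr/lib/php4/20020429/imap.so
Previous frame inner to this frame (corrupt stack?)
"""

# One gdb "bt" line: "#N  0xADDR in symbol () [from /path/to/object]"
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \(\)(?: from (\S+))?$")

# Assumed i386 Linux layout (not taken from the message): the process stack
# sits just below 0xc0000000, and the first page is never mapped executable.
STACK_LOW = 0xBF000000
PAGE_SIZE = 0x1000


@dataclass
class Frame:
    index: int
    pc: int
    symbol: str
    module: Optional[str]


def parse_backtrace(text: str) -> List[Frame]:
    """Extract the numbered frames from gdb 'bt' output; other lines are ignored."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
    return frames


def classify(frame: Frame) -> str:
    """Decide whether the 'pc' gdb printed for a frame can be a return address at all."""
    if frame.pc < PAGE_SIZE:
        return "small-integer"   # 0x1, 0x10, 0xba: a saved argument or flag, never code
    if frame.pc >= STACK_LOW:
        return "stack-address"   # a pointer into the stack (e.g. a local buffer), not code
    if frame.module is None and frame.symbol == "??":
        return "unresolved"      # code-like address gdb could not map to a loaded object
    return "code"


def assess(text: str) -> Dict[str, object]:
    """Split the trace into the trusted inner part and the garbage beyond it."""
    frames = parse_backtrace(text)
    counts: Dict[str, int] = {}
    first_bogus: Optional[int] = None
    for f in frames:
        kind = classify(f)
        counts[kind] = counts.get(kind, 0) + 1
        if first_bogus is None and kind in ("small-integer", "stack-address"):
            first_bogus = f.index
    # Frames inner to the first bogus one were unwound before the chain went
    # wrong, so they are the only part of the trace worth reading.
    trusted = [f for f in frames if first_bogus is None or f.index < first_bogus]
    gdb_warned = "corrupt stack?" in text
    return {
        "frame_count": len(frames),
        "counts": counts,
        "first_bogus_frame": first_bogus,
        "trusted_symbols": [f.symbol for f in trusted],
        "gdb_warned": gdb_warned,
        "trustworthy": first_bogus is None and not gdb_warned,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_BT).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports the first bogus frame at #5 and keeps only strcmp, ?? and obj_name_cmp as trustworthy; the outer frames, mail_getquota included, should not be used to reason about who called whom. For a trace that is trustworthy end to end, the tools to get more out of it are debugging symbols for the libraries involved and gdb's `bt full` (locals per frame) and `info sharedlibrary` (which object each address range belongs to).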


