You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Joshua Slive <jo...@slive.ca> on 2005/09/14 21:21:21 UTC

mod_mbox still core dumping on ajax

There are now around 1700 core files in ajax:/raid1/httpd-cores
I see at least two separate bugs.

I hate to ask, but should we consider mod_mbox unmaintained at this point?

Joshua.

Re: mod_mbox still core dumping on ajax

Posted by Joshua Slive <jo...@slive.ca>.

Paul Querna wrote:
> Joshua Slive wrote:
>> There are now around 1700 core files in ajax:/raid1/httpd-cores
>> I see at least two separate bugs.
> 
> Can you post backtraces?  We fixed the crashes you posted back on 8/25.

Yes, but I did mention that there were others.

Three backtraces are attached below.  They all seem to be null-pointer 
related, and therefore probably not exploitable.  I hope.

Joshua.

#0  mbox_cache_get_count (mli=0x60000000001f57a0, 
count=0x60000fffffffa5d0, path=0x60000000001f6208 "200506.mbox")
     at mbox_cache.c:247
247             memcpy(count, nv.dptr, sizeof(int));
(gdb) where
#0  mbox_cache_get_count (mli=0x60000000001f57a0, 
count=0x60000fffffffa5d0, path=0x60000000001f6208 "200506.mbox")
     at mbox_cache.c:247
#1  0x200000000100e250 in show_index_file_info (r=0x600000000020cae0, 
mli=0x60000000001f57a0,
     path=0x60000000001f6208 "200506.mbox") at mod_mbox_index.c:84
#2  0x200000000100e8a0 in generate_mbox_index (r=0x600000000020cae0) at 
mod_mbox_index.c:187
#3  0x40000000000358f0 in ap_run_handler (r=0x600000000020cae0) at 
config.c:153
#4  0x40000000000368d0 in ap_invoke_handler (r=0x600000000020cae0) at 
config.c:317
#5  0x400000000002f460 in ap_process_request (r=0x600000000020cae0) at 
http_request.c:226
#6  0x40000000000249d0 in ap_process_http_connection 
(c=0x60000000001d9610) at http_core.c:233
#7  0x400000000004d1b0 in ap_run_process_connection 
(c=0x60000000001d9610) at connection.c:43
#8  0x4000000000032270 in child_main (child_num_arg=23984) at prefork.c:610
#9  0x4000000000032540 in make_child (s=0x60000000000703e0, slot=370) at 
prefork.c:704
#10 0x4000000000032ae0 in perform_idle_server_maintenance (p=0xb) at 
prefork.c:839
#11 0x4000000000033920 in ap_mpm_run (_pconf=0x0, 
plog=0x6000000000040288, s=0x0) at prefork.c:863
#12 0x4000000000041610 in main (argc=5, argv=0x60000fffffffabd8) at 
main.c:618
(gdb) print nv
$1 = {dptr = 0x0, dsize = 0}




#0  fetch_message (r=0x6000000000208860, f=0x6000000000217b88) at 
mod_mbox_file.c:746
746         if (!(multipart && mctx->get_part != 0)) {
(gdb) where
#0  fetch_message (r=0x6000000000208860, f=0x6000000000217b88) at 
mod_mbox_file.c:746
#1  0x200000000100da80 in mbox_file_handler (r=0x6000000000208860) at 
mod_mbox_file.c:951
#2  0x40000000000358f0 in ap_run_handler (r=0x6000000000208860) at 
config.c:153
#3  0x40000000000368d0 in ap_invoke_handler (r=0x6000000000208860) at 
config.c:317
#4  0x400000000002f460 in ap_process_request (r=0x6000000000208860) at 
http_request.c:226
#5  0x40000000000249d0 in ap_process_http_connection 
(c=0x60000000001d9800) at http_core.c:233
#6  0x400000000004d1b0 in ap_run_process_connection 
(c=0x60000000001d9800) at connection.c:43
#7  0x4000000000032270 in child_main (child_num_arg=23984) at prefork.c:610
#8  0x4000000000032540 in make_child (s=0x600000000008ec90, slot=165) at 
prefork.c:704
#9  0x4000000000032ae0 in perform_idle_server_maintenance (p=0x4) at 
prefork.c:839
#10 0x4000000000033920 in ap_mpm_run (_pconf=0x0, 
plog=0x6000000000040288, s=0x0) at prefork.c:863
#11 0x4000000000041610 in main (argc=5, argv=0x60000fffffffabd8) at 
main.c:618
(gdb) print mctx
$1 = (mbox_mpartf_ctx *) 0x0



(gdb) where
#0  0x20000000009f8300 in strstr () from /lib/tls/libc.so.6.1
#1  0x200000000100b6c0 in mbox_mpart_filter (f=0x6000000000247ee0, 
bb=0x6000000000247f50) at mod_mbox_file.c:370
#2  0x4000000000052fc0 in ap_pass_brigade (next=0x6000000000247ee0, 
bb=0x6000000000247f50) at util_filter.c:488
#3  0x200000000100c820 in fetch_message (r=0x600000000023ee60, 
f=0x6000000000207f80) at mod_mbox_file.c:763
#4  0x200000000100da80 in mbox_file_handler (r=0x600000000023ee60) at 
mod_mbox_file.c:951
#5  0x40000000000358f0 in ap_run_handler (r=0x600000000023ee60) at 
config.c:153
#6  0x40000000000368d0 in ap_invoke_handler (r=0x600000000023ee60) at 
config.c:317
#7  0x400000000002f460 in ap_process_request (r=0x600000000023ee60) at 
http_request.c:226
#8  0x40000000000249d0 in ap_process_http_connection 
(c=0x60000000001d9ca0) at http_core.c:233
#9  0x400000000004d1b0 in ap_run_process_connection 
(c=0x60000000001d9ca0) at connection.c:43
#10 0x4000000000032270 in child_main (child_num_arg=23984) at prefork.c:610
#11 0x4000000000032540 in make_child (s=0x60000000000bfdc0, slot=290) at 
prefork.c:704
#12 0x4000000000032ae0 in perform_idle_server_maintenance (p=0x6) at 
prefork.c:839
#13 0x4000000000033920 in ap_mpm_run (_pconf=0x0, 
plog=0x6000000000040288, s=0x0) at prefork.c:863
#14 0x4000000000041610 in main (argc=5, argv=0x60000fffffffabd8) at 
main.c:618

Re: mod_mbox still core dumping on ajax

Posted by Paul Querna <ch...@force-elite.com>.

Joshua Slive wrote:
> There are now around 1700 core files in ajax:/raid1/httpd-cores
> I see at least two separate bugs.

Can you post backtraces?  We fixed the crashes you posted back on 8/25.

> I hate to ask, but should we consider mod_mbox unmaintained at this point?

No, just maintained by people who have been busy.

-Paul

Re: mod_mbox still core dumping on ajax

Posted by Maxime Petazzoni <ma...@bulix.org>.

> I hate to ask, but should we consider mod_mbox unmaintained at this
> point?

http://mail-archives.apache.org/mod_mbox/httpd-dev/200509.mbox/%3c20050902000956.GT4873@bulix.org%3e

And still no answer ...

Regards,
- Sam
-- 
Maxime Petazzoni (http://www.bulix.org)
 -- gone crazy, back soon. leave message.