# grsec problem, imapd / apache causes segmentation fault

## drtebi

Well first of all, I have searched the forum now for a while, but could not find an answer specific to my problem.

So, let me try to explain what's happening:

I have Gentoo 1.4 running now for about 5 months, and had no problems at all. I just recently upgraded apache to 1.3.27 with PHP 4.3.1, which I do "manually", not with emerge. This all works fine, never causes problems, errors, segmentation faults or whatsoever.

I also have emerged:

sys-apps/daemontools-0.76-r1

sys-apps/ucspi-tcp-0.88-r3

net-mail/mailbase-0.00-r4

net-mail/dot-forward-0.71

net-mail/checkpassword-0.90

net-mail/qmail-1.03-r8

net-mail/vpopmail-5.2.1-r2

net-mail/courier-imap-1.7.0

dev-db/mysql-3.23.52-r1

At first I only used POP and SMTP for email purposes, it works great. Now several customers asked for a webmail, so I found some webmail in PHP and tried to use it with IMAP. This is where I run into problems.

After fiddling with IMAP for a while, I finally was able to login to the IMAP account from a remote machine with no problems, via telnet, outlook express or whatever.

I can also login by running the command imapd at the server from the command line, and then login as a system user.

However, the same does not work when I try to login as a virtual user (which should then be handled by the authdaemond daemon I suppose).

Anyway, the worst thing for me is that I cannot use the webmail software. I first thought it might be the PHP scripts themselves, so I just "trimmed it down" to the imap_open example on the PHP manual page, and running that code does shut down the apache child and then returns an empty page.

This is what I find in /var/everything/current:

```
May 26 19:06:16 [imapd] Connection, ip=[66.252.11.11]
May 26 19:06:16 [imapd] LOGIN: DEBUG: ip=[66.252.11.11], command=CAPABILITY
May 26 19:06:16 [imapd] LOGIN: DEBUG: ip=[66.252.11.11], command=LOGIN
May 26 19:06:16 [imapd] LOGIN: DEBUG: ip=[66.252.11.11], username=user@nowebmail.net
May 26 19:06:16 [imapd] LOGIN, user=user@nowebmail.net, ip=[66.252.11.11]
May 26 19:06:16 [kernel] grsec: signal 11 sent to (httpd:30850) UID(65534) EUID(65534), parent (httpd:29604) UID(0) EUID(0)
May 26 19:06:16 [imapd] DISCONNECTED, user=user@nowebmail.net, ip=[66.252.11.11], headers=0, body=0
May 26 19:06:16 [imapd] Connection, ip=[66.252.11.11]
May 26 19:06:16 [imapd] LOGIN: DEBUG: ip=[66.252.11.11], command=CAPABILITY
May 26 19:06:16 [imapd] LOGIN: DEBUG: ip=[66.252.11.11], command=LOGIN
May 26 19:06:16 [imapd] LOGIN: DEBUG: ip=[66.252.11.11], username=user@nowebmail.net
May 26 19:06:16 [imapd] LOGIN, user=user@nowebmail.net, ip=[66.252.11.11]
May 26 19:06:16 [imapd] DISCONNECTED, user=user@nowebmail.net, ip=[66.252.11.11], headers=0, body=0
```

And this is what I find in my apache error log:

```
[Mon May 26 18:48:31 2003] [notice] child pid 29045 exit signal Segmentation fault (11)
[Mon May 26 18:48:31 2003] [notice] child pid 30121 exit signal Segmentation fault (11)
[Mon May 26 18:48:32 2003] [notice] child pid 2577 exit signal Segmentation fault (11)
[Mon May 26 19:01:42 2003] [notice] child pid 7507 exit signal Segmentation fault (11)
[Mon May 26 19:01:42 2003] [notice] child pid 7462 exit signal Segmentation fault (11)
[Mon May 26 19:06:16 2003] [notice] child pid 30850 exit signal Segmentation fault (11)
[Mon May 26 19:06:17 2003] [notice] child pid 28827 exit signal Segmentation fault (11)
```

I realize that there is a FAQ about the segmentation fault (11) and hardware problems, but after reading through the FAQs, I am positive that this must be a software problem I cannot figure out. I never have any segmentation fault errors with anything else, no random errors etc. I also do use ECC memory, the vendor's recommended chips etc.

Last but not least I should note that I am running a server at home that's almost identical in hardware and software, and everything works on this server. The one difference is that the one at home does not have grsecurity installed. Is there a chance that this is my problem?

Thanks for any response.

----------

## kanuso

In principle, it hasn't anything to do with grsecurity. It could, of course, but it isn't related to the line in syslog; that is just a warning about the process receiving a signal 11 (segmentation fault).

The problem could arise from compilation flags or configuration error. The tracer strace is really handy for these cases. Just emerge it, and run:

```
/etc/init.d/apache stop
strace -s 2048 -ff -o /tmp/straceapache /etc/init.d/apache start
```

Then just make the query that segfaults apache, and shut down apache. You'll have some files like /tmp/straceapache*, and in one of them you'll be able to see the segmentation fault, and just before it what apache was doing when it segfaulted.

Hope this helps you.

----------
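One way to work through the `/tmp/straceapache*` files described above, as an added example that is not part of the original posts: the function names and the sample PIDs 1001/1002 are hypothetical, and the trace lines are constructed, abridged from the excerpt posted later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): locate the strace -ff output file that
# recorded the crash and show what the process did just before it.

# Print every PREFIX.<pid> file that contains a SIGSEGV delivery line.
find_segv_traces() {
    grep -lF -e '--- SIGSEGV' "$1".* 2>/dev/null
}

# Print the last N (default 5) syscalls before the SIGSEGV in FILE,
# skipping the time()/alarm() calls that pad the trace.
calls_before_segv() {
    awk -v n="${2:-5}" '
        /^--- SIGSEGV/    { exit }          # stop at the signal; END still runs
        /^(time|alarm)\(/ { next }          # noise, not useful for diagnosis
                          { buf[++c] = $0 }
        END { for (i = (c > n ? c - n + 1 : 1); i <= c; i++) print buf[i] }
    ' "$1"
}

# Constructed sample data: one healthy process and one that crashes.
# PIDs 1001 and 1002 are made up for the example.
make_sample_traces() {
    dir=$(mktemp -d)
    cat > "$dir/straceapache.1001" <<'EOF'
select(0, NULL, NULL, NULL, {1, 0})     = 0 (Timeout)
EOF
    cat > "$dir/straceapache.1002" <<'EOF'
write(6, "00000001 LOGIN info@mydomain.com password\r\n", 43) = 43
read(6, "00000001 OK LOGIN Ok.\r\n", 8192) = 23
alarm(0)                                = 0
time(NULL)                              = 1054223150
select(7, NULL, [6], [6], NULL)         = 1 (out [6])
write(6, "00000002 CAPABILITY\r\n", 21) = 21
select(7, [6], NULL, [6], NULL)         = 1 (in [6])
alarm(0)                                = 0
--- SIGSEGV (Segmentation fault) ---
EOF
    echo "$dir"
}

# Stand-alone run: report the crashing file and its last three real syscalls.
d=$(make_sample_traces)
for f in $(find_segv_traces "$d/straceapache"); do
    echo "== $f"; calls_before_segv "$f" 3
done
rm -rf "$d"
```

Because of `-s 2048`, the trace files hold the IMAP LOGIN command with the password in clear text, so delete `/tmp/straceapache*` once the crashing call has been identified.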

## drtebi

Thank you so much for your advice,

I have followed your directions to use strace, and got some interesting output from strace. However, I must admit I don't exactly understand how to trace the error in these files...

I would greatly appreciate it if you could help me further. Here is a short part of the output right before the segfault:

```
close(7)                                = 0
munmap(0x40016000, 4096)                = 0
alarm(0)                                = 0
time(NULL)                              = 1054223150
time(NULL)                              = 1054223150
select(7, NULL, [6], [6], NULL)         = 1 (out [6])
time(NULL)                              = 1054223150
write(6, "00000001 LOGIN info@mydomain.com password\r\n", 43) = 43
time(NULL)                              = 1054223150
time(NULL)                              = 1054223150
select(7, [6], NULL, [6], NULL)         = 1 (in [6])
time(NULL)                              = 1054223150
read(6, "00000001 OK LOGIN Ok.\r\n", 8192) = 23
alarm(0)                                = 0
alarm(0)                                = 0
alarm(0)                                = 0
alarm(0)                                = 0
alarm(0)                                = 0
alarm(0)                                = 0
time(NULL)                              = 1054223150
time(NULL)                              = 1054223150
select(7, NULL, [6], [6], NULL)         = 1 (out [6])
time(NULL)                              = 1054223150
write(6, "00000002 CAPABILITY\r\n", 21) = 21
time(NULL)                              = 1054223150
time(NULL)                              = 1054223150
select(7, [6], NULL, [6], NULL)         = 1 (in [6])
time(NULL)                              = 1054223150
read(6, "* CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE\r\n00000002 OK CAPABILITY completed\r\n", 8192) = 141
alarm(0)                                = 0
alarm(0)                                = 0
alarm(0)                                = 0
alarm(0)                                = 0
alarm(0)                                = 0
alarm(0)                                = 0
time(NULL)                              = 1054223150
alarm(0)                                = 0
alarm(0)                                = 0
--- SIGSEGV (Segmentation fault) ---
```

Well, of course there are many more strace files... I am happy to send you those, well, that would be better than posting it all here I suppose.

I would appreciate any help... please.

----------

## kanuso

Have you tried to emerge PHP without SSL support, or add a /notls to the host parameter of open_imap (or imap_open, or else...) function in the php code?

I'm not actually sure if this could help, but I got many problems after authentication because of imap support in php using ssl. It wasn't THIS problem, but it may make sense if you had some problem with ssl headers, etc...

----------

## drtebi

Hello,

I re-emerged uw-imap without ssl support, and then rebuilt PHP (I install it from source) without the "--with-imap-ssl" configure option. It still did not work and gave me the same errors.

You mentioned

> The problem could arise from compilation flags or configuration error.

... and while I was on the search on the 'net, I found that that is probably my reason.

Well, but instead of unmerging all the programs I installed already, and re-emerging them with the most basic CFLAGS (I had mine set in make.conf to CFLAGS="-march=pentium4 -O3 -pipe", which I thought was correct), I did something else... 

I have a similar machine at my house, with almost the same hardware and pretty much the same Gentoo setup. On the home-machine, everything with IMAP etc. worked just great, so I just uploaded the httpd file from the home-server to my production server. And it works!

So, I am sure there are many dangers of this... well, are there really? Please slap me and tell me all that could go wrong now ;) So far I have no errors at all.

----------

## kanuso

From /etc/make.conf :

```
# CRITICAL WARNINGS: ****************************************************** #
# ATHLON-4 will generate invalid SSE  instructions; use 'athlon'   instead. #
# PENTIUM4 will generate invalid SSE2 instructions; use 'pentium3' instead. #
# ************************************************************************* #
```

Try changing the CFLAG and remerging mm, gdbm, openssl, mod_php and apache. The problem could just be that the httpd binary is "corrupted" because of compilation flags.

In fact, I would recommend you to rebuild all your system with emerge -e world. If you have more PCs with the cflag pentium4, you may want to use emerge's -b option to generate "packets", and -k to use them on the other PCs in order to avoid compiling the same ebuilds in all your machines.

----------

## drtebi

Well,

I will consider doing this before I rebuild apache again.

However, the "home system" did not have the pentium4 flag set, it's a pentium 3 anyway. So the compiled httpd binary that I copied from the "home server" to the "production server" should be correct then, right?

----------

## kanuso

*drtebi wrote:*

> However, the "home system" did not have the pentium4 flag set, it's a pentium 3 anyway. So the compiled httpd binary that I copied from the "home server" to the "production server" should be correct then, right?

Yes, the binary may be correct, but the libraries and shared modules it uses (along with some other random packages) might not be.

----------

