Date: Thu, 21 Jun 2012 04:39:11 -0400 From: Michael Powell <nightrecon@hotmail.com> To: freebsd-questions@freebsd.org Subject: Re: apache PHP suhosin load Message-ID: <jrumj8$b1o$1@dough.gmane.org> References: <CAEFCw4uyugX6t2PEJREVZMRCnKhmBz81QXS2MGvYBX3O6-HWaQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
n dhert wrote: > On FreeBSD 8.3 I have apache22 web server with PHP. PHP is PHP52 for > compatibility with existing applications, but the most recent version > in the php52 branch > $ php --version > PHP 5.2.17 with Suhosin-Patch 0.9.7 (cli) (built: May 7 2012 08:45:58) > >>From time to time, I notice in a top output, that a huge number of httpd > daemons are being started, making the load rapidly increase to levels of > 5, 10, 15, ... and very slow interactive respons ... > > Stopping apache makes the load rapidly decrease to a normal level. > > I noticed at the console, at stopping apache, several messages such as > > Jun 14 09:12:20 macos kernel: Jun 14 09:12:20 macos suhosin[28824]: ALERT > - canary mismatch on efree() - heap overflow detected (attacker > 'REMOTE_ADDR not set', file > '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php', > line 654) > > (the file value differs, but it's always "suhosin .. canany mismatch > - heap overflow detected") > My PHP has following options set > # cd /usr/ports/lang/php52 > > My PHP has following options set > # cd /usr/ports/lang/php52 > # make showconfig > ===> The following configuration options are available for php52-5.2.17_8: > CLI=on: Build CLI version > CGI=on: Build CGI version > APACHE=on: Build Apache module > DEBUG=off: Enable debug > SUHOSIN=on: Enable Suhosin protection system (not for jails) > MULTIBYTE=off: Enable zend multibyte support > IPV6=on: Enable ipv6 support > MAILHEAD=off: Enable mail header patch > REDIRECT=off: Enable force-cgi-redirect support (CGI only) > DISCARD=off: Enable discard-path support (CGI only) > FASTCGI=on: Enable fastcgi support (CGI only) > FPM=off: Enable fastcgi process manager (CGI only) > PATHINFO=on: Enable path-info-check support (CGI only) > LINKTHR=off: Link thread lib (for threaded extensions) > > Is that heap overlow causing the trouble? Has suhosin to do something with > it? Most likely - yes. I noticed in your config above you built and installed the Apache PHP module in addition to CGI/FastCGI. If you are running Apache in a FastCGI mode you should check and make sure the following is indeed commented out like below: #LoadModule php5_module libexec/apache22/libphp5.so The general purpose meaning of this error is that PHP has detected some form of memory corruption. But as to why/what exactly it doesn't help much. The general way I used to look at Apache and PHP problems was to isolate pieces. Like only loading the core PHP and no extensions by renaming the extensions.ini to extensions.ini.bak. This is bound to cause problems as most PHP apps today require a certain basic number of modules enabled in order to work. 2 things to troubleshoot looking for a bad module: comment each out one at a time and restart. When you comment out the bad one you will no longer see the error. Another second item to be aware of is sometimes certain module combinations need to be loaded in extensions.ini in a specific order. Figuring out this order can be nightmarish, should it ever actaully be found to be a problem. Long time ago someone wrote a script to automate this. I seem to have a distant memory that back in early PHP 5.2.x days I had a problem with the mcrypt module. Maybe try commenting that one out first. If you don't need it leave it that way. I also seem to have experienced this error a second time, and it was from a bad interaction between Suhosin patch and two other build options being enabled, one was the Mailhead and I don't remember what the other one was(maybe it was IPv6). I found when I disabled these 2 things I could build with the Suhosin patch and stuff ran correctly. -Mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?jrumj8$b1o$1>