A lot of people have problems with PHP the language, but I’ve never come across this problem involving the Apache PHP module before.
A long-time customer got back in touch with me. A web app he’s been working on was getting ready to go prime time and they ran a security audit on the server. That audit found several things wrong, and strongly recommended an upgrade to PHP 5.2.10. As of this writing, PHP 5.2.10 was very new and Debian testing didn’t even have a package for it yet. So I fiddled around and finally found the right combination of pinning to install PHP 5.2.10 from unstable. If you are thinking “Yikes!” then you are already ahead of me.
The next day, I get an email saying that their webapp just stops. I get on and, sure enough, sometimes, randomly, you get a blank page. Not a 404, 405, or another error — just a blank white page. After a reload it works fine. I checked out /var/log/apache2/error.log and saw tons of messages with the following:
[notice] child pid 24483 exit signal Segmentation fault (11)
[notice] child pid 24485 exit signal Segmentation fault (11)
[notice] child pid 24481 exit signal Segmentation fault (11)
[notice] child pid 24489 exit signal Segmentation fault (11)
Oh, that’s bad. Playing around with it demonstrates that the seg fault happens when the page doesn’t show up — just like I thought.
Now I get into detective mode and try to figure out what the heck is going on. I found DotDeb, which makes fresh Debian packages for older releases — like PHP 5.2.10! But the installers of that package were having the same problems I had. By careful reading, it seems that Debian installed at least part of the Suhosin patch and that seems to be the culprit. Users commented that disabling it seemed to stop the seg faults — but how do you do that?
I looked at the configurations in /etc/php5 and there was a file in conf.d called suhosin.ini, but no mention of it in the main apache2/php.ini file (the main PHP config for Apache2). On a lark I moved suhosin.ini to suhosin.ini.bad and restarted Apache. And the problem went away. Like magic.
This is the problem when you are forced to always have the latest and greatest tools. And PHP is a hard one — you are always chasing your tail with its security. But it really should “just work”.

