nginx/1.9.9 with modsecurity/2.9.0 crashes with segfault and worker process exited on signal 11

Robert Paprocki rpaprocki at fearnothingproductions.net
Sat Jan 23 02:49:44 UTC 2016 

The modsec devel team is working hard on the new libmodsecurity. You may just be better off waiting for them to put the finishing touches on that project. Nginx + modsec 2.9 likely will get no dev attention moving forward, given that the whole system is being revamped now. 

Sent from my iPhone

> On Jan 22, 2016, at 16:44, Lukas <l at ymx.ch> wrote:
> 
> Dear all
> 
>> Lukas <l at ymx.ch> [2016-01-10 14:39]:
>> 
>> Fascinated by nginx, I attempted to integrate it with modsecurity.
>> 
>> Unfortunately, ever when modsecurity is enabled, nginx reports a
>> sefault in sysmessages.
> 
> I tried debugging the issue a bit further (from a user perspective)
> with common web-page and CalDAV with the following results:
> 
> * nginx with modsecurity switched off works perfectly as a proxy nginx
> * nginx with modsecurity switched on with one owasp rule-set
>  (modsecurity_crs_20_protocol_violations.conf) works for common
>  web-pages with multi-media content (quick test without any errors
>  reported)
> * nginx with modsecurity switched on with one owasp rule-set
>  (modsecurity_crs_20_protocol_violations.conf) does not work for
>  CalDAV.
>  error.log: 2016/01/23 01:19:07 [emerg] 4844#0: *7 posix_memalign(16,
>  4096) failed (12: Cannot allocate memory) while logging request
> * nginx with modsecurity switched on without any ruleset
>  does not work for CalDAV -- same error
> * nginx with modsecurity switched off without any ruleset
>  does work for CalDAV perfectly.
> 
> With modsecurity switched on, an Out-of-Memory exception took place
> always reporting:
> 
> [876715.533926] nginx invoked oom-killer: gfp_mask=0x280da, order=0, oom_score_adj=0
> [876715.533930] nginx cpuset=/ mems_allowed=0
> [876715.533936] CPU: 0 PID: 4844 Comm: nginx Not tainted 4.3.3-consecom-ag #1
> [876715.533937] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS debian/1.7.5-1-0-g506b58d-dirty-20140812_231322-gandalf 04/01/2014
> [876715.533939]  f5a53ed0 d52542a6 f5a6b7c0 d5110792 d55a6db0 f5a6bab4 000280da 00000000
> [876715.533943]  00000000 ffffffff 0d3f1361 00031d5e f4929cb8 00200282 f4929cb8 f4929cb0
> [876715.533946]  d50babb7 00200206 d525956e 00000002 00000002 f5020840 f5020bc4 d55a5702
> [876715.533949] Call Trace:
> [876715.533955]  [<d52542a6>] ? dump_stack+0x3e/0x58
> [876715.533959]  [<d5110792>] ? dump_header.isra.8+0x65/0x1be
> [876715.533963]  [<d50babb7>] ? delayacct_end+0x47/0xa0
> [876715.533967]  [<d525956e>] ? ___ratelimit+0x7e/0xe0
> [876715.533970]  [<d50d0fa9>] ? oom_kill_process+0x1d9/0x380
> [876715.533973]  [<d51e9d3a>] ? security_capable_noaudit+0x3a/0x60
> [876715.533977]  [<d5047b0b>] ? has_ns_capability_noaudit+0xb/0x20
> [876715.533979]  [<d50d0b76>] ? oom_badness+0x96/0x100
> [876715.533981]  [<d50d1402>] ? out_of_memory+0x252/0x320
> [876715.533984]  [<d50d4f5e>] ? __alloc_pages_nodemask+0x77e/0x7a0
> [876715.533989]  [<d50efd24>] ? handle_mm_fault+0xd54/0xf50
> [876715.533990]  [<d50f2cef>] ? vma_merge+0x1bf/0x280
> [876715.533992]  [<d50f414a>] ? do_brk+0x1ca/0x2b0
> [876715.533995]  [<d5037657>] ? __do_page_fault+0x137/0x3a0
> [876715.533998]  [<d50379f0>] ? vmalloc_sync_all+0x130/0x130
> [876715.534001]  [<d54d3566>] ? error_code+0x5a/0x60
> [876715.534003]  [<d50379f0>] ? vmalloc_sync_all+0x130/0x130
> [876715.534004] Mem-Info:
> [876715.534008] active_anon:543864 inactive_anon:208884 isolated_anon:0
> [876715.534008]  active_file:54 inactive_file:77 isolated_file:0
> [876715.534008]  unevictable:0 dirty:1 writeback:0 unstable:0
> [876715.534008]  slab_reclaimable:326 slab_unreclaimable:997
> [876715.534008]  mapped:88 shmem:4 pagetables:957 bounce:0
> [876715.534008]  free:21502 free_pcp:289 free_cma:0
> [876715.534014] DMA free:12152kB min:64kB low:80kB high:96kB active_anon:1676kB inactive_anon:1928kB active_file:8kB inactive_file:4kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15916kB mlocked:0kB dirty:0kB writeback:0kB mapped:8kB shmem:0kB slab_reclaimable:16kB slab_unreclaimable:76kB kernel_stack:8kB pagetables:20kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:120 all_unreclaimable? yes
> [876715.534016] lowmem_reserve[]: 0 839 3023 3023
> [876715.534021] Normal free:73380kB min:3528kB low:4408kB high:5292kB active_anon:386788kB inactive_anon:386844kB active_file:208kB inactive_file:276kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:892920kB managed:859928kB mlocked:0kB dirty:4kB writeback:0kB mapped:324kB shmem:0kB slab_reclaimable:1288kB slab_unreclaimable:3912kB kernel_stack:672kB pagetables:3808kB unstable:0kB bounce:0kB free_pcp:564kB local_pcp:564kB free_cma:0kB writeback_tmp:0kB pages_scanned:115004 all_unreclaimable? yes
> [876715.534022] lowmem_reserve[]: 0 0 17471 17471
> [876715.534027] HighMem free:476kB min:512kB low:2808kB high:5104kB active_anon:1786992kB inactive_anon:446764kB active_file:0kB inactive_file:28kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:2236296kB managed:2236296kB mlocked:0kB dirty:0kB writeback:0kB mapped:20kB shmem:16kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:592kB local_pcp:592kB free_cma:0kB writeback_tmp:0kB pages_scanned:7836 all_unreclaimable? yes
> [876715.534028] lowmem_reserve[]: 0 0 0 0
> [876715.534030] DMA: 4*4kB (E) 7*8kB (UE) 5*16kB (UEM) 3*32kB (U) 2*64kB (EM) 2*128kB (EM) 3*256kB (UEM) 1*512kB (E) 2*1024kB (UE) 2*2048kB (UE) 1*4096kB (M) = 12152kB
> [876715.534039] Normal: 149*4kB (UEM) 108*8kB (UEM) 63*16kB (UE) 32*32kB (UEM) 10*64kB (UE) 11*128kB (UEM) 5*256kB (UE) 2*512kB (EM) 2*1024kB (UM) 3*2048kB (UEM) 14*4096kB (M) = 73380kB
> [876715.534047] HighMem: 1*4kB (U) 1*8kB (U) 1*16kB (M) 2*32kB (UM) 0*64kB 1*128kB (M) 1*256kB (M) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 476kB
> [876715.534054] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=4096kB
> 
> Thanks for any hints
> 
> Lukas
> 
> 
> -- 
> Lukas Ruf       <http://www.lpr.ch> | Ad Personam
> Consecom  <http://www.consecom.com> | Ad Laborem
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

More information about the nginx mailing list