Segfaults in libfreeblpriv3.so after upgrading to RHEL/CentOS 6.8

By | June 27, 2016

Please be aware of the following bug in RHEL and CentOS 6.8 when using Xen as your hypervisor. We experienced this issue on a couple of servers after updating CentOS, after which some websites started serving “503 Service Unavailable” or “404 Page not found” errors. The website-related log files didn’t show any issues; only “dmesg” contained one or more of the following errors:

php-fpm70[6523] trap invalid opcode ip:7f3a78704d60 sp:7fff6426b838 error:0 in libfreeblpriv3.so[7f3a786b2000+72000]

Also, cURL could not connect to URLs behind https; it exited with the error: Illegal Instruction
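A triage helper for the dmesg symptom above, added here as an example and not part of the original post: it picks out invalid-opcode traps raised inside libfreeblpriv3.so and converts each instruction pointer to an offset within the library, which stays the same across processes even though load addresses differ. The function names and every sample line except the first are constructed for illustration.

```python
import re

# Kernel report for a user-space trap, in the format of the dmesg line above.
TRAP_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]:? trap (?P<trap>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:[0-9a-f]+ error:[0-9a-f]+"
    r" in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# First line is the one quoted in this post; the rest are constructed samples.
SAMPLE_DMESG = """\
php-fpm70[6523] trap invalid opcode ip:7f3a78704d60 sp:7fff6426b838 error:0 in libfreeblpriv3.so[7f3a786b2000+72000]
httpd[2211] trap invalid opcode ip:7f10c2e52d60 sp:7ffd1b2a9c18 error:0 in libfreeblpriv3.so[7f10c2e00000+72000]
[ 4521.113] curl[9001] trap invalid opcode ip:7fb4a1a52d60 sp:7ffe0a11b2d8 error:0 in libfreeblpriv3.so[7fb4a1a00000+72000]
demo[42] trap invalid opcode ip:400d60 sp:7ffc00001000 error:0 in demo[400000+1000]
myapp[3100]: segfault at 0 ip 00007f5b1c0a1234 sp 00007ffc3a2b1c10 error 4 in libc-2.12.so[7f5b1c000000+18a000]
""".splitlines()


def parse_traps(lines, library="libfreeblpriv3.so", trap="invalid opcode"):
    """Return (process, pid, offset) for each matching trap inside `library`."""
    hits = []
    for line in lines:
        m = TRAP_RE.search(line)
        if not m or m.group("trap") != trap or m.group("obj") != library:
            continue
        ip, base, size = (int(m.group(k), 16) for k in ("ip", "base", "size"))
        if base <= ip < base + size:  # ignore lines whose ip is outside the mapping
            hits.append((m.group("comm"), int(m.group("pid")), ip - base))
    return hits


def by_offset(hits):
    """Map library offset -> sorted process names that crashed there."""
    grouped = {}
    for comm, _pid, offset in hits:
        grouped.setdefault(hex(offset), set()).add(comm)
    return {off: sorted(names) for off, names in grouped.items()}


if __name__ == "__main__":
    for off, procs in by_offset(parse_traps(SAMPLE_DMESG)).items():
        print(f"libfreeblpriv3.so+{off}: {', '.join(procs)}")
```

Several unrelated services trapping at the same library offset point to one shared cause in the library rather than separate application bugs.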

We solved this issue by downgrading the NSS packages:

Then restart your services.

 

CentOS related page: https://bugs.centos.org/view.php?id=10930

RHEL related page: https://access.redhat.com/solutions/2313911

Environment

  • Red Hat Enterprise Linux (RHEL) and CentOS 6.8
  • Xen hypervisor

Issue

Segfaults in libfreeblpriv3.so after upgrading to RHEL 6.8. This affects some components that use the NSS libraries. Currently these include:

  • Apache child processes are crashing when they are using SSL
  • Calls to curl libraries that access web sites secured via https are segfaulting

Resolution

A resolution has not yet been identified. Red Hat engineers are treating this as a high-severity issue which is being actively worked on.

Root Cause

Although RHEL 6.8 does not fully support AVX extensions, some packages are still aware of the availability of AVX extensions. The nss-softokn package attempts to use AVX extensions to accelerate AES encryption operations, and this accelerated encryption operation fails.

Note: This issue has been reported on RHEL 6 guests running on a Xen hypervisor with processors that have AVX extensions.

Diagnostic Steps

  • One known reproducer is as simple as having curl installed and running /usr/bin/curl https://google.com:

One thought on “Segfaults in libfreeblpriv3.so after upgrading to RHEL/CentOS 6.8”

  1. Eugene

    Curl was working fine for me, but some website components were not, with apache throwing child pid xxxx exit signal Illegal instruction (4)
    Your fix worked.
