Fix for Segfault with Apache and mod_perl
Hi mod_perl team,

I reported a bug yesterday to the Apache team, describing a segfault that only happens if mod_perl is installed:

https://bz.apache.org/bugzilla/show_bug.cgi?id=63516

My impression was that it should be fixed in httpd2, but mod_perl is the only module that adds a configuration flag to the global ap_server_config_defines array, so it has been suggested that a one-line change go into the modperl_register_hooks() function instead:

Index: src/modules/perl/mod_perl.c
--- src/modules/perl/mod_perl.c.orig
+++ src/modules/perl/mod_perl.c
@@ -861,7 +861,7 @@

/* for <IfDefine MODPERL2> and Apache2->define("MODPERL2") */
*(char **)apr_array_push(ap_server_config_defines) =
- apr_pstrdup(p, "MODPERL2");
+ apr_pstrdup(ap_server_config_defines->pool, "MODPERL2");

ap_hook_pre_config(modperl_hook_pre_config,
NULL, NULL, APR_HOOK_MIDDLE);
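
Review bot: The comment above the changed apr_pstrdup() line says what the define is for, but not why the string is now taken from ap_server_config_defines->pool instead of the function's p argument, so a later cleanup could switch it back to p and reintroduce the lifetime bug. Suggest extending that comment with one sentence stating that the string must live as long as the ap_server_config_defines array and is therefore allocated from the array's own pool.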

Essentially, the pool provided as an argument to this function doesn't have a long enough lifetime to safely be used as backing storage for the "MODPERL2" string. This change uses the pool that the ap_server_config_defines array itself was created in, thereby giving the "MODPERL2" string the same lifetime as the array it is being added to.

As far as I can tell, this use-after-free bug has been sitting there for quite a few years now but Apache only segfaults if your OS is strict enough about reclaiming/unmapping freed memory.

Currently, this issue causes httpd2 to segfault during startup the majority of the time on OpenBSD 6.5.

I'd really appreciate it if someone could either confirm that the above patch is OK and apply it to mod_perl, or jump on the above Apache bug report and add a comment explaining why it isn't.

Thanks!

Sam


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org
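
The lifetime mismatch described in the message above, modelled as an added example that is not part of the original thread and is not mod_perl, httpd or APR code. The toy `pool`, `str_array`, `foreign_elements` and `define_survives` names are hypothetical stand-ins; only the "MODPERL2" string and the idea of an array that records its own pool come from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size bump allocator standing in for an APR pool (not the APR API). */
typedef struct { char buf[64]; size_t used; int live; } pool;

/* Model a strict allocator: a destroyed pool's memory is junk-filled. */
static void pool_destroy(pool *p) { memset(p->buf, 0xDF, sizeof p->buf); p->live = 0; }

static char *pool_strdup(pool *p, const char *s) {
    size_t n = strlen(s) + 1;
    if (!p->live || p->used + n > sizeof p->buf) return NULL;
    p->used += n;
    return memcpy(p->buf + p->used - n, s, n);
}

/* String array that records its owning pool, like ap_server_config_defines->pool. */
typedef struct { pool *pool; const char *elts[4]; int nelts; } str_array;

/* Count elements whose storage lies outside the array's own live pool. */
static int foreign_elements(const str_array *a) {
    uintptr_t lo = (uintptr_t)a->pool->buf, hi = lo + sizeof a->pool->buf;
    int bad = 0;
    for (int i = 0; i < a->nelts; i++) {
        uintptr_t e = (uintptr_t)a->elts[i];
        bad += (!a->pool->live || e < lo || e >= hi);
    }
    return bad;
}

/* Push "MODPERL2" from the chosen pool, destroy the hook pool, then check the
   array: returns 1 if the define is intact, 0 if the element now dangles. */
static int define_survives(int use_array_pool) {
    pool array_pool = { {0}, 0, 1 }, hook_pool = { {0}, 0, 1 };
    str_array defines = { &array_pool, {0}, 0 };
    pool *src = use_array_pool ? defines.pool : &hook_pool;
    defines.elts[defines.nelts++] = pool_strdup(src, "MODPERL2");
    pool_destroy(&hook_pool);
    return foreign_elements(&defines) == 0
        && memcmp(defines.elts[0], "MODPERL2", 9) == 0;
}

int main(void) {
    printf("from hook pool: %d\n", define_survives(0));   /* dangles */
    printf("from array pool: %d\n", define_survives(1));  /* intact */
    return 0;
}
```

The same ownership check (does each element's address fall inside the container's own pool?) is a cheap debug assertion for any pool-based code that stores pointers in long-lived global arrays.
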
Re: Fix for Segfault with Apache and mod_perl
Looks good to me

Sent from the depths of my mind on an iPhone

> On Jun 19, 2019, at 17:22, Sam Vaughan <samjvaughan@gmail.com> wrote:


Re: Fix for Segfault with Apache and mod_perl
Looks fine to me too. Will give it a test...

On Thu, 20 Jun 2019 at 01:28, Philippe Chiasson <gozer@ectoplasm.org> wrote:
>
> Looks good to me
>
> Sent from the depths of my mind on an iPhone

Re: Fix for Segfault with Apache and mod_perl
Thanks for the report, Sam (and to Joe for the fix). This is now
committed to mod_perl trunk:
http://svn.apache.org/viewvc?view=revision&revision=1861755

On Thu, 20 Jun 2019 at 09:07, Steve Hay <steve.m.hay@googlemail.com> wrote:
>
> Looks fine to me too. Will give it a test...

Re: Fix for Segfault with Apache and mod_perl
That's great thanks Steve, much appreciated!

Will there be a 2.0.11 release with this fix?

Cheers,

Sam

> On 21 Jun 2019, at 5:38 pm, Steve Hay <steve.m.hay@googlemail.com> wrote:
>
> Thanks for the report, Sam (and to Joe for the fix). This is now
> committed to mod_perl trunk:
> http://svn.apache.org/viewvc?view=revision&revision=1861755


Re: Fix for Segfault with Apache and mod_perl
Yes, I'd like to do a 2.0.11 soon: We have a few bug fixes committed
since 2.0.10 and this crash fix seems like a good time to make a new
release.
I'll try to get the wheels in motion for an RC1 :-)

On Fri, 21 Jun 2019 at 08:56, Sam Vaughan <samjvaughan@gmail.com> wrote:
>
> That's great thanks Steve, much appreciated!
>
> Will there be a 2.0.11 release with this fix?
>
> Cheers,
>
> Sam
