We recently upgraded to mod_perl 2.0.11 and I found this bug was still
in there. My original report had been send to modperl@perl.apache.org
and maybe it fell in the bit bucket. I am resending this to the
mod_perl users mailing list per the instructions at
https://perl.apache.org/docs/2.0/user/help/help.html#Reporting_Problems
. We're running Apache 2.4 on Centos.
- - -
Greetings. I have a hard time believing that I have found a bug in
this, but the evidence is difficult to deny.
We have customized mod_perl to patch post_config() in PerlSections.pm so
that it writes out the directives to a file, because we use a dynamic
configuration that mod_perl runs using database queries. This patch
lets us see the actual configuration Apache was given.
We started getting nonsensical syntax errors during apachectl -t and
narrowed this down to when a ServerAlias line exceeded a certain
length. The config file as written out was correct so eventually I
instrumented svav_getstr to write out the strings it was returning to
ap_build_config(). I got it to write out the bufsiz and buf. Extract:
bufsiz = 207, buf = ServerAlias new new.jpl.nasa.gov lug
lug.jpl.nasa.gov uavsarwiki uavsarwiki.jpl.nasa.gov m2020mobility
m2020mobility.jpl.nasa.gov sec274 sec274.jpl.nasa.gov dhac
dhac.jpl.nasa.gov mediawiki mediawiki.jpl.na
bufsiz = 209, buf = <Directory /websites/redirectinternal/www>
Shortly after this Apache complained about seeing </Directory> when it
was expecting </VirtualHost>. You can see that the bufsiz passed is only
207, and the ServerAlias line is truncated (there was another 100+
bytes). I assumed that it was concatenating the <Directory> line onto
it so that it never saw the <Directory> opening directive.
I fixed this by patching svav_getstr to recognize whether SvPVX(sv) was
longer than bufsiz and saving the remainder for the next call. That code
is so horrible that the only reason I am attaching it is in the hope
that it motivates someone to create a proper patch so that no one sees
my message as the final word on this subject in this thread. It has
however fixed our problem without (yet) introducing any others.
Why Apache calls this with such silly small buffer sizes is beyond me,
but it seems to be coming from VARBUF_INIT_LEN being set to 200 in
server/config.c. It seems to grow the buffer size only when it thinks
it needs to.
So the bottom line is that svav_getstr does not deal with the
possibility of a line being longer than bufsiz, and it is in practice
called with bufsiz being a tiny number. It needs to be able to save the
rest of a long line to return on the next call.
-------------8<---------- Start Bug Report ------------8<----------
1. Problem Description:
[DESCRIBE THE PROBLEM HERE]
2. Used Components and their Configuration:
*** mod_perl version 2.000010
*** using /tmp/mod_perl/mod_perl-2.0.10/lib/Apache2/BuildConfig.pm
*** Makefile.PL options:
MP_APR_LIB => aprext
MP_APXS => /bin/apxs
MP_COMPAT_1X => 1
MP_GENERATE_XS => 1
MP_LIBNAME => mod_perl
MP_USE_DSO => 1
*** The httpd binary was not found
*** (apr|apu)-config linking info
-L/usr/lib64 -laprutil-1 -lldap_r -llber -ldb-5.3 -lexpat -ldb-5.3
-lapr-1 -lpthread -ldl
*** /usr/bin/perl -V
Summary of my perl5 (revision 5 version 16 subversion 3) configuration:
Platform:
osname=linux, osvers=3.10.0-514.16.1.el7.x86_64,
archname=x86_64-linux-thread-multi
uname='linux c1bm.rdu2.centos.org 3.10.0-514.16.1.el7.x86_64 #1 smp
wed apr 12 15:04:24 utc 2017 x86_64 x86_64 x86_64 gnulinux '
config_args='-des -Doptimize=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
-Dccdlflags=-Wl,--enable-new-dtags -Dlddlflags=-shared -O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
-Wl,-z,relro -DDEBUGGING=-g -Dversion=5.16.3 -Dmyhostname=localhost
-Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dprefix=/usr
-Dvendorprefix=/usr -Dsiteprefix=/usr/local
-Dsitelib=/usr/local/share/perl5 -Dsitearch=/usr/local/lib64/perl5
-Dprivlib=/usr/share/perl5 -Dvendorlib=/usr/share/perl5/vendor_perl
-Darchlib=/usr/lib64/perl5 -Dvendorarch=/usr/lib64/perl5/vendor_perl
-Darchname=x86_64-linux-thread-multi -Dlibpth=/usr/local/lib64 /lib64
/usr/lib64 -Duseshrplib -Dusethreads -Duseithreads
-Dusedtrace=/usr/bin/dtrace -Duselargefiles -Dd_semctl_semun -Di_db
-Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio
-Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly
-Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto
-Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto
-Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin
-Dusesitecustomize'
hint=recommended, useposix=true, d_sigaction=define
useithreads=define, usemultiplicity=define
useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
use64bitint=define, use64bitall=define, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing
-pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64',
optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-m64 -mtune=generic',
cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe
-fstack-protector -I/usr/local/include'
ccversion='', gccversion='4.8.5 20150623 (Red Hat 4.8.5-16)',
gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='gcc', ldflags =' -fstack-protector'
libpth=/usr/local/lib64 /lib64 /usr/lib64
libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread
-lc -lgdbm_compat
perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
libc=, so=so, useshrplib=true, libperl=libperl.so
gnulibc_version='2.17'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef,
ccdlflags='-Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/perl5/CORE'
cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
-Wl,-z,relro '
Characteristics of this binary (from libperl):
Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS
PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT
PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL
USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
USE_REENTRANT_API USE_SITECUSTOMIZE
Locally applied patches:
Fedora Patch1: Removes date check, Fedora/RHEL specific
Fedora Patch3: support for libdir64
Fedora Patch4: use libresolv instead of libbind
Fedora Patch5: USE_MM_LD_RUN_PATH
Fedora Patch6: Skip hostname tests, due to builders not being
network capable
Fedora Patch7: Dont run one io test due to random builder failures
Fedora Patch9: Fix find2perl to translate ? glob properly
(RT#113054)
Fedora Patch10: Fix broken atof (RT#109318)
Fedora Patch13: Clear $@ before "do" I/O error (RT#113730)
Fedora Patch14: Do not truncate syscall() return value to 32
bits (RT#113980)
Fedora Patch15: Override the Pod::Simple::parse_file (CPANRT#77530)
Fedora Patch16: Do not leak with attribute on my variable
(RT#114764)
Fedora Patch17: Allow operator after numeric keyword argument
(RT#105924)
Fedora Patch18: Extend stack in File::Glob::glob, (RT#114984)
Fedora Patch19: Do not crash when vivifying $|
Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)
Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396)
Fedora Patch22: Fix leaking tied hashes (RT#107000) [1]
Fedora Patch23: Fix leaking tied hashes (RT#107000) [2]
Fedora Patch24: Fix leaking tied hashes (RT#107000) [3]
Fedora Patch25: Fix dead lock in PerlIO after fork from thread
(RT#106212)
Fedora Patch26: Make regexp safe in a signal handler (RT#114878)
Fedora Patch27: Update h2ph(1) documentation (RT#117647)
Fedora Patch28: Update pod2html(1) documentation (RT#117623)
Fedora Patch29: Document Math::BigInt::CalcEmu requires
Math::BigInt (CPAN RT#85015)
RHEL Patch30: Use stronger algorithm needed for FIPS in
t/op/crypt.t (RT#121591)
RHEL Patch31: Make *DBM_File desctructors thread-safe (RT#61912)
RHEL Patch32: Use stronger algorithm needed for FIPS in
t/op/taint.t (RT#123338)
RHEL Patch33: Remove CPU-speed-sensitive test in Benchmark test
RHEL Patch34: Make File::Glob work with threads again
RHEL Patch35: Fix CRLF conversion in ASCII FTP upload (CPAN
RT#41642)
RHEL Patch36: Do not leak the temp utf8 copy of namepv (CPAN
RT#123786)
RHEL Patch37: Fix duplicating PerlIO::encoding when spawning
threads (RT#31923)
Built under linux
Compiled at Aug 2 2017 17:45:03
%ENV:
PERL_LWP_USE_HTTP_10="1"
@INC:
/usr/local/lib64/perl5
/usr/local/share/perl5
/usr/lib64/perl5/vendor_perl
/usr/share/perl5/vendor_perl
/usr/lib64/perl5
/usr/share/perl5
.
*** Packages of interest status:
Apache2 : -
Apache2::Request : -
CGI : -
ExtUtils::MakeMaker: 6.68
LWP : -
mod_perl : -
mod_perl2 : 2.000010
3. This is the core dump trace: (if you get a core dump):
[CORE TRACE COMES HERE]
This report was generated by t/REPORT on Thu May 24 21:06:51 2018 GMT.
-------------8<---------- End Bug Report --------------8<----------
Note: Complete the rest of the details and post this bug report to
modperl <at> perl.apache.org. To subscribe to the list send an empty
email to modperl-subscribe@perl.apache.org.
in there. My original report had been send to modperl@perl.apache.org
and maybe it fell in the bit bucket. I am resending this to the
mod_perl users mailing list per the instructions at
https://perl.apache.org/docs/2.0/user/help/help.html#Reporting_Problems
. We're running Apache 2.4 on Centos.
- - -
Greetings. I have a hard time believing that I have found a bug in
this, but the evidence is difficult to deny.
We have customized mod_perl to patch post_config() in PerlSections.pm so
that it writes out the directives to a file, because we use a dynamic
configuration that mod_perl runs using database queries. This patch
lets us see the actual configuration Apache was given.
We started getting nonsensical syntax errors during apachectl -t and
narrowed this down to when a ServerAlias line exceeded a certain
length. The config file as written out was correct so eventually I
instrumented svav_getstr to write out the strings it was returning to
ap_build_config(). I got it to write out the bufsiz and buf. Extract:
bufsiz = 207, buf = ServerAlias new new.jpl.nasa.gov lug
lug.jpl.nasa.gov uavsarwiki uavsarwiki.jpl.nasa.gov m2020mobility
m2020mobility.jpl.nasa.gov sec274 sec274.jpl.nasa.gov dhac
dhac.jpl.nasa.gov mediawiki mediawiki.jpl.na
bufsiz = 209, buf = <Directory /websites/redirectinternal/www>
Shortly after this Apache complained about seeing </Directory> when it
was expecting </VirtualHost>. You can see that the bufsiz passed is only
207, and the ServerAlias line is truncated (there was another 100+
bytes). I assumed that it was concatenating the <Directory> line onto
it so that it never saw the <Directory> opening directive.
I fixed this by patching svav_getstr to recognize whether SvPVX(sv) was
longer than bufsiz and saving the remainder for the next call. That code
is so horrible that the only reason I am attaching it is in the hope
that it motivates someone to create a proper patch so that no one sees
my message as the final word on this subject in this thread. It has
however fixed our problem without (yet) introducing any others.
Why Apache calls this with such silly small buffer sizes is beyond me,
but it seems to be coming from VARBUF_INIT_LEN being set to 200 in
server/config.c. It seems to grow the buffer size only when it thinks
it needs to.
So the bottom line is that svav_getstr does not deal with the
possibility of a line being longer than bufsiz, and it is in practice
called with bufsiz being a tiny number. It needs to be able to save the
rest of a long line to return on the next call.
-------------8<---------- Start Bug Report ------------8<----------
1. Problem Description:
[DESCRIBE THE PROBLEM HERE]
2. Used Components and their Configuration:
*** mod_perl version 2.000010
*** using /tmp/mod_perl/mod_perl-2.0.10/lib/Apache2/BuildConfig.pm
*** Makefile.PL options:
MP_APR_LIB => aprext
MP_APXS => /bin/apxs
MP_COMPAT_1X => 1
MP_GENERATE_XS => 1
MP_LIBNAME => mod_perl
MP_USE_DSO => 1
*** The httpd binary was not found
*** (apr|apu)-config linking info
-L/usr/lib64 -laprutil-1 -lldap_r -llber -ldb-5.3 -lexpat -ldb-5.3
-lapr-1 -lpthread -ldl
*** /usr/bin/perl -V
Summary of my perl5 (revision 5 version 16 subversion 3) configuration:
Platform:
osname=linux, osvers=3.10.0-514.16.1.el7.x86_64,
archname=x86_64-linux-thread-multi
uname='linux c1bm.rdu2.centos.org 3.10.0-514.16.1.el7.x86_64 #1 smp
wed apr 12 15:04:24 utc 2017 x86_64 x86_64 x86_64 gnulinux '
config_args='-des -Doptimize=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
-Dccdlflags=-Wl,--enable-new-dtags -Dlddlflags=-shared -O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
-Wl,-z,relro -DDEBUGGING=-g -Dversion=5.16.3 -Dmyhostname=localhost
-Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dprefix=/usr
-Dvendorprefix=/usr -Dsiteprefix=/usr/local
-Dsitelib=/usr/local/share/perl5 -Dsitearch=/usr/local/lib64/perl5
-Dprivlib=/usr/share/perl5 -Dvendorlib=/usr/share/perl5/vendor_perl
-Darchlib=/usr/lib64/perl5 -Dvendorarch=/usr/lib64/perl5/vendor_perl
-Darchname=x86_64-linux-thread-multi -Dlibpth=/usr/local/lib64 /lib64
/usr/lib64 -Duseshrplib -Dusethreads -Duseithreads
-Dusedtrace=/usr/bin/dtrace -Duselargefiles -Dd_semctl_semun -Di_db
-Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio
-Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly
-Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto
-Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto
-Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin
-Dusesitecustomize'
hint=recommended, useposix=true, d_sigaction=define
useithreads=define, usemultiplicity=define
useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
use64bitint=define, use64bitall=define, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing
-pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64',
optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-m64 -mtune=generic',
cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe
-fstack-protector -I/usr/local/include'
ccversion='', gccversion='4.8.5 20150623 (Red Hat 4.8.5-16)',
gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='gcc', ldflags =' -fstack-protector'
libpth=/usr/local/lib64 /lib64 /usr/lib64
libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread
-lc -lgdbm_compat
perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
libc=, so=so, useshrplib=true, libperl=libperl.so
gnulibc_version='2.17'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef,
ccdlflags='-Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/perl5/CORE'
cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
-Wl,-z,relro '
Characteristics of this binary (from libperl):
Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS
PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT
PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL
USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
USE_REENTRANT_API USE_SITECUSTOMIZE
Locally applied patches:
Fedora Patch1: Removes date check, Fedora/RHEL specific
Fedora Patch3: support for libdir64
Fedora Patch4: use libresolv instead of libbind
Fedora Patch5: USE_MM_LD_RUN_PATH
Fedora Patch6: Skip hostname tests, due to builders not being
network capable
Fedora Patch7: Dont run one io test due to random builder failures
Fedora Patch9: Fix find2perl to translate ? glob properly
(RT#113054)
Fedora Patch10: Fix broken atof (RT#109318)
Fedora Patch13: Clear $@ before "do" I/O error (RT#113730)
Fedora Patch14: Do not truncate syscall() return value to 32
bits (RT#113980)
Fedora Patch15: Override the Pod::Simple::parse_file (CPANRT#77530)
Fedora Patch16: Do not leak with attribute on my variable
(RT#114764)
Fedora Patch17: Allow operator after numeric keyword argument
(RT#105924)
Fedora Patch18: Extend stack in File::Glob::glob, (RT#114984)
Fedora Patch19: Do not crash when vivifying $|
Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)
Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396)
Fedora Patch22: Fix leaking tied hashes (RT#107000) [1]
Fedora Patch23: Fix leaking tied hashes (RT#107000) [2]
Fedora Patch24: Fix leaking tied hashes (RT#107000) [3]
Fedora Patch25: Fix dead lock in PerlIO after fork from thread
(RT#106212)
Fedora Patch26: Make regexp safe in a signal handler (RT#114878)
Fedora Patch27: Update h2ph(1) documentation (RT#117647)
Fedora Patch28: Update pod2html(1) documentation (RT#117623)
Fedora Patch29: Document Math::BigInt::CalcEmu requires
Math::BigInt (CPAN RT#85015)
RHEL Patch30: Use stronger algorithm needed for FIPS in
t/op/crypt.t (RT#121591)
RHEL Patch31: Make *DBM_File desctructors thread-safe (RT#61912)
RHEL Patch32: Use stronger algorithm needed for FIPS in
t/op/taint.t (RT#123338)
RHEL Patch33: Remove CPU-speed-sensitive test in Benchmark test
RHEL Patch34: Make File::Glob work with threads again
RHEL Patch35: Fix CRLF conversion in ASCII FTP upload (CPAN
RT#41642)
RHEL Patch36: Do not leak the temp utf8 copy of namepv (CPAN
RT#123786)
RHEL Patch37: Fix duplicating PerlIO::encoding when spawning
threads (RT#31923)
Built under linux
Compiled at Aug 2 2017 17:45:03
%ENV:
PERL_LWP_USE_HTTP_10="1"
@INC:
/usr/local/lib64/perl5
/usr/local/share/perl5
/usr/lib64/perl5/vendor_perl
/usr/share/perl5/vendor_perl
/usr/lib64/perl5
/usr/share/perl5
.
*** Packages of interest status:
Apache2 : -
Apache2::Request : -
CGI : -
ExtUtils::MakeMaker: 6.68
LWP : -
mod_perl : -
mod_perl2 : 2.000010
3. This is the core dump trace: (if you get a core dump):
[CORE TRACE COMES HERE]
This report was generated by t/REPORT on Thu May 24 21:06:51 2018 GMT.
-------------8<---------- End Bug Report --------------8<----------
Note: Complete the rest of the details and post this bug report to
modperl <at> perl.apache.org. To subscribe to the list send an empty
email to modperl-subscribe@perl.apache.org.