Ubuntu
apache2 package

Invalid memory access on ap_server_config_defines

Bug #1504354 reported by Jeffrey Hutzelman on 2015-10-09

This bug affects 1 person

	Status	Importance	Assigned to
Apache2 Web Server	Fix Released	Critical	auto-bz.apache.org #57328
apache2 (Ubuntu)	Fix Released	Undecided	Unassigned
Trusty	Fix Released	Medium	Unassigned

Bug Description

A bug in the Apache2 HTTP server results in invalid memory references
in the ap_server_config_defines array after a graceful restart. This
can result in server config variables defined by means of the Define
directive appearing to be undefined after a graceful restart. This
can cause incorrect processing of configuration files. It can also
cause the server to exit due to invalid configuration, even though
the configtest prior to reload succeeded.

This bug was reported upstream against Apache 2.4.6 and 2.4.10. It
appears in the 2.4.7-1ubuntu4.7 found in trusty-proposed, but was
fixed in 2.4.12 and so does not appear in wily.

This is upstream PR 56008 and 57328.

[Test Case]
- apt-get install apache2
- Copy ifdefine-test.conf (attached) to /etc/apache2/sites-available
- a2ensite ifdefine-test.conf
- service apache2 restart
- Observe that http://<hostname>/foo.html returns the default page
(same as http://<hostname>/)

- service apache2 reload
- Examine /var/log/apache2/error.log; observe the warning message
"Config variable ${TEST2} is not defined"
- Observe that http://<hostname>/foo.html now returns a 404.

With the bug fixed, the warning message will not appear, and the
foo.html URL will continue to work after the reload.

[Regression Potential]
Low.

The change is textually small (one line), but has a significant effect:
it ensures that a fresh copy is made of the array containing defined
variables each time the config file is read. Without this, on reloads
the original array (containing variables defined on the command line)
is modified directly, causing it to contain string pointers that will
become invalid when the configuration memory pool is released.

The patch only changes what happens when the configuration pool is
released, avoiding leaking memory references across successive reads
of the config file. As such, it is unlikely have any negative effect
on processing of the configuration, and extremely unlikely to have any
effect on operations once the server configuration has been read.

This change was applied upstream in December, 2014 and appears in the
upstream 2.4.12 release, which is in wily. The patch also appears in
2.4.10-10+deb8u2, which has been in Debian stable for about 5 weeks.

Tags:

Revision history for this message

In bz.apache.org/bugzilla/ #57328, A-abfalterer (a-abfalterer) wrote on 2014-12-08:

Created attachment 32268
Patch to dump elements of ap_server_config_defines after a graceful restart, includes also fix for the problem

== Reproduction ==

1) Find attached a patch for server/core.c that dumps the elements of ap_server_config_defines after a graceful restart.

2) Define some variables in httpd.conf, e.g.

Define arg1=val1
Define arg2=val2
Define arg3=val4

3) By doing some graceful restarts (5-10 times), the increasing number of array elements with invalid memory references can be observerd. The problem can be reproduced each time.

== Explanation ==

After a graceful restart, the reset_config_defines() function in server/core.c resets ap_server_config_defines back to its original pointer saved_server_config_defines. Henceforth, variable definitions (by means of Define) are stored in the original array, and thus, leading to invalid memory access upon next graceful restarts.

== Solution ==
A fix to the problem can be found in the provided patch file and be enabled by setting the macro constant WITH_FIX to 1.

Regards, Armin

Revision history for this message

In bz.apache.org/bugzilla/ #57328, Ylavic-dev (ylavic-dev) wrote on 2014-12-08:

Committed in r1643825.

I first misread your patch and started working on a much more complicated one, until I realized yours was the minimal/only change needed.

Thanks for the analysis and patch Armin, will propose it for 2.4.x.

Revision history for this message

In bz.apache.org/bugzilla/ #57328, Ylavic-dev (ylavic-dev) wrote on 2014-12-08:

*** Bug 56008 has been marked as a duplicate of this bug. ***

Revision history for this message

In bz.apache.org/bugzilla/ #57328, Ylavic-dev (ylavic-dev) wrote on 2015-01-23:

Backported to 2.4.11 (unreleased) in r1651083, available in upcoming 2.4.12.

Revision history for this message

Jeffrey Hutzelman (jhutz) wrote on 2015-10-09:

debdiff containing the upstream patch Edit (2.3 KiB, text/plain)

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2015-10-09:

The attachment "debdiff containing the upstream patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags:

added: patch

Bug Watch Updater (bug-watch-updater) on 2015-10-09

Changed in apache2:
importance:	Unknown → Critical
status:	Unknown → Fix Released

Robie Basak (racb) on 2015-10-13

Changed in apache2 (Ubuntu):
status:	New → Fix Released
Changed in apache2 (Ubuntu Trusty):
status:	New → Triaged
importance:	Undecided → Medium

Revision history for this message

Robie Basak (racb) wrote on 2015-10-13:

Jeffrey,

Thank you for working on this.

The debdiff looks good but will need to wait until the SRU in bug 1445914 has cleared before it can be uploaded. Can I suggest though that the message in debian/changelog be made more appropriate for Ubuntu users and developers, rather than a blanket copy from upstream's commit log which I don't think makes much sense to outsiders? It should also contain a reference to this bug.

For example:

Fix -D[efined] or <Define>[d] variables lifetime across restarts. This fixes incorrect processing of configuration files on reload (LP: #1504354).

If you let me know that you're happy with that text then I can just change it when I upload - no need for you to submit another debdiff.

Revision history for this message

Jeffrey Hutzelman (jhutz) wrote on 2015-10-13: Re: [Bug 1504354] Re: Invalid memory access on ap_server_config_defines

On Tue, 2015-10-13 at 11:00 +0000, Robie Basak wrote:

> Fix -D[efined] or <Define>[d] variables lifetime across restarts. This
> fixes incorrect processing of configuration files on reload (LP:
> #1504354).
>
> If you let me know that you're happy with that text then I can just
> change it when I upload - no need for you to submit another debdiff.

That sounds fine; thanks.

Revision history for this message

Robie Basak (racb) wrote on 2015-10-14:

Uploaded; now awaiting SRU team review.

Changed in apache2 (Ubuntu Trusty):
status:	Triaged → In Progress

Revision history for this message

Chris J Arges (arges) wrote on 2015-10-14: Please test proposed package

#10

Hello Jeffrey, or anyone else affected,

Accepted apache2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apache2 (Ubuntu Trusty):
status:	In Progress → Fix Committed
tags:	added: verification-needed

Revision history for this message

Jeffrey Hutzelman (jhutz) wrote on 2015-10-16:

#11

Configuration fragment for test case Edit (112 bytes, text/plain)

I apparently forogt to actually attach the config fragment that reproduces the problem.

Revision history for this message

Jeffrey Hutzelman (jhutz) wrote on 2015-10-16:

#12

apache 2 2.4.7-1ubuntu4.8 (in trusty-proposed) both passes the test case and fixes my original problem.

tags:

added: verification-done
removed: verification-needed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-10-21:

#13

This bug was fixed in the package apache2 - 2.4.7-1ubuntu4.8

---------------
apache2 (2.4.7-1ubuntu4.8) trusty; urgency=medium

  * Fix -D[efined] or <Define>[d] variables lifetime across restarts.
    This fixes incorrect processing of configuration files on reload
    (LP: #1504354).

-- Jeffrey Hutzelman <email address hidden> Thu, 08 Oct 2015 19:30:10 -0400

Changed in apache2 (Ubuntu Trusty):
status:	Fix Committed → Fix Released

Revision history for this message

Chris J Arges (arges) wrote on 2015-10-21: Update Released

#14

The verification of the Stable Release Update for apache2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.