Crashes with SIGSEGV due to undefined behaviour when calling perl_parse

Bug #1915959 reported by lordaro
Affects                               Status        Importance  Assigned to    Milestone
libapache2-mod-perl2 (Ubuntu)         Fix Released  Undecided   Unassigned
libapache2-mod-perl2 (Ubuntu Focal)   Fix Released  Medium      Utkarsh Gupta

Bug Description

[Impact]
========

While setting up a perl web application with mod_perl & apache, apache keeps segfaulting.

Broke out gdb, and found that it was segfaulting within perl itself

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7358ff5 in perl_parse () from /lib/x86_64-linux-gnu/libperl.so.5.30
(gdb) bt
#0 0x00007ffff7358ff5 in perl_parse () from /lib/x86_64-linux-gnu/libperl.so.5.30
#1 0x00007ffff764cd0c in modperl_startup () from /usr/lib/apache2/modules/mod_perl.so
#2 0x00007ffff764cc97 in modperl_startup () from /usr/lib/apache2/modules/mod_perl.so
#3 0x00007ffff764d0fa in modperl_init () from /usr/lib/apache2/modules/mod_perl.so
#4 0x00007ffff764d27b in modperl_hook_init () from /usr/lib/apache2/modules/mod_perl.so
#5 0x00005555555b23d4 in ap_run_open_logs ()
#6 0x000055555558c440 in main ()

 # valgrind apache2 -k start -X
==22529== Memcheck, a memory error detector
==22529== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==22529== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==22529== Command: apache2 -k start -X
==22529==
==22529== Invalid read of size 8
==22529== at 0x564AFF5: perl_parse (in /usr/lib/x86_64-linux-gnu/libperl.so.5.30.0)
==22529== by 0x55A8D0B: modperl_startup (in /usr/lib/apache2/modules/mod_perl.so)
==22529== by 0x55A8C96: modperl_startup (in /usr/lib/apache2/modules/mod_perl.so)
==22529== by 0x55A90F9: modperl_init (in /usr/lib/apache2/modules/mod_perl.so)
==22529== by 0x55A927A: modperl_hook_init (in /usr/lib/apache2/modules/mod_perl.so)
==22529== by 0x1663D3: ap_run_open_logs (in /usr/sbin/apache2)
==22529== by 0x14043F: main (in /usr/sbin/apache2)
==22529== Address 0x5a44000 is not stack'd, malloc'd or (recently) free'd
==22529==
==22529==
==22529== Process terminating with default action of signal 11 (SIGSEGV)
==22529== Access not within mapped region at address 0x5A44000
==22529== at 0x564AFF5: perl_parse (in /usr/lib/x86_64-linux-gnu/libperl.so.5.30.0)
==22529== by 0x55A8D0B: modperl_startup (in /usr/lib/apache2/modules/mod_perl.so)
==22529== by 0x55A8C96: modperl_startup (in /usr/lib/apache2/modules/mod_perl.so)
==22529== by 0x55A90F9: modperl_init (in /usr/lib/apache2/modules/mod_perl.so)
==22529== by 0x55A927A: modperl_hook_init (in /usr/lib/apache2/modules/mod_perl.so)
==22529== by 0x1663D3: ap_run_open_logs (in /usr/sbin/apache2)
==22529== by 0x14043F: main (in /usr/sbin/apache2)

gdb indicated that it was erroring very early in perl's runtime, before it had got to any perl code. When using debug symbols, the exact line it was failing on was `scriptname = argv[0];` (perl.c:2365). It wasn't possible to reason beyond that, as stepping through optimised code, even with debug symbols, is next to impossible to make any sense of.

I did find that building an unoptimised perl made the error go away.

I found the following closed issue: https://github.com/Perl/perl5/issues/15806 which describes the same issue I was having.

Looking at the source for mod_perl, I found that the argv array passed to perl_parse() is not NULL terminated, as is required by perl (documentation: https://perldoc.perl.org/perlembed#Adding-a-Perl-interpreter-to-your-C-program ).

After patching this, the problem went away and didn't come back. Patch is attached.

[Test Plan]
===========

 # ls
libapache2-mod-perl2_2.0.11-2_amd64.clean.deb libapache2-mod-perl2_2.0.11-2_amd64.patched.deb

 # dpkg -i libapache2-mod-perl2_2.0.11-2_amd64.clean.deb
(Reading database ... 33224 files and directories currently installed.)
Preparing to unpack libapache2-mod-perl2_2.0.11-2_amd64.clean.deb ...
Unpacking libapache2-mod-perl2 (2.0.11-2) over (2.0.11-2) ...
Setting up libapache2-mod-perl2 (2.0.11-2) ...
apache2_invoke perl: already enabled

 # source /etc/apache2/envvars

 # apache2 -k start -X
Segmentation fault (core dumped)

 # dpkg -i libapache2-mod-perl2_2.0.11-2_amd64.patched.deb
(Reading database ... 33224 files and directories currently installed.)
Preparing to unpack libapache2-mod-perl2_2.0.11-2_amd64.patched.deb ...
Unpacking libapache2-mod-perl2 (2.0.11-2) over (2.0.11-2) ...
Setting up libapache2-mod-perl2 (2.0.11-2) ...
apache2_invoke perl: already enabled

 # apache2 -k start -X
<success>^C

 # dpkg -i libapache2-mod-perl2_2.0.11-2_amd64.clean.deb
(Reading database ... 33224 files and directories currently installed.)
Preparing to unpack libapache2-mod-perl2_2.0.11-2_amd64.clean.deb ...
Unpacking libapache2-mod-perl2 (2.0.11-2) over (2.0.11-2) ...
Setting up libapache2-mod-perl2 (2.0.11-2) ...
apache2_invoke perl: already enabled

 # apache2 -k start -X
Segmentation fault (core dumped)

So after the SRU is performed, apache should no longer segfault.

[Where problems could occur]
============================

The argument parsing code is being changed (taking in a NULL terminator now), so edge case failures are likely to be in that area. Should be trivial to handle, though.
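The NULL-terminator requirement the report points to, shown as an added C example; this is not code from the bug report, from mod_perl or from perl. It builds an argv the way an embedding host should (one extra slot holding NULL), checks that precondition before the array would be handed to perl_parse(), and walks the array the way a switch parser does, stopping at the terminator. The argument list ("perl", "-w", "-T", "startup.pl") is constructed for the example, and scriptname_from_argv() is a simplified stand-in for perl's switch handling, not perl's real code.

```c
/* Added example: building and validating a NULL-terminated argv for an
 * embedded interpreter such as perl_parse(). Not mod_perl's or perl's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable strdup replacement so the file builds under strict -std=c11. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Free an argv built by build_argv(). Relies on the NULL terminator to stop. */
void free_argv(char **argv)
{
    if (!argv) return;
    for (char **p = argv; *p; p++) free(*p);
    free(argv);
}

/* Copy nargs strings into a new array with nargs + 1 slots; the last slot is
 * NULL, which perlembed requires (argv[argc] == NULL). calloc() zero-fills,
 * so a partially built array is still safe to free on allocation failure. */
char **build_argv(const char *const *args, int nargs, int *argc_out)
{
    if (nargs < 0) return NULL;
    char **argv = calloc((size_t)nargs + 1, sizeof *argv);
    if (!argv) return NULL;
    for (int i = 0; i < nargs; i++) {
        argv[i] = dup_str(args[i]);
        if (!argv[i]) { free_argv(argv); return NULL; }
    }
    argv[nargs] = NULL;              /* already zero; explicit for readers */
    if (argc_out) *argc_out = nargs;
    return argv;
}

/* Precondition check to run before calling perl_parse(): returns 1 when
 * argv[0..argc-1] are all non-NULL and argv[argc] is NULL, else 0. */
int argv_is_terminated(int argc, char *const *argv)
{
    if (!argv || argc < 1) return 0;
    for (int i = 0; i < argc; i++)
        if (!argv[i]) return 0;
    return argv[argc] == NULL;
}

/* Simplified stand-in (hypothetical, not perl's code) for the switch scan that
 * crashed in the report: skip the program name and leading "-x" switches,
 * then take the next entry as the script name. The loop only stops because
 * it hits the NULL terminator; an unterminated array would be read past its
 * end here. A bare "-" or the end of the list means "read program from stdin". */
const char *scriptname_from_argv(char *const *argv)
{
    argv++;                                          /* skip argv[0] */
    while (*argv && (*argv)[0] == '-' && (*argv)[1] != '\0')
        argv++;                                      /* skip -w, -T, ... */
    return *argv ? *argv : "-";
}

/* Runs the whole flow on a constructed argument list; returns 1 on success. */
int run_example(void)
{
    static const char *const args[] = { "perl", "-w", "-T", "startup.pl" };
    int argc = 0;
    char **argv = build_argv(args, 4, &argc);
    if (!argv) return 0;
    int ok = argv_is_terminated(argc, argv)
          && strcmp(scriptname_from_argv(argv), "startup.pl") == 0;
    free_argv(argv);
    return ok;
}

int main(void)
{
    printf("example %s\n", run_example() ? "ok" : "FAILED");
    return run_example() ? 0 : 1;
}
```

The check in argv_is_terminated() is cheap enough to keep in the embedding host permanently rather than only while debugging: it turns an out-of-bounds read inside libperl, which as the report shows only surfaces under some memory layouts, into a deterministic failure at the call site.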

Revision history for this message
lordaro (charlespigott) wrote :

Oops, looks like my gdb/valgrind output formatting got messed up. Should still be broadly readable

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Proposed patch fixing the issue" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Paride Legovini (paride) wrote :

Hello and thanks for all the debugging work here. I agree with your analysis, I think that we have a bug here and the fix you proposed LGTM. However despite my efforts I couldn't reproduce the segfault. I specifically tried with ubuntu-minimal:focal containers with just apache2 and libapache2-mod-perl2 installed, enabled the perl module, stopped apache2 and re-started it manually like you did but to no avail, even after trying several times in different containers or environments.

I understand the very nature of the bug may make it difficult to reproduce, but a reproducer will make the whole process of including the fix and shipping it in existing Ubuntu stable releases both easier and more solid. Even "obvious fixes" carry a regression potential, which has to be weighted against the benefits of shipping the fix, and for some reason users hit the issue you described quite rarely. Can you think of a way to force the crash to happen, or at least make it much more probable?

Also it may be worth submitting your patch upstream. Upstreamed patches are always a win-win: it's easier for downstream distributions to cherry-pick and later drop patches included upstream, package maintenance is easier, the patch gets broader testing and the wider ecosystem benefits from it. Would you consider submitting your patch to the Apache mod_perl project [1]?

I'm marking this bug report as Incomplete for the moment, which simply means that we're waiting for further comments/information.

[1] https://perl.apache.org/contribute/index.html

Changed in libapache2-mod-perl2 (Ubuntu):
status: New → Incomplete
Revision history for this message
lordaro (charlespigott) wrote :

The crash is bizarre. I have plenty of other hosts that are making use of mod_perl with no issues at all. It can't be (directly) application specific, as it's crashing before it even gets to running any of the perl. If I uninstall mariadb (required for this application), it starts working again. If I reinstall mariadb, it keeps on working. If I recreate the container from scratch, it reliably starts segfaulting. When I fiddle with it some amount with debug packages and so on, it starts working again and I can't make it break again.

Such is undefined behaviour and invalid memory accesses, I suppose.

You might be able to try debug mod_perl + debug perl - perhaps that will reliably show up the invalid read error in valgrind?

And yes, I did look into submitting the patch upstream but frankly the email system and everything else scared me off. The project doesn't look particularly active either. However, I'll look a bit deeper to see what I can do.

Revision history for this message
lordaro (charlespigott) wrote :

Success!

https://svn.apache.org/viewvc?view=revision&revision=1886793

Consider this a backport request :)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache2-mod-perl2 - 2.0.11-4

---------------
libapache2-mod-perl2 (2.0.11-4) unstable; urgency=medium

  * Add a patch from upstream SVN to fix a SIGSEGV crash due to wrong use
    of perl_parse(). (LP: #1915959)
  * Update years of packaging copyright.

 -- gregor herrmann <email address hidden> Mon, 22 Feb 2021 19:00:30 +0100

Changed in libapache2-mod-perl2 (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
lordaro (charlespigott) wrote :

Thank you. Is there anything that needs to be done/can be done to get this backported to focal?

Revision history for this message
gregor herrmann (gregoa) wrote : Re: [Pkg-perl-maintainers] [Bug 1915959] Re: Crashes with SIGSEGV due to undefined behaviour when calling perl_parse

On Fri, 26 Feb 2021 10:00:44 -0000, lordaro wrote:

> Thank you. Is there anything that needs to be done/can be done to get
> this backported to focal?

Probably, but I'm not familiar with Ubuntu processes (I uploaded the
fix to Debian/unstable from where it migrated to Ubuntu/hirsute).

Maybe https://wiki.ubuntu.com/StableReleaseUpdates has the answer, or
someone else will chime in here.

Cheers,
gregor, Debian Perl Group

--
 .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `- NP: Mark Knopfler: Wanderlust

Revision history for this message
Robie Basak (racb) wrote :

Yes, this can be backported to Focal. It will need somebody affected to commit to doing the necessary QA after the update is prepared (without that QA, we won't be able to land the update).

The process is documented at https://wiki.ubuntu.com/StableReleaseUpdates#Procedure as gregor correctly pointed out. I'll add this task to the server team's backlog. If you'd like to do it sooner, you are welcome to prepare the update yourself following the documented process.

The commit that needs to be cherry-picked is here: https://salsa.debian.org/perl-team/modules/packages/libapache2-mod-perl2/-/commit/ad28961ec0e3ac3e450eb47c53c6d8cc114fb17d

Changed in libapache2-mod-perl2 (Ubuntu Focal):
status: New → Triaged
importance: Undecided → Medium
tags: added: bitesize server-next
lordaro (charlespigott)
description: updated
Revision history for this message
lordaro (charlespigott) wrote :

Not to nag or anything, but any sort of timescale on this? I'd happily help out, but having read through the process I'm not actually sure what needs doing...

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hi Charles,

I am almost done preparing an update. This should land very soon! I'll keep you updated here.

Changed in libapache2-mod-perl2 (Ubuntu Focal):
assignee: nobody → Utkarsh Gupta (utkarsh)
Utkarsh Gupta (utkarsh)
description: updated
Utkarsh Gupta (utkarsh)
description: updated
Utkarsh Gupta (utkarsh)
Changed in libapache2-mod-perl2 (Ubuntu Focal):
status: Triaged → Fix Committed
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello lordaro, or anyone else affected,

Accepted libapache2-mod-perl2 into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libapache2-mod-perl2/2.0.11-2ubuntu0.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-focal
Revision history for this message
lordaro (charlespigott) wrote :

Thanks very much!

2.0.11-2ubuntu0.20.04.1 fixes the bug for me.

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Awesome, thanks, Charles.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache2-mod-perl2 - 2.0.11-2ubuntu0.20.04.1

---------------
libapache2-mod-perl2 (2.0.11-2ubuntu0.20.04.1) focal; urgency=medium

  * Fix a SIGSEGV crash. (LP: #1915959)
    - d/p/Fix_SIGSEGV_perl_parse.patch: Add a patch from upstream
      SVN to fix a SIGSEGV crash due to wrong use of perl_parse().
      + Thanks, Charles Pigott, for the patch.

 -- Utkarsh Gupta <email address hidden> Fri, 19 Mar 2021 19:00:24 +0530

Changed in libapache2-mod-perl2 (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for libapache2-mod-perl2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
