Crashes with SIGSEGV due to undefined behaviour when calling perl_parse
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libapache2-mod-perl2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Medium | Utkarsh Gupta | |
Bug Description
[Impact]
========
While setting up a perl web application with mod_perl & apache, apache keeps segfaulting.
Broke out gdb, and found that it was segfaulting within perl itself
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7358ff5 in perl_parse () from /lib/x86_
(gdb) bt
#0 0x00007ffff7358ff5 in perl_parse () from /lib/x86_
#1 0x00007ffff764cd0c in modperl_startup () from /usr/lib/
#2 0x00007ffff764cc97 in modperl_startup () from /usr/lib/
#3 0x00007ffff764d0fa in modperl_init () from /usr/lib/
#4 0x00007ffff764d27b in modperl_hook_init () from /usr/lib/
#5 0x00005555555b23d4 in ap_run_open_logs ()
#6 0x000055555558c440 in main ()
# valgrind apache2 -k start -X
==22529== Memcheck, a memory error detector
==22529== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==22529== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==22529== Command: apache2 -k start -X
==22529==
==22529== Invalid read of size 8
==22529== at 0x564AFF5: perl_parse (in /usr/lib/
==22529== by 0x55A8D0B: modperl_startup (in /usr/lib/
==22529== by 0x55A8C96: modperl_startup (in /usr/lib/
==22529== by 0x55A90F9: modperl_init (in /usr/lib/
==22529== by 0x55A927A: modperl_hook_init (in /usr/lib/
==22529== by 0x1663D3: ap_run_open_logs (in /usr/sbin/apache2)
==22529== by 0x14043F: main (in /usr/sbin/apache2)
==22529== Address 0x5a44000 is not stack'd, malloc'd or (recently) free'd
==22529==
==22529==
==22529== Process terminating with default action of signal 11 (SIGSEGV)
==22529== Access not within mapped region at address 0x5A44000
==22529== at 0x564AFF5: perl_parse (in /usr/lib/
==22529== by 0x55A8D0B: modperl_startup (in /usr/lib/
==22529== by 0x55A8C96: modperl_startup (in /usr/lib/
==22529== by 0x55A90F9: modperl_init (in /usr/lib/
==22529== by 0x55A927A: modperl_hook_init (in /usr/lib/
==22529== by 0x1663D3: ap_run_open_logs (in /usr/sbin/apache2)
==22529== by 0x14043F: main (in /usr/sbin/apache2)
gdb indicated that it was erroring very early in perl's runtime, before it had got to any perl code. When using debug symbols, the exact line it was failing on was `scriptname = argv[0];` (perl.c:2365). It wasn't possible to reason beyond that, as stepping through optimised code, even with debug symbols, is next to impossible to make any sense of.
I did find that building an unoptimised perl made the error go away.
I found the following closed issue: https:/
Looking at the source for mod_perl, I found that the argv array passed to perl_parse() is not NULL-terminated, as is required by perl (documentation: https:/
After patching this, the problem went away and didn't come back. Patch is attached.
[Test Plan]
===========
# ls
libapache2-
# dpkg -i libapache2-
(Reading database ... 33224 files and directories currently installed.)
Preparing to unpack libapache2-
Unpacking libapache2-
Setting up libapache2-
apache2_invoke perl: already enabled
# source /etc/apache2/
# apache2 -k start -X
Segmentation fault (core dumped)
# dpkg -i libapache2-
(Reading database ... 33224 files and directories currently installed.)
Preparing to unpack libapache2-
Unpacking libapache2-
Setting up libapache2-
apache2_invoke perl: already enabled
# apache2 -k start -X
<success>^C
# dpkg -i libapache2-
(Reading database ... 33224 files and directories currently installed.)
Preparing to unpack libapache2-
Unpacking libapache2-
Setting up libapache2-
apache2_invoke perl: already enabled
# apache2 -k start -X
Segmentation fault (core dumped)
So after the SRU is performed, apache should no longer segfault.
[Where problems could occur]
============================
The argument parsing code is being changed (taking in NULL terminator now), so edge case failures are likely to be in that area. Should be trivial to handle, though.
Related branches
- Bryce Harrington (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
Diff: 61 lines (+39/-0), 3 files modified
- debian/changelog (+9/-0)
- debian/patches/Fix_SIGSEGV_perl_parse.patch (+29/-0)
- debian/patches/series (+1/-0)
description: updated
Changed in libapache2-mod-perl2 (Ubuntu Focal):
status: Triaged → Fix Committed
Oops, looks like my gdb/valgrind output formatting got messed up. Should still be broadly readable