Activity log for bug #1752683

Date Who What changed Old value New value Message
2018-03-01 18:26:11 Rafael David Tinoco bug added bug
2018-03-01 18:26:18 Rafael David Tinoco apache2 (Ubuntu): status New In Progress
2018-03-01 18:26:20 Rafael David Tinoco apache2 (Ubuntu): assignee Rafael David Tinoco (inaddy)
2018-03-01 18:26:23 Rafael David Tinoco apache2 (Ubuntu): importance Undecided Medium
2018-03-01 18:27:10 Rafael David Tinoco tags sts
2018-03-01 18:44:18 Fabio Augusto Miranda Martins bug added subscriber Fabio Augusto Miranda Martins
2018-03-02 00:55:48 Rafael David Tinoco nominated for series Ubuntu Trusty
2018-03-02 00:55:48 Rafael David Tinoco nominated for series Ubuntu Xenial
2018-03-02 00:55:48 Rafael David Tinoco nominated for series Ubuntu Bionic
2018-03-02 00:55:48 Rafael David Tinoco nominated for series Ubuntu Artful
2018-03-02 01:05:14 Rafael David Tinoco bug watch added https://bz.apache.org/bugzilla/show_bug.cgi?id=58483
2018-03-02 01:05:14 Rafael David Tinoco bug watch added https://bz.apache.org/bugzilla/show_bug.cgi?id=60296
2018-03-02 01:05:14 Rafael David Tinoco bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814980
2018-03-02 02:18:35 Rafael David Tinoco bug task added apache2
2018-03-02 02:25:40 Rafael David Tinoco description

Old value:

Problem summary:

apr_rmm_init acts as a relocatable memory management initialization. It is used in: mod_auth_digest and util_ldap_cache.

From the dump that was brought to my knowledge, in the following sequence:

- util_ldap_compare_node_copy()
- util_ald_strdup()
- apr_rmm_calloc()
- find_block_of_size()

we had a "cache->rmm_addr" with no lock at "find_block_of_size()":

    cache->rmm_addr->lock { type = apr_anylock_none }

and an invalid "next" offset (out of rmm->base->firstfree).

This rmm_addr was initialized with NULL as a locking mechanism:

From apr-utils: apr_rmm_init()

    if (!lock) {                            <-- 2nd argument to apr_rmm_init()
        nulllock.type = apr_anylock_none;   <--- found in the dump
        nulllock.lock.pm = NULL;
        lock = &nulllock;
    }

From apache:

# mod_auth_digest

    sts = apr_rmm_init(&client_rmm,
                       NULL, /* no lock, we'll do the locking ourselves */
                       apr_shm_baseaddr_get(client_shm),
                       shmem_size, ctx);

# util_ldap_cache

        result = apr_rmm_init(&st->cache_rmm, NULL,
                              apr_shm_baseaddr_get(st->cache_shm), size,
                              st->pool);

It appears that the ldap module chose to use "rmm" for memory allocation, using the shared memory approach, but without explicitly defining a lock for it. Without one, it is up to the caller to guarantee that there are locks for rmm synchronization (just like mod_auth_digest does, using global mutexes).

Because of that, there was a race condition in "find_block_of_size" and a call touching "rmm->base->firstfree", possibly "move_block()", in a multi-threaded apache environment, since there were no lock guarantees inside the rmm logic (the lock was "apr_anylock_none" and the locking calls don't do anything).

In find_block_of_size:

    apr_rmm_off_t next = rmm->base->firstfree;

We have:

    rmm->base->firstfree  Decimal:356400  Hex:0x57030

But "next" turned into:

    Name : next  Decimal:8320808657351632189  Hex:0x737973636970653d

Causing:

        struct rmm_block_t *blk = (rmm_block_t*)((char*)rmm->base + next);
        if (blk->size == size)

to segfault.

Upstream bugs:

https://bz.apache.org/bugzilla/show_bug.cgi?id=58483
https://bz.apache.org/bugzilla/show_bug.cgi?id=60296
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814980#15

New value:

[Impact]

 * Apache users using the ldap module might face this if using multiple threads and shared memory activated for the apr memory allocator (default in Ubuntu).

[Test Case]

 * Configure apache to use the ldap module, for authentication e.g., and wait for the race condition to happen.
 * Analysis made out of a dump from a production environment.
 * Bug has been reported multiple times upstream in the past 10 years.

[Regression Potential]

 * ldap module has broken locking mechanism when using apr mem mgmt.
 * ldap would continue to have broken locking mechanism.
 * race conditions could still exist.
 * could break ldap module.
 * patch is upstreamed in next version to be released.

[Other Info]

ORIGINAL CASE DESCRIPTION: (verbatim copy of the old value above)
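An added illustration of the locking gap the description analyses (example code, not apr-util's, Apache's or the reporter's own): a hypothetical miniature of an rmm-style offset allocator with the same choice between a no-op lock (a NULL lock to apr_rmm_init) and a real mutex, plus a bounds check that refuses the corrupt "next" offset from the dump instead of dereferencing base + next. The names rmm_alloc, count_double_allocations and corrupt_firstfree_is_rejected, and the region, block and thread sizes, are constructed for this example.

```c
/* Hypothetical miniature of an apr_rmm-style offset allocator (not apr-util or Apache
 * code). LOCK_NONE mirrors a NULL lock to apr_rmm_init: lock calls become no-ops. */
#include <pthread.h>
#include <stddef.h>

enum { REGION_SIZE = 65536, BLOCK_SIZE = 32, NTHREADS = 4, ITER = 200 };   /* constructed */
typedef enum { LOCK_NONE, LOCK_MUTEX } lock_kind;
typedef struct { size_t firstfree; } region_t;   /* header at the base of the shm segment */
typedef struct { region_t *base; lock_kind kind; pthread_mutex_t mtx; } rmm_t;
static void rmm_lock(rmm_t *r)   { if (r->kind == LOCK_MUTEX) pthread_mutex_lock(&r->mtx); }
static void rmm_unlock(rmm_t *r) { if (r->kind == LOCK_MUTEX) pthread_mutex_unlock(&r->mtx); }
/* Returns the next free offset, or 0 (never a valid block) when firstfree lies outside
 * the region, as the dump's 0x737973636970653d does. The unguarded read-modify-write of
 * firstfree below is the step that raced in find_block_of_size() with a NULL lock. */
size_t rmm_alloc(rmm_t *r, size_t size) {
    rmm_lock(r);
    size_t next = r->base->firstfree;
    if (next == 0 || next > REGION_SIZE || size > REGION_SIZE - next) { rmm_unlock(r); return 0; }
    r->base->firstfree = next + size;
    rmm_unlock(r);
    return next;
}
typedef struct { rmm_t *rmm; size_t got[ITER]; } worker_t;
static void *worker(void *arg) {
    worker_t *w = arg;
    for (int i = 0; i < ITER; i++) w->got[i] = rmm_alloc(w->rmm, BLOCK_SIZE);
    return NULL;
}

/* Runs NTHREADS allocators concurrently and returns how many offsets went to more than
 * one thread: always 0 with LOCK_MUTEX, unpredictable (often > 0) with LOCK_NONE. */
int count_double_allocations(lock_kind kind) {
    region_t region = { BLOCK_SIZE };   /* first block follows a header-sized reserve */
    rmm_t rmm = { .base = &region, .kind = kind, .mtx = PTHREAD_MUTEX_INITIALIZER };
    pthread_t tid[NTHREADS]; worker_t w[NTHREADS];
    for (int t = 0; t < NTHREADS; t++) { w[t].rmm = &rmm; pthread_create(&tid[t], NULL, worker, &w[t]); }
    for (int t = 0; t < NTHREADS; t++) pthread_join(tid[t], NULL);
    unsigned char seen[REGION_SIZE / BLOCK_SIZE] = {0};
    int dups = 0;
    for (int t = 0; t < NTHREADS; t++)
        for (int i = 0; i < ITER; i++)
            if (w[t].got[i] && seen[w[t].got[i] / BLOCK_SIZE]++) dups++;
    return dups;
}
int corrupt_firstfree_is_rejected(void) {   /* the dump's bad offset is refused, not dereferenced */
    region_t region = { (size_t)0x737973636970653dULL };
    rmm_t rmm = { .base = &region, .kind = LOCK_NONE };
    return rmm_alloc(&rmm, BLOCK_SIZE) == 0;
}
```

Calling count_double_allocations(LOCK_NONE) reproduces the unsynchronized pattern from util_ldap_cache and may report duplicate offsets on any run, which is why the page's fix direction is to serialise the allocator as mod_auth_digest already does.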
2018-03-02 02:26:27 Rafael David Tinoco attachment added xenial_apache2_2.4.18-2ubuntu3.6.debdiff https://bugs.launchpad.net/apache2/+bug/1752683/+attachment/5066581/+files/xenial_apache2_2.4.18-2ubuntu3.6.debdiff
2018-03-02 02:27:04 Rafael David Tinoco attachment added trusty_apache2_2.4.7-1ubuntu4.19.debdiff https://bugs.launchpad.net/apache2/+bug/1752683/+attachment/5066582/+files/trusty_apache2_2.4.7-1ubuntu4.19.debdiff
2018-03-02 02:27:23 Rafael David Tinoco attachment added artful_apache2_2.4.27-2ubuntu4.debdiff https://bugs.launchpad.net/apache2/+bug/1752683/+attachment/5066583/+files/artful_apache2_2.4.27-2ubuntu4.debdiff
2018-03-02 02:27:43 Rafael David Tinoco attachment added bionic_apache2_2.4.29-1ubuntu4.debdiff https://bugs.launchpad.net/apache2/+bug/1752683/+attachment/5066584/+files/bionic_apache2_2.4.29-1ubuntu4.debdiff
2018-03-02 09:56:45 Bug Watch Updater apache2: status Unknown New
2018-03-27 14:40:49 Rafael David Tinoco tags sts sts sts-sponsor
2018-03-27 14:41:03 Rafael David Tinoco bug added subscriber STS Sponsors
2018-03-27 14:41:17 Rafael David Tinoco bug added subscriber Ubuntu Sponsors Team
2018-03-28 21:09:47 Eric Desrochers bug added subscriber Eric Desrochers
2018-03-28 21:11:41 Eric Desrochers bug task added apache2 (Ubuntu Artful)
2018-03-28 21:11:46 Eric Desrochers bug task added apache2 (Ubuntu Bionic)
2018-03-28 21:11:51 Eric Desrochers bug task added apache2 (Ubuntu Xenial)
2018-03-28 21:11:55 Eric Desrochers bug task added apache2 (Ubuntu Trusty)
2018-03-29 14:03:48 Rafael David Tinoco apache2 (Ubuntu Trusty): status New In Progress
2018-03-29 14:03:51 Rafael David Tinoco apache2 (Ubuntu Xenial): status New In Progress
2018-03-29 14:03:53 Rafael David Tinoco apache2 (Ubuntu Artful): status New In Progress
2018-03-29 14:03:55 Rafael David Tinoco apache2 (Ubuntu Trusty): assignee Rafael David Tinoco (inaddy)
2018-03-29 14:03:56 Rafael David Tinoco apache2 (Ubuntu Xenial): assignee Rafael David Tinoco (inaddy)
2018-03-29 14:03:58 Rafael David Tinoco apache2 (Ubuntu Artful): assignee Rafael David Tinoco (inaddy)
2018-03-29 14:04:00 Rafael David Tinoco apache2 (Ubuntu Trusty): importance Undecided Medium
2018-03-29 14:04:01 Rafael David Tinoco apache2 (Ubuntu Xenial): importance Undecided Medium
2018-03-29 14:04:03 Rafael David Tinoco apache2 (Ubuntu Artful): importance Undecided Medium
2018-03-29 15:15:46 Eric Desrochers apache2 (Ubuntu Bionic): status In Progress Fix Committed
2018-03-29 15:41:55 Launchpad Janitor apache2 (Ubuntu Bionic): status Fix Committed Fix Released
2018-03-31 00:44:21 Bug Watch Updater apache2: status New Fix Released
2018-04-05 18:56:21 Brian Murray apache2 (Ubuntu Artful): status In Progress Fix Committed
2018-04-05 18:56:24 Brian Murray bug added subscriber Ubuntu Stable Release Updates Team
2018-04-05 18:56:25 Brian Murray bug added subscriber SRU Verification
2018-04-05 18:56:29 Brian Murray tags sts sts-sponsor sts sts-sponsor verification-needed verification-needed-artful
2018-04-05 19:06:36 Brian Murray apache2 (Ubuntu Xenial): status In Progress Fix Committed
2018-04-05 19:06:42 Brian Murray tags sts sts-sponsor verification-needed verification-needed-artful sts sts-sponsor verification-needed verification-needed-artful verification-needed-xenial
2018-04-05 19:09:01 Brian Murray apache2 (Ubuntu Trusty): status In Progress Fix Committed
2018-04-05 19:09:07 Brian Murray tags sts sts-sponsor verification-needed verification-needed-artful verification-needed-xenial sts sts-sponsor verification-needed verification-needed-artful verification-needed-trusty verification-needed-xenial
2018-04-05 20:38:29 Brian Murray removed subscriber Ubuntu Sponsors Team
2018-04-08 23:48:17 Rafael David Tinoco tags sts sts-sponsor verification-needed verification-needed-artful verification-needed-trusty verification-needed-xenial sts sts-sponsor verification-done
2018-04-11 18:41:44 Dan Streetman tags sts sts-sponsor verification-done sts sts-sponsor verification-done verification-done-artful verification-done-trusty verification-done-xenial
2018-04-19 07:54:39 Launchpad Janitor apache2 (Ubuntu Artful): status Fix Committed Fix Released
2018-04-19 07:54:45 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team
2018-04-19 07:54:56 Launchpad Janitor apache2 (Ubuntu Xenial): status Fix Committed Fix Released
2018-04-19 07:55:59 Launchpad Janitor apache2 (Ubuntu Trusty): status Fix Committed Fix Released
2018-05-09 18:57:40 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345310
2018-05-09 18:58:19 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345311
2018-05-09 18:59:32 Andreas Hasenack merge proposal unlinked https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345311
2018-05-09 19:02:17 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345312
2018-05-09 19:22:18 Andreas Hasenack merge proposal unlinked https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345312
2018-05-11 19:34:38 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345312
2018-05-15 17:53:45 Andreas Hasenack merge proposal unlinked https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345312
2018-05-17 14:04:21 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/345312