[SRU] memory leaks in apache2 when running mod_ssl
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Fix Released | High | Martin Pitt |
Hardy | Fix Released | High | Unassigned |
Intrepid | Fix Released | High | Martin Pitt |
openssl (Ubuntu) | Invalid | Undecided | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
Intrepid | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: apache2
The following came in an email to <email address hidden>. I asked the sender to file a report, but it hasn't happened yet, so I am filing it on his behalf (essentially pasting the email here).
--- EMAIL FROM USER ---
After upgrading our servers from Ubuntu 6.06 to Ubuntu 8.04 we started seeing MASSIVE memory leaks in Apache 2.2 (mpm-worker). Before decreasing MaxRequestsPerChild we actually got kernel panic OOMs so in our view this is a serious DenialOfService vulnerability.
I have spent some time debugging the issue using valgrind and some custom debugging printf's and I have so far concluded that it is related to SSLv3/TLSv1 zlib compression.
How to reproduce the leak:
(1) Set up an SSL-enabled host in Apache2.2. Session cache and the like do not seem to matter, but make sure that the children run long enough to notice the leak.
(2) Verify that zlib compression is enabled:
$ openssl s_client -tls1 -connect host:port
(3) Flood the host with compression enabled requests (no SSLv2):
$ ab -n x -c y -f tls1 https:/
Valgrind indicates that the leak occurs inside crypto/
static int zlib_stateful_
{
int err;
struct zlib_state *state =
-> (struct zlib_state *)OPENSSL_
zlib_state));
My debugging printf's seem to indicate that (in the same file):
static void zlib_stateful_
is called correctly, but
static void zlib_stateful_
which is supposed to free the zlib_state allocation is never called.
The zlib_stateful_
BTW, bug #186339 looks like it is the same issue.
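The check in step (2) of the report above, as an added example that is not part of the original report or of any project's code: a shell helper that reads `openssl s_client` output and reports whether compression was negotiated, based on the `Compression:` line of the handshake summary. The function names and the two sample outputs are constructed for illustration; `check_host` uses the same `s_client` flags as the report.

```shell
#!/bin/sh
# Classify `openssl s_client` output read from stdin by negotiated compression.
# Prints "compressed:<method>", "none", or "unknown" (no handshake summary seen).
tls_compression_status() {
    awk '
        # Only the unindented summary line is used; the indented copy inside
        # the SSL-Session block ("    Compression: 1 (...)") is ignored.
        /^Compression:/ {
            sub(/^Compression:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            method = $0
            seen = 1
        }
        END {
            if (!seen)                 print "unknown"
            else if (method == "NONE") print "none"
            else                       print "compressed:" method
        }
    '
}

# Live check against a server you operate (hypothetical wrapper, not run here).
check_host() {
    openssl s_client -tls1 -connect "$1" </dev/null 2>/dev/null | tls_compression_status
}

# Constructed sample: handshake summary with zlib negotiated.
sample_zlib() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Compression: 1 (zlib compression)
EOF
}

# Constructed sample: handshake summary without compression.
sample_none() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
EOF
}
```

A result of "unknown" means the handshake summary was never printed (for example, the connection failed), so it should not be read as "no compression".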
Changed in apache2:
importance: Undecided → High
Changed in apache2:
milestone: none → ubuntu-8.04.1
milestone: ubuntu-8.04.1 → none
Changed in apache2:
milestone: none → ubuntu-8.04.1
Hi,
I've got the same bug. I've tried disabling mod_ssl without any success, the memory leak is still happening... Do you have an idea? Maybe it's not/not only SSL after all?