po

[Joshua Marantz]

Hi,

I've been load-testing our module
(mod_pagespeedhttp://code.google.com/speed/page-speed/docs/module.html)
with httpd 2.2.16 built with these options:
 --enable-pool-debug --with-mpm=worker
I've been getting periodic aborts from apr_table_addn that don't look like
they are from my module.  These do not occur when using 'prefork'.

Here's a stack-trace recovered from a core file:

Program terminated with signal 6, Aborted.
#0  0x7fdd3bbd9a75 in raise (sig=value optimized out) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
 in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) where
#0  0x7fdd3bbd9a75 in raise (sig=value optimized out) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x7fdd3bbdd5c0 in abort () at abort.c:92
#2  0x7fdd3c9a2e57 in apr_table_addn (t=0xe84980, key=0xd51d60
Accept-Encoding, val=0xd51d71 identity) at tables/apr_tables.c:813
#3  0x00433e36 in ap_get_mime_headers_core (r=0xf27de0, bb=0xdda3a0)
at protocol.c:799
#4  0x0043456b in ap_read_request (conn=0xe51620) at protocol.c:918
#5  0x0047f772 in ap_process_http_connection (c=0xe51620) at
http_core.c:183
#6  0x00446e28 in ap_run_process_connection (c=0xe51620) at
connection.c:43
#7  0x004b3297 in process_socket (thd=value optimized out,
dummy=value optimized out) at worker.c:544
#8  worker_thread (thd=value optimized out, dummy=value optimized out)
at worker.c:894
#9  0x7fdd3c1339ca in start_thread (arg=value optimized out) at
pthread_create.c:300
#10 0x7fdd3bc8c70d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112


Questions

1. Is this a bug in httpd?
2. Or could I somehow have caused this with a programming error in my
module?
3. Or is enable-pool-debug simply incompatible with the Worker MPM?

Thanks,
-Josh

Re: po

[Ben Noordhuis]

On Thu, Sep 1, 2011 at 13:52, Joshua Marantz jmara...@google.com wrote:
 Hi,

 I've been load-testing our module
 (mod_pagespeedhttp://code.google.com/speed/page-speed/docs/module.html)
 with httpd 2.2.16 built with these options:
     --enable-pool-debug --with-mpm=worker
 I've been getting periodic aborts from apr_table_addn that don't look like
 they are from my module.  These do not occur when using 'prefork'.

 Here's a stack-trace recovered from a core file:

 Program terminated with signal 6, Aborted.
 #0  0x7fdd3bbd9a75 in raise (sig=value optimized out) at
 ../nptl/sysdeps/unix/sysv/linux/raise.c:64
 64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  in ../nptl/sysdeps/unix/sysv/linux/raise.c
 (gdb) where
 #0  0x7fdd3bbd9a75 in raise (sig=value optimized out) at
 ../nptl/sysdeps/unix/sysv/linux/raise.c:64
 #1  0x7fdd3bbdd5c0 in abort () at abort.c:92
 #2  0x7fdd3c9a2e57 in apr_table_addn (t=0xe84980, key=0xd51d60
 Accept-Encoding, val=0xd51d71 identity) at tables/apr_tables.c:813
 #3  0x00433e36 in ap_get_mime_headers_core (r=0xf27de0, bb=0xdda3a0)
 at protocol.c:799
 #4  0x0043456b in ap_read_request (conn=0xe51620) at protocol.c:918
 #5  0x0047f772 in ap_process_http_connection (c=0xe51620) at
 http_core.c:183
 #6  0x00446e28 in ap_run_process_connection (c=0xe51620) at
 connection.c:43
 #7  0x004b3297 in process_socket (thd=value optimized out,
 dummy=value optimized out) at worker.c:544
 #8  worker_thread (thd=value optimized out, dummy=value optimized out)
 at worker.c:894
 #9  0x7fdd3c1339ca in start_thread (arg=value optimized out) at
 pthread_create.c:300
 #10 0x7fdd3bc8c70d in clone () at
 ../sysdeps/unix/sysv/linux/x86_64/clone.S:112


 Questions

 1. Is this a bug in httpd?

Probably not.

 2. Or could I somehow have caused this with a programming error in my
 module?

That seems more likely.

 3. Or is enable-pool-debug simply incompatible with the Worker MPM?

Not that I know.

That assertion is triggered when you add a string from pool A to a
table in pool B where A is a child of B (adding headers from the
request_rec to a conn_rec table, for example). It's a lifecycle issue.

Detecting which MPM a module is running in

[Joshua Marantz]

Hello from mod_pagespeed again.

We are adding support for running in the Worker MPM, having spent most of
our time since we launched the product sheltered in the prefork MPM where
our multi-threading challenges are all of our own making.

Having tuned our threading model for prefork, where all request-parallelism
will come at the process level, we now offer a functional but, almost
certainly, suboptimal experience for Worker MPM users.

In particular, for a given server_rec, in prefork we are only going to be
processing one request at a time, hence we should employ only a small number
of worker threads to help us.  But in Worker MPM, from what I've seen, a
single server_rec can service multiple concurrent requests.  Thus I think we
should be aware of this and bump up the number of worker threads we create
to help us.

Is it possible to detect the MPM under which mod_pagespeed is running, or,
more generally, the number of concurrent requests that the current process
is likely to need to handle?

Thanks!
-Josh

RE: non-splittable buckets (was: Regression with range fix)

[Plüm, Rüdiger, VF-Group]

 

 -Original Message-
 From: Stefan Fritsch [mailto:s...@sfritsch.de] 
 Sent: Mittwoch, 31. August 2011 23:09
 To: dev@httpd.apache.org
 Subject: non-splittable buckets (was: Regression with range fix)
 
 On Wednesday 31 August 2011, Jim Jagielski wrote:
   Looking at the patch in 2.2.x; there is a lot of effort expended
   deadling with apr_bucket_split() returning ENOTIMPL - that looks
   unnecessary; the filter will only handle brigades containing
   buckets with known length, and all such buckets must be
   _split-able.
   
   So you think we can rip out the whole if (rv == APR_ENOTIMPL)
   blocks?
  
  Belt and suspenders?
 
 If we rip it out, we should replace it with ap_assert()s. And maybe 
 only do it in 2.3?

I guess asserts are fine. IMHO we should do it in 2.3 and 2.2 if we do it.
Nothing is different between 2.2 and 2.3 in this respect and we keep the
diff between 2.2 and 2.3 small.
From what I can see Joe is correct with his assumption that this case
cannot happen there.

 
 A different idea I had: If apr_bucket_split() returns ENOTIMPL, we 
 could call apr_brigade_partition on the copied brigade. 
 apr_brigade_partition() would then do all the complex handling of 
 apr_bucket_read(), etc. It is only slightly less efficient because it 
 has to traverse the brigade again. But the memory usage would still 
 stay low because the original brigade would remain untouched. And we 
 would get rid of much of the complexity in copy_brigade_range().
 

Would be an approach, but I would like to see Joe's feedback on this
as I don't see value in reconstructing this part if ripping out is fine
as well.

Regards

Rüdiger

RE: Appropriate patches for 2.2.19 and 2.0.64?

[Plüm, Rüdiger, VF-Group]

 

 -Original Message-
 From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] 
 Sent: Donnerstag, 1. September 2011 03:51
 To: dev@httpd.apache.org
 Subject: Re: Appropriate patches for 2.2.19 and 2.0.64?
 
 On 8/31/2011 4:16 PM, William A. Rowe Jr. wrote:
  I've attempted to simply substitute the 2.2.19 filter code into the
  2.0.64 http_protocol.c sources, and am unsure how far off 
 these patches
  are from what they need to be; there's been a significant 
 amount of drift
  and refactoring in the interim.
 
 Still looking for feedback, but the attached applies and 
 corresponds to
 2.2.20 with the exception of atoi rather than strtoi 
 semantics, and without
 the no DefaultType exception..
 
 
 

Thanks for taking care. It applies cleanly, but most byterange tests
from the framework fail:

Failed Test   Stat Wstat Total Fail  Failed  List of Failed
---
t/apache/byterange.t   136   97  71.32%  2-9 11 16-17 19-20 25-26
 28 33-35 37-39 42 44-47
 49-61 63-68 70-73 77-79
 83-88 90-96 98-99 101-103
 105-113 115-123 126-127
 130 132-136
t/apache/byterange5.t54  80.00%  1 3-5
t/apache/byterange7.t   135  38.46%  2-5 12

This might be because I use a 64 bit build of 2.0.x (no other test environment 
at hand
at the moment) and 2.0.x is not really good at 64 bit (lots of compiler 
warnings).


Regards

Rüdiger

Re: svn commit: r1163833 - /httpd/httpd/trunk/modules/http/byterange_filter.c

[Tim Bannister]

On Wed, Aug 31, 2011 at 6:28 PM, Roy T. Fielding wrote:

On Aug 31, 2011, at 6:10 PM, William A. Rowe Jr. wrote:

The presumption here is that the client requests bytes=0- to begin the 
transmission, and provided it sees a 206, restarting somewhere in the 
stream results in aborting the connection and streaming bytes=n- from 
the restart point.  Further testing should determine if this was the 
broken assumption.


Do we send the Accept-Ranges header field?

  http://tools.ietf.org/html/rfc2616#page-105


Apache httpd 2.2.9 is sending this header in the Debian bug report at 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825

Tim

Re: Appropriate patches for 2.2.19 and 2.0.64?

[dreamice]

Is there anyone has tested the 2.2.19 with this patch?

2011/9/1 Plüm, Rüdiger, VF-Group ruediger.pl...@vodafone.com



  -Original Message-
  From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
  Sent: Donnerstag, 1. September 2011 03:51
  To: dev@httpd.apache.org
  Subject: Re: Appropriate patches for 2.2.19 and 2.0.64?
 
  On 8/31/2011 4:16 PM, William A. Rowe Jr. wrote:
   I've attempted to simply substitute the 2.2.19 filter code into the
   2.0.64 http_protocol.c sources, and am unsure how far off
  these patches
   are from what they need to be; there's been a significant
  amount of drift
   and refactoring in the interim.
 
  Still looking for feedback, but the attached applies and
  corresponds to
  2.2.20 with the exception of atoi rather than strtoi
  semantics, and without
  the no DefaultType exception..
 
 
 

 Thanks for taking care. It applies cleanly, but most byterange tests
 from the framework fail:

 Failed Test   Stat Wstat Total Fail  Failed  List of Failed

 ---
 t/apache/byterange.t   136   97  71.32%  2-9 11 16-17 19-20
 25-26
 28 33-35 37-39 42 44-47
 49-61 63-68 70-73 77-79
 83-88 90-96 98-99
 101-103
 105-113 115-123 126-127
 130 132-136
 t/apache/byterange5.t54  80.00%  1 3-5
 t/apache/byterange7.t   135  38.46%  2-5 12

 This might be because I use a 64 bit build of 2.0.x (no other test
 environment at hand
 at the moment) and 2.0.x is not really good at 64 bit (lots of compiler
 warnings).


 Regards

 Rüdiger

Another regression regarding byteranges

[Plüm, Rüdiger, VF-Group]

PR 51748 (https://issues.apache.org/bugzilla/show_bug.cgi?id=51748) is an IMHO 
valid regression
in range behaviour (from the report):

Request and response sample in each versions.
= version 2.2.20
GET / HTTP/1.1
Host: localhost
Range: bytes=-1

HTTP/1.1 206 Partial Content
Server: Apache/2.2.20 (Unix)
Accept-Ranges: bytes
Content-Length: 2
Content-Range: bytes 0-1/10240
Content-Type: text/html

= version 2.2.19
GET / HTTP/1.1
Host: localhost
Range: bytes=-1

HTTP/1.1 206 Partial Content
Server: Apache/2.2.19 (Unix)
Accept-Ranges: bytes
Content-Length: 1
Content-Range: bytes 10239-10239/10240
Content-Type: text/html
=



I already fixed that in trunk.
I think this regression justifies another release for 2.2.x. But IMHO we should 
wait at least until
mid next week to see if other regressions come thru and hit them all with a 
2.2.21.

Regards

Rüdiger

Re: Next update

[Ben Laurie]

On Wed, Aug 31, 2011 at 9:03 PM, Dirk-WIllem van Gulik
di...@webweaving.org wrote:
 Suggestion for

        http://people.apache.org/~dirkx/CVE-2011-3192.txt

You probably mean deprecated not desecrated, amusing though that is.

Re: Next update

[Dirk-Willem van Gulik]

On 1 Sep 2011, at 12:06, Ben Laurie wrote:

 On Wed, Aug 31, 2011 at 9:03 PM, Dirk-WIllem van Gulik
 di...@webweaving.org wrote:
 Suggestion for
 
http://people.apache.org/~dirkx/CVE-2011-3192.txt
 
 You probably mean deprecated not desecrated, amusing though that is.
 
Darn Functional MRI - them spell checkers are getting scarily good at reading 
my mind !

Thanks Ben,

Dw. 

Re: Another regression regarding byteranges

[Jim Jagielski]

On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote:
 I already fixed that in trunk.
 I think this regression justifies another release for 2.2.x. But IMHO we 
 should wait at least until
 mid next week to see if other regressions come thru and hit them all with a 
 2.2.21.
 

+1

CVE-2003-1418 - still affects apache 2 current

[Marcus Meissner]

Hi,

CVE-2003-1418, a minor security issue, is still affecting the current codebase.

someone opened a tracker bug a year ago without feedback:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49623

Do you have a statement?

The Qualys security scanner detects and reports this issue and continues
to confuse Apache users :/

The OpenBSD patch referenced adds some hashing and backing store
for the etags.

Ciao, Marcus

Re: non-splittable buckets (was: Regression with range fix)

[Joe Orton]

On Wed, Aug 31, 2011 at 11:08:51PM +0200, Stefan Fritsch wrote:
 On Wednesday 31 August 2011, Jim Jagielski wrote:
   Looking at the patch in 2.2.x; there is a lot of effort expended
   deadling with apr_bucket_split() returning ENOTIMPL - that looks
   unnecessary; the filter will only handle brigades containing
   buckets with known length, and all such buckets must be
   _split-able.
   
   So you think we can rip out the whole if (rv == APR_ENOTIMPL)
   blocks?

Yes.  This code could only get exercised with a custom bucket type which 
has fixed-length buckets but no -split implementation.

  Belt and suspenders?
 
 If we rip it out, we should replace it with ap_assert()s. And maybe 
 only do it in 2.3?

It would seem odd to have ENOTIMPL as a fatal error but other real 
errors non-fatal.  *No* error should occur here with unless somebody has 
cooked up a really whacky bucket type.

Regards, Joe

RE: non-splittable buckets (was: Regression with range fix)

[Plüm, Rüdiger, VF-Group]

 

 -Original Message-
 From: Joe Orton [mailto:jor...@redhat.com] 
 Sent: Donnerstag, 1. September 2011 14:39
 To: dev@httpd.apache.org
 Subject: Re: non-splittable buckets (was: Regression with range fix)
 
 On Wed, Aug 31, 2011 at 11:08:51PM +0200, Stefan Fritsch wrote:
  On Wednesday 31 August 2011, Jim Jagielski wrote:
Looking at the patch in 2.2.x; there is a lot of 
 effort expended
deadling with apr_bucket_split() returning ENOTIMPL - 
 that looks
unnecessary; the filter will only handle brigades containing
buckets with known length, and all such buckets must be
_split-able.

So you think we can rip out the whole if (rv == APR_ENOTIMPL)
blocks?
 
 Yes.  This code could only get exercised with a custom bucket 
 type which 
 has fixed-length buckets but no -split implementation.
 
   Belt and suspenders?
  
  If we rip it out, we should replace it with ap_assert()s. And maybe 
  only do it in 2.3?
 
 It would seem odd to have ENOTIMPL as a fatal error but 
 other real 
 errors non-fatal.  *No* error should occur here with unless 
 somebody has 
 cooked up a really whacky bucket type.

So you would follow the rip-out-and-replace-with-asserts approach?

Regards

Rüdiger

Re: Another regression regarding byteranges

[Dirk-Willem van Gulik]

On 1 Sep 2011, at 13:33, Jim Jagielski wrote:

 
 On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote:
 I already fixed that in trunk.
 I think this regression justifies another release for 2.2.x. But IMHO we 
 should wait at least until
 mid next week to see if other regressions come thru and hit them all with a 
 2.2.21.
 
 
 +1
 

Ok - so this makes it sound we really should get the advisory out. Shall I 
update it with some caveats and stay tuned - but still make it FINAL ?

Or should we make this an update - and not declare final victory ?

Dw.

Re: non-splittable buckets (was: Regression with range fix)

[Joe Orton]

On Thu, Sep 01, 2011 at 02:47:19PM +0200, Plüm, Rüdiger, VF-Group wrote:
   If we rip it out, we should replace it with ap_assert()s. And maybe 
   only do it in 2.3?
  
  It would seem odd to have ENOTIMPL as a fatal error but other 
  real errors non-fatal.  *No* error should occur here with unless 
  somebody has cooked up a really whacky bucket type.
 
 So you would follow the rip-out-and-replace-with-asserts approach?

No, just remove the special case for ENOTIMPL and don't change anything 
else.

Index: modules/http/byterange_filter.c
===
--- modules/http/byterange_filter.c (revision 1163995)
+++ modules/http/byterange_filter.c (working copy)
@@ -94,8 +94,6 @@
 apr_bucket *first = NULL, *last = NULL, *out_first = NULL, *e;
 apr_uint64_t pos = 0, off_first = 0, off_last = 0;
 apr_status_t rv;
-const char *s;
-apr_size_t len;
 apr_uint64_t start64, end64;
 apr_off_t pofft = 0;
 
@@ -147,44 +145,10 @@
 if (e == first) {
 if (off_first != start64) {
 rv = apr_bucket_split(copy, (apr_size_t)(start64 - off_first));
-if (rv == APR_ENOTIMPL) {
-rv = apr_bucket_read(copy, s, len, APR_BLOCK_READ);
-if (rv != APR_SUCCESS) {
-apr_brigade_cleanup(bbout);
-return rv;
-}
-/*
- * The read above might have morphed copy in a bucket
- * of shorter length. So read and delete until we reached
- * the correct bucket for splitting.
- */
-while (start64 - off_first  (apr_uint64_t)copy-length) {
-apr_bucket *tmp = APR_BUCKET_NEXT(copy);
-off_first += (apr_uint64_t)copy-length;
-APR_BUCKET_REMOVE(copy);
-apr_bucket_destroy(copy);
-copy = tmp;
-rv = apr_bucket_read(copy, s, len, APR_BLOCK_READ);
-if (rv != APR_SUCCESS) {
-apr_brigade_cleanup(bbout);
-return rv;
-}
-}
-if (start64  off_first) {
-rv = apr_bucket_split(copy, (apr_size_t)(start64 - 
off_first));
-if (rv != APR_SUCCESS) {
-apr_brigade_cleanup(bbout);
-return rv;
-}
-}
-else {
-copy = APR_BUCKET_PREV(copy);
-}
+if (rv != APR_SUCCESS) {
+apr_brigade_cleanup(bbout);
+return rv;
 }
-else if (rv != APR_SUCCESS) {
-apr_brigade_cleanup(bbout);
-return rv;
-}
 out_first = APR_BUCKET_NEXT(copy);
 APR_BUCKET_REMOVE(copy);
 apr_bucket_destroy(copy);
@@ -200,38 +164,10 @@
 }
 if (end64 - off_last != (apr_uint64_t)e-length) {
 rv = apr_bucket_split(copy, (apr_size_t)(end64 + 1 - 
off_last));
-if (rv == APR_ENOTIMPL) {
-rv = apr_bucket_read(copy, s, len, APR_BLOCK_READ);
-if (rv != APR_SUCCESS) {
-apr_brigade_cleanup(bbout);
-return rv;
-}
-/*
- * The read above might have morphed copy in a bucket
- * of shorter length. So read until we reached
- * the correct bucket for splitting.
- */
-while (end64 + 1 - off_last  (apr_uint64_t)copy-length) {
-off_last += (apr_uint64_t)copy-length;
-copy = APR_BUCKET_NEXT(copy);
-rv = apr_bucket_read(copy, s, len, APR_BLOCK_READ);
-if (rv != APR_SUCCESS) {
-apr_brigade_cleanup(bbout);
-return rv;
-}
-}
-if (end64  off_last + (apr_uint64_t)copy-length - 1) {
-rv = apr_bucket_split(copy, (apr_size_t)(end64 + 1 - 
off_last));
-if (rv != APR_SUCCESS) {
-apr_brigade_cleanup(bbout);
-return rv;
-}
-}
+if (rv != APR_SUCCESS) {
+apr_brigade_cleanup(bbout);
+return rv;
 }
-else if (rv != APR_SUCCESS) {
-apr_brigade_cleanup(bbout);
-

Re: po

[Joshua Marantz]

Hi Ben,

Hmmm...don't know what happened to that subject line po.  Not what I meant
to type, obviously!

On Thu, Sep 1, 2011 at 8:14 AM, Ben Noordhuis i...@bnoordhuis.nl wrote:

 That assertion is triggered when you add a string from pool A to a
 table in pool B where A is a child of B (adding headers from the
 request_rec to a conn_rec table, for example). It's a lifecycle issue.


OK given the stack-trace above it's hard for me to figure out a path back
from my module.  Of course a random memory stomp could make any weird thing
happen, but only this one specific thing always happens.  And we try to
avoid memory-stomps via valgrind etc though it's impossible to prove that
none exist under load.


But I think I've found 2 potential problems in httpd:
  1. protocol.c calls apr_table_addn using a char* value that is offset from
a pool-allocated string.  It's not obvious that it's doing
  this safely but it makes sense this code has to run crazy fast and has
lots of mileage on it.  And it's probably OK for the pool-find
  algorithm appears to do a pointer-range check in apr_pools.c:1908,
function pool_find().  For the moment I'll assume this is not
  the actual problem.
  2. there are a bunch of ifdefs in apr_pools.c for POOL_DEBUG and there's a
some mutexing for APR_HAS_THREADS, e.g. in
 apr_allocator_max_free_set.  But I suspect the debug structures for
POOL_DEBUG are not adequately mutexed.

Has anyone specifically used pool-debug and worker-mpm together under heavy
load?

Thanks!
-Josh

Re: non-splittable buckets (was: Regression with range fix)

[Jim Jagielski]

On Sep 1, 2011, at 8:59 AM, Joe Orton wrote:

 On Thu, Sep 01, 2011 at 02:47:19PM +0200, Plüm, Rüdiger, VF-Group wrote:
 If we rip it out, we should replace it with ap_assert()s. And maybe 
 only do it in 2.3?
 
 It would seem odd to have ENOTIMPL as a fatal error but other 
 real errors non-fatal.  *No* error should occur here with unless 
 somebody has cooked up a really whacky bucket type.
 
 So you would follow the rip-out-and-replace-with-asserts approach?
 
 No, just remove the special case for ENOTIMPL and don't change anything 
 else.
 

+1...

RequestHeader early with CVE-2011-3192

[Yehezkel Horowitz]

Hello

In case I don't want to support Range and Request-Range headers at all, 
would it be safe to remove those headers in the early processing hook?

Something like:
RequestHeader unset Range early
RequestHeader unset Range-Request early

I'm asking because the documentation of mod_headers recommends not using the 
early mode in an operational server.

Thanks

Yehezkel Horowitz
Check Point Software Technologies Ltd.

Re: Pool Debug Worker MPM compatibility

[Joshua Marantz]

Oh also I should not that when I do my load-test with pool-debugging off,
all is well. The error_log has zero signals/aborts.  The main reason I was
using pool-debug in the first place was to get better valgrind leak-checks.
 But if this is just not compatible with Worker MPM I can stay with pool
debug off.

-Josh

On Thu, Sep 1, 2011 at 9:05 AM, Joshua Marantz jmara...@google.com wrote:

 Hi Ben,

 Hmmm...don't know what happened to that subject line po.  Not what I
 meant to type, obviously!

 On Thu, Sep 1, 2011 at 8:14 AM, Ben Noordhuis i...@bnoordhuis.nl wrote:

 That assertion is triggered when you add a string from pool A to a
 table in pool B where A is a child of B (adding headers from the
 request_rec to a conn_rec table, for example). It's a lifecycle issue.


 OK given the stack-trace above it's hard for me to figure out a path back
 from my module.  Of course a random memory stomp could make any weird thing
 happen, but only this one specific thing always happens.  And we try to
 avoid memory-stomps via valgrind etc though it's impossible to prove that
 none exist under load.


 But I think I've found 2 potential problems in httpd:
   1. protocol.c calls apr_table_addn using a char* value that is offset
 from a pool-allocated string.  It's not obvious that it's doing
   this safely but it makes sense this code has to run crazy fast and
 has lots of mileage on it.  And it's probably OK for the pool-find
   algorithm appears to do a pointer-range check in apr_pools.c:1908,
 function pool_find().  For the moment I'll assume this is not
   the actual problem.
   2. there are a bunch of ifdefs in apr_pools.c for POOL_DEBUG and there's
 a some mutexing for APR_HAS_THREADS, e.g. in
  apr_allocator_max_free_set.  But I suspect the debug structures for
 POOL_DEBUG are not adequately mutexed.

 Has anyone specifically used pool-debug and worker-mpm together under heavy
 load?

 Thanks!
 -Josh

Re: CVE-2003-1418 - still affects apache 2 current

[Nick Kew]

On Thu, 1 Sep 2011 14:39:11 +0200
Marcus Meissner meiss...@suse.de wrote:

 Hi,
 
 CVE-2003-1418, a minor security issue, is still affecting the current 
 codebase.
 
 someone opened a tracker bug a year ago without feedback:
 https://issues.apache.org/bugzilla/show_bug.cgi?id=49623

I've just hacked up a simple candidate patch.  Review?

(trunk patch - trivial offset when applied to 2.2.x)

-- 
Nick Kew
Index: modules/http/http_etag.c
===
--- modules/http/http_etag.c(revision 1164053)
+++ modules/http/http_etag.c(working copy)
@@ -26,6 +26,7 @@
 #include http_core.h
 #include http_protocol.h   /* For index_of_response().  Grump. */
 #include http_request.h
+#include util_md5.h
 
 /* Generate the human-readable hex representation of an apr_uint64_t
  * (basically a faster version of 'sprintf(%llx)')
@@ -50,6 +51,13 @@
 *next++ = HEX_DIGITS[u  (apr_uint64_t)0xf];
 return next;
 }
+static char *etag_uint64_to_md5(char *next, apr_uint64_t u, apr_pool_t *pool)
+{
+char *digest = ap_md5_binary(pool, (unsigned char*)u, sizeof(u));
+int len = strlen(digest);
+memcpy(next, digest, len);
+return next+len;
+}
 
 #define ETAG_WEAK W/
 #define CHARS_PER_UINT64 (sizeof(apr_uint64_t) * 2)
@@ -114,7 +122,7 @@
  * FileETag keywords.
  */
 etag = apr_palloc(r-pool, weak_len + sizeof(\--\) +
-  3 * CHARS_PER_UINT64 + 1);
+  2 * CHARS_PER_UINT64 + 2 * APR_MD5_DIGESTSIZE + 1);
 next = etag;
 if (weak) {
 while (*weak) {
@@ -124,7 +132,7 @@
 *next++ = '';
 bits_added = 0;
 if (etag_bits  ETAG_INODE) {
-next = etag_uint64_to_hex(next, r-finfo.inode);
+next = etag_uint64_to_md5(next, r-finfo.inode, r-pool);
 bits_added |= ETAG_INODE;
 }
 if (etag_bits  ETAG_SIZE) {

Re: RequestHeader early with CVE-2011-3192

[Nick Kew]

On Thu, 1 Sep 2011 16:58:07 +0300
Yehezkel Horowitz horow...@checkpoint.com wrote:

 Hello
 
 In case I don't want to support Range and Request-Range headers at all, 
 would it be safe to remove those headers in the early processing hook?
 
 Something like:
 RequestHeader unset Range early
 RequestHeader unset Range-Request early
 
 I'm asking because the documentation of mod_headers recommends not using the 
 early mode in an operational server.

This would be on-topic for the users list rather than here.

The reason for that recommendation is that when used 'early' it will
have side-effects, like ignoring the context it's supposed to be
configured for.

If you want the unset to apply server-wide, then early should be fine.


-- 
Nick Kew

Re: CVE-2003-1418 - still affects apache 2 current

[Marcus Meissner]

On Thu, Sep 01, 2011 at 03:30:57PM +0100, Nick Kew wrote:
 On Thu, 1 Sep 2011 14:39:11 +0200
 Marcus Meissner meiss...@suse.de wrote:
 
  Hi,
  
  CVE-2003-1418, a minor security issue, is still affecting the current 
  codebase.
  
  someone opened a tracker bug a year ago without feedback:
  https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
 
 I've just hacked up a simple candidate patch.  Review?
 
 (trunk patch - trivial offset when applied to 2.2.x)

This just md5s the inodenr, right?

If yes, this is just obfuscation if you do not add some kind of random salt.

(You can still just do
for (i=0;i...;i++) md5($i) 
and compare, including use of Rainbow Tables.)

Ciao, Marcus
 
 -- 
 Nick Kew

 Index: modules/http/http_etag.c
 ===
 --- modules/http/http_etag.c  (revision 1164053)
 +++ modules/http/http_etag.c  (working copy)
 @@ -26,6 +26,7 @@
  #include http_core.h
  #include http_protocol.h   /* For index_of_response().  Grump. */
  #include http_request.h
 +#include util_md5.h
  
  /* Generate the human-readable hex representation of an apr_uint64_t
   * (basically a faster version of 'sprintf(%llx)')
 @@ -50,6 +51,13 @@
  *next++ = HEX_DIGITS[u  (apr_uint64_t)0xf];
  return next;
  }
 +static char *etag_uint64_to_md5(char *next, apr_uint64_t u, apr_pool_t *pool)
 +{
 +char *digest = ap_md5_binary(pool, (unsigned char*)u, sizeof(u));
 +int len = strlen(digest);
 +memcpy(next, digest, len);
 +return next+len;
 +}
  
  #define ETAG_WEAK W/
  #define CHARS_PER_UINT64 (sizeof(apr_uint64_t) * 2)
 @@ -114,7 +122,7 @@
   * FileETag keywords.
   */
  etag = apr_palloc(r-pool, weak_len + sizeof(\--\) +
 -  3 * CHARS_PER_UINT64 + 1);
 +  2 * CHARS_PER_UINT64 + 2 * APR_MD5_DIGESTSIZE + 1);
  next = etag;
  if (weak) {
  while (*weak) {
 @@ -124,7 +132,7 @@
  *next++ = '';
  bits_added = 0;
  if (etag_bits  ETAG_INODE) {
 -next = etag_uint64_to_hex(next, r-finfo.inode);
 +next = etag_uint64_to_md5(next, r-finfo.inode, r-pool);
  bits_added |= ETAG_INODE;
  }
  if (etag_bits  ETAG_SIZE) {


-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg)
Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer

Re: CVE-2003-1418 - still affects apache 2 current

[Joe Orton]

On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wrote:
 Hi,
 
 CVE-2003-1418, a minor security issue, is still affecting the current 
 codebase.
 
 someone opened a tracker bug a year ago without feedback:
 https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
 
 Do you have a statement?

Use FileETag -INode if you care about leaking inode numbers.

I think there was consensus that the default should be changed to that, 
but I can't find the discussion.

Regards, Joe

Re: CVE-2003-1418 - still affects apache 2 current

[Nick Kew]

On Thu, 1 Sep 2011 16:36:24 +0200
Marcus Meissner meiss...@suse.de wrote:


 This just md5s the inodenr, right?
 
 If yes, this is just obfuscation if you do not add some kind of random salt.
 
 (You can still just do
   for (i=0;i...;i++) md5($i) 
 and compare, including use of Rainbow Tables.)

Erm, yeah.  I guess brute force on 2^64 numbers is too easy,
even if the information leaked is of low value.

Would you consider it strong enough if we aggregate
inode+size+mtime and make the etag an md5 hash of that?
Brings the benefit of a slightly shorter string with
a patch that's still simple.

-- 
Nick Kew

Re: CVE-2003-1418 - still affects apache 2 current

[Marcus Meissner]

On Thu, Sep 01, 2011 at 03:55:28PM +0100, Nick Kew wrote:
 On Thu, 1 Sep 2011 16:36:24 +0200
 Marcus Meissner meiss...@suse.de wrote:
 
 
  This just md5s the inodenr, right?
  
  If yes, this is just obfuscation if you do not add some kind of random salt.
  
  (You can still just do
  for (i=0;i...;i++) md5($i) 
  and compare, including use of Rainbow Tables.)
 
 Erm, yeah.  I guess brute force on 2^64 numbers is too easy,
 even if the information leaked is of low value.
 
 Would you consider it strong enough if we aggregate
 inode+size+mtime and make the etag an md5 hash of that?
 Brings the benefit of a slightly shorter string with
 a patch that's still simple.

Both size and mtime are easily retrievable from remote,
you need to add some stuff the attacker cannot derive ;)

Ciao, Marcus

Re: po

[Ray Morris]

 this code has to run crazy fast and has lots of mileage on it. 
...
 OK given the stack-trace above it's hard for me to figure out 
 a path back from my module.  

Why not run the test without your new module loaded?
That sems like a far simpler and more reliable indication 
of whether the issue is in the code with mileage on it or
in the new code.


 Hmmm...don't know what happened to that subject line po.  
 Not what I meant to type, obviously!

Another O would have been quite embarassing wouldn't it.
-- 
Ray Morris
supp...@bettercgi.com

Strongbox - The next generation in site security:
http://www.bettercgi.com/strongbox/

Throttlebox - Intelligent Bandwidth Control
http://www.bettercgi.com/throttlebox/

Strongbox / Throttlebox affiliate program:
http://www.bettercgi.com/affiliates/user/register.php

Re: CVE-2003-1418 - still affects apache 2 current

[Marcus Meissner]

On Thu, Sep 01, 2011 at 05:17:16PM +0200, Reindl Harald wrote:
..
 mtime - well, is directly in the header - Last-Modified
 size - well, directly in the header - Content-Length
 inode - well, where is there any security implication?

I could not directly think of one.

The reason is just that there is a CVE entry that checkers check for
and every user of those checkers asks back from their vendors.

A statement from Apache project that its not seen as security issue is
probably sufficient.

Ciao, Marcus

Re: po

[Joshua Marantz]

On Thu, Sep 1, 2011 at 11:16 AM, Ray Morris supp...@bettercgi.com wrote:

  this code has to run crazy fast and has lots of mileage on it.
 ...
  OK given the stack-trace above it's hard for me to figure out
  a path back from my module.

 Why not run the test without your new module loaded?


This is such an excellent idea.  The module is, unfortunately in this case,
generating the load for the load-test, as well as handling it.  I think I
can have the module do *less* but if the module is not loaded at all, then
there will be no load.


 That seems like a far simpler and more reliable indication
 of whether the issue is in the code with mileage on it or
 in the new code.


The code with mileage in protocol.c is not really under suspicion at this
point -- I probably shouldn't have mentioned it, except that it appears in
the stack at the time of the abort(), and mod_pagespeed doesn't.

The code that I suspect has a lot less mileage on it is the application
of pool debugging to the Worker MPM.  That's why I want to know if anyone
else has put those two together under heavy load.

-Josh

RE: CVE-2003-1418 - still affects apache 2 current

[Plüm, Rüdiger, VF-Group]

 

 -Original Message-
 From: Joe Orton [mailto:jor...@redhat.com] 
 Sent: Donnerstag, 1. September 2011 16:46
 To: Marcus Meissner
 Cc: dev@httpd.apache.org
 Subject: Re: CVE-2003-1418 - still affects apache 2 current
 
 On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wrote:
  Hi,
  
  CVE-2003-1418, a minor security issue, is still affecting 
 the current codebase.
  
  someone opened a tracker bug a year ago without feedback:
  https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
  
  Do you have a statement?
 
 Use FileETag -INode if you care about leaking inode numbers.
 
 I think there was consensus that the default should be 
 changed to that, 
 but I can't find the discussion.

Can't find the discussion either, but I remember that it was not seen as a 
security issue.
For those still concerned about this, the advice was as you said FileETag 
-INode.
So IMHO no need for a patch here except for documentation and default config

Regards

Rüdiger

Re: svn commit: r1163918 - /httpd/httpd/trunk/modules/http/byterange_filter.c

[William A. Rowe Jr.]

On 9/1/2011 1:30 AM, rpl...@apache.org wrote:
 Author: rpluem
 Date: Thu Sep  1 06:30:02 2011
 New Revision: 1163918
 
 URL: http://svn.apache.org/viewvc?rev=1163918view=rev
 Log:
 * Fix error message

 --- httpd/httpd/trunk/modules/http/byterange_filter.c (original)
 +++ httpd/httpd/trunk/modules/http/byterange_filter.c Thu Sep  1 06:30:02 2011
 @@ -640,7 +640,9 @@ static int ap_set_byterange(request_rec 
  }
  else if (num_ranges == 0  unsatisfiable) {
  /* If all ranges are unsatisfiable, we should return 416 */
 - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 0U);
 +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 +  All ranges in Range header (%s) are unsatisfiable,
 +  it);

I know this isn't your change, but just noticed it.  APLOG_ERR?
At its highest shouldn't that be APLOG_INFO?

APLOG_ERR and APLOG_WARN should be reserved for server-side errors
that we have some control over, not bogus input :)

RE: svn commit: r1163918 - /httpd/httpd/trunk/modules/http/byterange_filter.c

[Plüm, Rüdiger, VF-Group]

 

 -Original Message-
 From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] 
 Sent: Donnerstag, 1. September 2011 18:38
 To: dev@httpd.apache.org
 Subject: Re: svn commit: r1163918 - 
 /httpd/httpd/trunk/modules/http/byterange_filter.c
 
 On 9/1/2011 1:30 AM, rpl...@apache.org wrote:
  Author: rpluem
  Date: Thu Sep  1 06:30:02 2011
  New Revision: 1163918
  
  URL: http://svn.apache.org/viewvc?rev=1163918view=rev
  Log:
  * Fix error message
 
  --- httpd/httpd/trunk/modules/http/byterange_filter.c (original)
  +++ httpd/httpd/trunk/modules/http/byterange_filter.c Thu 
 Sep  1 06:30:02 2011
  @@ -640,7 +640,9 @@ static int ap_set_byterange(request_rec 
   }
   else if (num_ranges == 0  unsatisfiable) {
   /* If all ranges are unsatisfiable, we should return 416 */
  -   ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 0U);
  +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
  +  All ranges in Range header (%s) are 
 unsatisfiable,
  +  it);
 
 I know this isn't your change, but just noticed it.  APLOG_ERR?
 At its highest shouldn't that be APLOG_INFO?
 
 APLOG_ERR and APLOG_WARN should be reserved for server-side errors
 that we have some control over, not bogus input :)
 

See r1163920 (http://svn.apache.org/viewvc?rev=1163920view=rev) :-)

Regards

Rüdiger

Re: Next update

[Guenter Knauf]

Hi Dirk,

Am 31.08.2011 22:03, schrieb Dirk-WIllem van Gulik:

Suggestion for

http://people.apache.org/~dirkx/CVE-2011-3192.txt

to be sent to announce and the usual security places.


 4) Deploy a Range header count module as a temporary stopgap measure.

An improved stop-gap module for the 2.x series was provided by
Guenter Knauf and can be found at:

 http://people.apache.org/~dirkx/mod_rangecnt-improved/

I've just fixed the mod to also compile and work now with 1.3.x:
http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/mod_rangecnt.tar.gz

 OS and Vendor specific information
 ==

 NetWare:Pre compiled binaries available.
I've now moved the module binaries into separate folders;
original:
http://people.apache.org/~fuankg/httpd/mod_rangecnt/
improved = configurable:
http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/

Gregg has also compiled Win32 binaries;
original:
http://people.apache.org/~gsmith/httpd/binaries/modules/mod_rangecnt/

Gün.

Re: Appropriate patches for 2.2.19 and 2.0.64?

[William A. Rowe Jr.]

On 9/1/2011 2:41 AM, Plüm, Rüdiger, VF-Group wrote:
  
 
 -Original Message-
 From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] 
 Sent: Donnerstag, 1. September 2011 03:51
 To: dev@httpd.apache.org
 Subject: Re: Appropriate patches for 2.2.19 and 2.0.64?

 On 8/31/2011 4:16 PM, William A. Rowe Jr. wrote:
 I've attempted to simply substitute the 2.2.19 filter code into the
 2.0.64 http_protocol.c sources, and am unsure how far off 
 these patches
 are from what they need to be; there's been a significant 
 amount of drift
 and refactoring in the interim.

 Still looking for feedback, but the attached applies and 
 corresponds to
 2.2.20 with the exception of atoi rather than strtoi 
 semantics, and without
 the no DefaultType exception..



 
 Thanks for taking care. It applies cleanly, but most byterange tests
 from the framework fail:
 
 Failed Test   Stat Wstat Total Fail  Failed  List of Failed
 ---
 t/apache/byterange.t   136   97  71.32%  2-9 11 16-17 19-20 25-26
  28 33-35 37-39 42 44-47
  49-61 63-68 70-73 77-79
  83-88 90-96 98-99 101-103
  105-113 115-123 126-127
  130 132-136
 t/apache/byterange5.t54  80.00%  1 3-5
 t/apache/byterange7.t   135  38.46%  2-5 12
 
 This might be because I use a 64 bit build of 2.0.x (no other test 
 environment at hand
 at the moment) and 2.0.x is not really good at 64 bit (lots of compiler 
 warnings).

Ideally can you provide me the -verbose output (offlist or to your
people.a.o/ space if it's lengthy)?

Re: svn commit: r1163833 - /httpd/httpd/trunk/modules/http/byterange_filter.c

[Roy T. Fielding]

On Sep 1, 2011, at 1:11 AM, Tim Bannister wrote:
 On Wed, Aug 31, 2011 at 6:28 PM, Roy T. Fielding wrote:
 On Aug 31, 2011, at 6:10 PM, William A. Rowe Jr. wrote:
 The presumption here is that the client requests bytes=0- to begin the 
 transmission, and provided it sees a 206, restarting somewhere in the 
 stream results in aborting the connection and streaming bytes=n- from the 
 restart point.  Further testing should determine if this was the broken 
 assumption.
 Do we send the Accept-Ranges header field?
  http://tools.ietf.org/html/rfc2616#page-105
 
 Apache httpd 2.2.9 is sending this header in the Debian bug report at 
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825

Then the client is broken and they also break intermediary
caches (most of which don't cache 206 responses) by performing
this stunt.  We could add a version-specific browsermatch to do
the 206, but I'd prefer to just tell the client developers to
fix their code.  

Roy

Re: Appropriate patches for 2.2.19 and 2.0.64?

[Rainer Jung]

On 01.09.2011 19:18, William A. Rowe Jr. wrote:
 On 9/1/2011 2:41 AM, Plüm, Rüdiger, VF-Group wrote:

 Ideally can you provide me the -verbose output (offlist or to your
 people.a.o/ space if it's lengthy)?

Sorry for kicking in late. I was on holidays until Sunday and was a bit
overwhelmed by what had happened in between.

I built 2.0 trunk with your patch on Solaris Sparc 32 Bits and a lot of
the byterange tests fail for me also.

I put the test output and the complete test directory for prefork and
worker at:

http://people.apache.org/~rjung/CVE-2011-3192/2.0.x/test/

The tarballs contain the error and access logs.

Regards,

Rainer

Re: CVE-2003-1418 - still affects apache 2 current

[Daniel Ruggeri]

On 9/1/2011 10:23 AM, Marcus Meissner wrote:
 On Thu, Sep 01, 2011 at 05:17:16PM +0200, Reindl Harald wrote:
 ..
 mtime - well, is directly in the header - Last-Modified
 size - well, directly in the header - Content-Length
 inode - well, where is there any security implication?
 I could not directly think of one.

 The reason is just that there is a CVE entry that checkers check for
 and every user of those checkers asks back from their vendors.

 A statement from Apache project that its not seen as security issue is
 probably sufficient.

 Ciao, Marcus

This is a sane response to the problem. I've been asking why this is a
vulnerability for years and have yet to receive an answer... Maybe I
haven't asked the right people.

-- 
--
Daniel Ruggeri

Re: Another regression regarding byteranges

[William A. Rowe Jr.]

On 9/1/2011 7:51 AM, Dirk-Willem van Gulik wrote:
 
 On 1 Sep 2011, at 13:33, Jim Jagielski wrote:
 

 On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote:
 I already fixed that in trunk.
 I think this regression justifies another release for 2.2.x. But IMHO we 
 should wait at least until
 mid next week to see if other regressions come thru and hit them all with a 
 2.2.21.


 +1

 
 Ok - so this makes it sound we really should get the advisory out. Shall I 
 update it with some caveats and stay tuned - but still make it FINAL ?
 
 Or should we make this an update - and not declare final victory ?

+1

An /update/ with patch pointers (the patches themselves being moving
targets as we find these bugs) and to point out the feedback mechanism
(request before and after patch request and response headers as
examples and especially what patch level as documented in the patch)
should do just fine as an update, and we should presume there are
more bugs hiding in this code.

Now that 2.2.20 was published, I see little reason to track this as
a wiki page; bugzilla is probably sufficient now.