Hi mod_perl team,

I reported a bug yesterday to the Apache team, describing a segfault that only 
happens if mod_perl is installed:


My impression was that it should be fixed in httpd2, but mod_perl is the only 
module that adds a configuration flag to the global ap_server_config_defines 
array, so it has been suggested that a one-line change go into the 
modperl_register_hooks() function instead:

Index: src/modules/perl/mod_perl.c
--- src/modules/perl/mod_perl.c.orig
+++ src/modules/perl/mod_perl.c
@@ -861,7 +861,7 @@
     /* for <IfDefine MODPERL2> and Apache2->define("MODPERL2") */
     *(char **)apr_array_push(ap_server_config_defines) =
-        apr_pstrdup(p, "MODPERL2");
+        apr_pstrdup(ap_server_config_defines->pool, "MODPERL2");
                        NULL, NULL, APR_HOOK_MIDDLE);

Essentially, the pool provided as an argument to this function doesn't have a 
long enough lifetime to safely be used as backing storage for the "MODPERL2" 
string.  This change uses the pool that the ap_server_config_defines array 
itself was created in, thereby giving the "MODPERL2" string the same lifetime 
as the array it is being added to.

As far as I can tell, this use-after-free bug has been sitting there for quite 
a few years now but Apache only segfaults if your OS is strict enough about 
reclaiming/unmapping freed memory.

Currently, this issue causes httpd2 to segfault during startup the majority of 
the time on OpenBSD 6.5.

I'd really appreciate it if someone could either confirm that the above patch 
is OK and apply it to mod_perl, or jump on the above Apache bug report and add 
a comment explaining why it isn't.



To unsubscribe, e-mail: dev-unsubscr...@perl.apache.org
For additional commands, e-mail: dev-h...@perl.apache.org

Reply via email to