Bug 42548 - INCLUDE negotiating language aborts with APR_POOL_DEBUG
Status: RESOLVED LATER
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_negotiation
Version: 2.2.22
Hardware: All other
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: MassUpdate, PatchAvailable
Reported: 2007-05-30 12:04 UTC by Joachim Zobel
Modified: 2018-11-07 21:09 UTC

Attachments
Patch to fix SIGABRT from unrelated pools with POOL_DEBUG on (1.93 KB, patch)
2013-06-03 05:40 UTC, Dorian Taylor
Description Joachim Zobel 2007-05-30 12:04:18 UTC
If apache/apr is compiled with pool debugging

#define APR_POOL_DEBUG  0x0f
// Don't think this matters, just for completeness
#define ALLOC_STATS

including a language negotiated document with 

<html>
<!--#include virtual="lang.txt" -->
</html>

where lang.txt.en and lang.txt.de are the actual files aborts with a log message

apr_table_overlay: overlay's pool is not an ancestor of p

The backtrace of the coredump is

#0  0xb7c8f947 in raise () from /lib/tls/libc.so.6
#1  0xb7c910c9 in abort () from /lib/tls/libc.so.6
#2  0xb7df73cb in apr_table_overlay (p=0x80fa350, overlay=0x80f1720, base=0x80b1c60)
    at tables/apr_tables.c:819
#3  0x08081219 in ap_internal_fast_redirect (rr=0x80f0a30, r=0x80fa3a8) at http_request.c:433
#4  0xb7770925 in handle_multi (r=0x80fa3a8) at mod_negotiation.c:3121
#5  0x0806f927 in ap_run_type_checker (r=0x80fa3a8) at request.c:74
#6  0x080716b8 in ap_process_request_internal (r=0x80fa3a8) at request.c:241
#7  0x08071ed4 in ap_sub_req_method_uri (method=0x8090da3 "GET", new_uri=0x80dd210 "lang.txt", r=0x80c0810,
    next_filter=0x80d2360) at request.c:1630
#8  0x08071f27 in ap_sub_req_lookup_uri (new_uri=0x80dd210 "lang.txt", r=0x80c0810, next_filter=0x80d2360)
    at request.c:1642
#9  0xb77ee3f8 in handle_include (ctx=0x8101e68, f=0x8101cc0, bb=0x8102088) at mod_include.c:1668
#10 0xb77ea040 in includes_filter (f=0x8101cc0, b=0x8101e38) at mod_include.c:3383
#11 0x0806d7f6 in default_handler (r=0x80c0810) at core.c:3701
#12 0x08074037 in ap_run_handler (r=0x80c0810) at config.c:157
#13 0x08077121 in ap_invoke_handler (r=0x80c0810) at config.c:371
#14 0x08081b88 in ap_process_request (r=0x80c0810) at http_request.c:258
#15 0x0807ee2e in ap_process_http_connection (c=0x80c0238) at http_core.c:172
#16 0x0807adb7 in ap_run_process_connection (c=0x80c0238) at connection.c:43
#17 0x08085b64 in child_main (child_num_arg=<value optimized out>) at prefork.c:640
#18 0x08085e5a in make_child (s=<value optimized out>, slot=2) at prefork.c:736
#19 0x08085f1a in startup_children (number_to_start=3) at prefork.c:754
#20 0x08086984 in ap_mpm_run (_pconf=0x80a17c8, plog=0x80aa858, s=0x80ef678) at prefork.c:975
#21 0x08061d1f in main (argc=134879152, argv=0x0) at main.c:717
Comment 1 William A. Rowe Jr. 2007-05-30 12:37:22 UTC
The scopes are safe (appropriate), but it seems that fast_internal_redirect
(which should die anyways) simply needs an apr_pool_join for the new pool.

Comments?
Comment 2 Ruediger Pluem 2007-05-30 15:13:52 UTC
Maybe I am confused, but we already have apr_pool_join(r->pool, rr->pool); a few
lines above which should do the trick. Is it possible that we have a sub-sub
request here and deal with a table of the main request, so that we have two
generations of pools involved here for which the join trick does not work?
Comment 3 Joachim Zobel 2007-05-30 20:31:11 UTC
(In reply to comment #2)
> Maybe I am confused, but we already have apr_pool_join(r->pool, rr->pool); a few
> lines above which should do the trick. Is it possible that we have a sub-sub
> request here and deal with a table of the main request, so that we have two
> generations of pools involved here for which the join trick does not work?

Probably yes. lang.txt is included (first sub) and the lookup_uri comes from
language negotiation.
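
Added example, not part of the original thread and not APR or httpd code: a simplified C model of the pool-debug lifetime check discussed in comments 1 to 3, showing why one apr_pool_join covers a single parent/child pair but not a pool two generations up. The names pool, pool_join, pool_is_ancestor and overlay_allowed are hypothetical stand-ins, and the model assumes the debug build follows a pool's recorded join before walking p's parent chain; it does not reproduce the exact failing call in this report.

```c
#include <stdio.h>

/* Toy stand-in for apr_pool_t: only the links the debug check follows. */
typedef struct pool {
    struct pool *parent;  /* pool this one was created from */
    struct pool *joined;  /* lifetime guarantee recorded by a join, or NULL */
} pool;

/* Model of apr_pool_join(p, sub): the caller promises that sub lives as
 * long as p. Returns -1 when sub is not a direct child of p (assumption:
 * the real debug build aborts in that case). */
static int pool_join(pool *p, pool *sub)
{
    if (sub->parent != p)
        return -1;
    sub->joined = p;
    return 0;
}

/* Model of apr_pool_is_ancestor(a, b): does a live at least as long as b? */
static int pool_is_ancestor(const pool *a, const pool *b)
{
    if (a == NULL)
        return 1;
    while (a->joined)                 /* follow recorded guarantees upward */
        a = a->joined;
    for (; b != NULL; b = b->parent)  /* then look for a among b's ancestors */
        if (a == b)
            return 1;
    return 0;
}

/* Model of the debug guard in apr_table_overlay(p, overlay, base):
 * 1 = merge allowed, 0 = the point where the log message and abort() occur. */
static int overlay_allowed(const pool *p, const pool *overlay_pool)
{
    return pool_is_ancestor(overlay_pool, p);
}

int main(void)
{
    pool main_req = { NULL, NULL };      /* main request pool */
    pool sub      = { &main_req, NULL }; /* SSI include subrequest */
    pool subsub   = { &sub, NULL };      /* negotiated variant lookup */
    printf("no join, p=sub:  %d\n", overlay_allowed(&sub, &subsub));
    pool_join(&sub, &subsub);
    printf("joined,  p=sub:  %d\n", overlay_allowed(&sub, &subsub));
    printf("joined,  p=main: %d\n", overlay_allowed(&main_req, &subsub));
    return 0;
}
```

In this model a table owned by the innermost pool passes the guard only against the pool it was joined to; merging it into the main request's pool is still rejected until the intermediate pool is joined as well.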
Comment 4 Dorian Taylor 2013-06-03 05:40:31 UTC
Created attachment 30377
Patch to fix SIGABRT from unrelated pools with POOL_DEBUG on

Apply this patch after any patches for CVE-2012-2687.
Comment 5 Dorian Taylor 2013-06-03 05:43:17 UTC
This doesn't just affect includes; it affects any negotiate attempt from a request that is already a subrequest.

Attached is a trivial patch which simply checks if there's a main request and if so, uses that pool instead.
Comment 6 William A. Rowe Jr. 2018-11-07 21:09:39 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.