Curtis,
Yes. APR pools are not thread safe. I think mpm-event is experimental
code in Apache 2.2, right? I think it is stable in Apache 2.4.
Any chance you could try to set up one box with Apache 2.4 and see what happens?
Also, what platform are you using? x86, x86_64? Are you using Linux? Does Glib
have support for Epoll?
Thanks
Breno
On Wed, Feb 13, 2013 at 12:53 PM, Curtis Wood <cw...@si...> wrote:
> Hi Breno,
>
> We are using the following rules - with the exception of excluding some
> particular rule IDs or whitelisting IPs here and there, there isn't
> anything really custom.
>
> /var/asl/rules/10_asl_rules.conf
> /var/asl/rules/20_asl_useragents.conf
> /var/asl/rules/30_asl_antispam.conf
> /var/asl/rules/50_asl_rootkits.conf
> /var/asl/rules/60_asl_recons.conf
> /var/asl/rules/99_asl_jitp.conf
>
> We are using the mpm_event - as opposed to the mpm_prefork which I
> understand is what is not threaded, could this be the underlying issue as
> Rainer mentioned?
>
> Following up on Rainer's point, the APR pools are becoming corrupt - I
> don't recall the particular function (there are a few of them) with the
> following loop, although the node in the linked list is basically
> pointing to itself so it never gets freed up and consequently the loop goes
> on forever - the 'fix' we implemented originally in libapr was to simply
> add a conditional break statement based on whether "c == c->next".
>
> (in run_child_cleanups())
>
> while (c) {
>     *cref = c->next;
>     (*c->child_cleanup_fn)((void *)c->data);
>     c = *cref;
> }
>
>
> On 02/13/2013 05:55 AM, Breno Silva wrote:
>
> Curtis,
>
> Are you using some custom ruleset? Or using only CRS?
> Maybe I can copy your configuration/ruleset and try to reproduce, for
> better investigation.
>
> Thanks
>
> Breno
>
> On Wed, Feb 13, 2013 at 12:05 AM, Rainer Jung <rai...@ki...> wrote:
>
>> On 12.02.2013 22:26, Curtis Wood wrote:
>> > Hi All,
>> >
>> > We seem to have found a potential issue with mod security - we are using
>> > cPanel along with Apache 2.2.23/mod_security 2.7.1. We noticed a strange
>> > issue with Apache last year where it would be getting caught in an
>> > internal loop with the apr_pool_cleanup routines - essentially trying to
>> > clear the same pool over and over. Initially it was thought to only be
>> > with this customer's particular website/setup - although recently we saw
>> > the same issues on our production servers and have verified it is same
>> > issue.
>> >
>> > We have disabled modsec2 fleet wide (2500+ servers) and the problem has
>> > ceased to exist at this time. Unfortunately we have no idea what
>> > triggers this, if it's a particular URL being accessed or what.
>>
>> Pool cleanup loops typically indicate a corruption in the pool data
>> structures due to unsynchronized pool use by multiple threads. APR pools
>> are not thread-safe.
>>
>> Regards,
>>
>> Rainer
>>
>>
>>
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
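An added example, not part of the thread and not libapr code: a simplified model of the cleanup list discussed above, showing that the "c == c->next" break stops a self-referencing node but never trips on a longer cycle, which a tortoise-and-hare check does catch (this goes beyond the self-loop case reported in the thread). The cleanup_t layout, the placement of the break, list_has_cycle and check_shape are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified stand-in for libapr's private cleanup node (layout assumed). */
typedef struct cleanup_t {
    struct cleanup_t *next;
    const void *data;
    int (*child_cleanup_fn)(void *data);
} cleanup_t;

static int count_cleanup(void *data) { ++*(int *)data; return 0; }

/* Floyd's tortoise and hare: finds a cycle of any length, runs no callbacks. */
static int list_has_cycle(const cleanup_t *head) {
    const cleanup_t *slow = head, *fast = head;
    while (fast && fast->next) {
        slow = slow->next; fast = fast->next->next;
        if (slow == fast) return 1;
    }
    return 0;
}

/* Loop from the thread plus the "c == c->next" break; -1 = self-reference hit. */
static int run_child_cleanups_guarded(cleanup_t **cref) {
    cleanup_t *c = *cref;
    while (c) {
        if (c == c->next) return -1;   /* guard placement is an assumption */
        *cref = c->next;
        (*c->child_cleanup_fn)((void *)c->data);
        c = *cref;
    }
    return 0;
}

/* Constructed lists. shape 0: a->b->NULL, 1: a->a, 2: a->b->a (guard never trips). */
static int check_shape(int shape, int *guard_rc, int *calls) {
    cleanup_t a = { NULL, calls, count_cleanup }, b = a, *head = &a;
    *calls = 0;
    a.next = (shape == 1) ? &a : &b;
    b.next = (shape == 2) ? &a : NULL;
    *guard_rc = (shape == 2) ? 1 : run_child_cleanups_guarded(&head); /* 1 = walk skipped */
    return list_has_cycle(&a);
}

int main(void) {
    for (int s = 0, rc, n; s < 3; s++) {
        int cyc = check_shape(s, &rc, &n);
        printf("shape %d: cycle=%d guard=%d calls=%d\n", s, cyc, rc, n);
    }
    return 0;
}
```

Either check only detects corruption after it has happened; the pool still has to be protected from unsynchronized use by multiple threads, as noted in the thread.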