Bug 1326840 - mod_revocator leaks semaphores
Summary: mod_revocator leaks semaphores
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_revocator
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: 7.3
Assignee: Rob Crittenden
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks: 1326841 1364560 1364561
Reported: 2016-04-13 13:54 UTC by Martin Poole
Modified: 2019-11-14 07:47 UTC (History)

Fixed In Version: mod_revocator-1.0.3-21.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1326841 1364560 (view as bug list)
Environment:
Last Closed: 2016-11-04 08:34:09 UTC
Target Upstream Version:


Attachments
console.log (7.28 KB, text/plain)
2016-09-21 11:48 UTC, Abhijeet Kasurde


Links
System                  ID              Private  Priority  Status        Summary                       Last Updated
Red Hat Product Errata  RHBA-2016:2562  0        normal    SHIPPED_LIVE  mod_revocator bug fix update  2016-11-03 14:22:33 UTC

Description Martin Poole 2016-04-13 13:54:10 UTC
Description of problem:

mod_revocator leaks a semaphore every time httpd stops
 
Version-Release number of selected component (if applicable):

mod_revocator-1.0.3-19.el7.x86_64

How reproducible:

always

Steps to Reproduce:
1. restart httpd a few times
2.
3.

Actual results:

number of semaphores owned by apache increases

Expected results:

steady state.

Additional info:

The only instance of marking the semaphore for removal is in the shutdown of crlhelper. If the helper is not enabled, or even if it is, there is no assurance that it will reach the end of the main block before being killed by its parent.

The main code contains the comment

    /* The semaphore is removed in the helper program. This is because that
     * program survives Apache reloads so the semaphore will as well.
     */

but again does not take account of shutdowns.

Comment 2 Rob Crittenden 2016-07-15 15:01:55 UTC
Am I reading this correctly, the module isn't configured?

Comment 3 Martin Poole 2016-07-15 15:23:46 UTC
The module is in the default configuration.

    CRLEngine off
    CRLAgeCheck off
    CRLUpdateCritical off
    CRLHelper /usr/libexec/crlhelper


Arguably the code should not be creating the semaphore if the CRLEngine is off.

Comment 4 Rob Crittenden 2016-07-15 15:34:00 UTC
(In reply to Martin Poole from comment #3)
> Arguably the code should not be creating the semaphore if the CRLEngine is
> off.

Agreed.

It seems a simple workaround is to remove the unused module.

Comment 9 Rob Crittenden 2016-08-08 20:16:24 UTC
To reproduce:

- yum install mod_revocator (this will pull in all deps)
- ipcs -s (confirm there are no apache semaphores)
- service httpd start
- service httpd stop
- ipcs -s

There will be 2 left-over semaphores. Remove them.

For example:

    # ipcs -s
    ------ Semaphore Arrays --------
    key        semid      owner      perms      nsems
    0x00000000 17104896   apache     600        1
    0x00000000 17235974   apache     600        1
    # ipcrm -s 17104896
    # ipcrm -s 17235974
    # ipcs -s (confirm there are none)

Install updated mod_nss and mod_revocator packages

- service httpd start
- service httpd stop
- ipcs -s

There should be no semaphores

This is a baseline. You should also enable CRLEngine and configure a CRL and do additional testing to ensure that things are properly cleaned up at shutdown.

Similarly some basic mod_nss testing using some SSL urls would be appropriate as well, particularly with a pin-protected NSS database. This change for mod_nss affects the pin storage helper.
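
The before/after `ipcs -s` comparison from the reproduction steps in Comment 9, as an added shell example that is not part of the original comment or of the mod_revocator packages. The function names `sem_ids` and `leaked_sems` and the root-owned sample row are constructed for illustration; the two apache rows are the ones shown in the comment.

```shell
#!/bin/sh
# Added example: compare two `ipcs -s` snapshots and report semaphore arrays
# owned by a user that appeared between them (the leak described in this bug).

# sem_ids OWNER: read `ipcs -s` output on stdin, print OWNER's semids, sorted.
sem_ids() {
    awk -v owner="$1" '
        # Data rows look like: key semid owner perms nsems (key is 0x...).
        NF >= 5 && $1 ~ /^0x[0-9a-fA-F]+$/ && $3 == owner { print $2 }
    ' | sort -n
}

# leaked_sems OWNER BEFORE AFTER: semids owned by OWNER in AFTER but not BEFORE.
leaked_sems() {
    before_ids=" $(printf '%s\n' "$2" | sem_ids "$1" | tr '\n' ' ')"
    for id in $(printf '%s\n' "$3" | sem_ids "$1"); do
        case "$before_ids" in
            *" $id "*) ;;             # already present in the first snapshot
            *) printf '%s\n' "$id" ;; # new since the first snapshot
        esac
    done
}

# Constructed snapshots: BEFORE holds one unrelated root-owned array (made up);
# AFTER adds the two apache rows shown in Comment 9.
BEFORE='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x0052e2c1 32768      root       600        1'
AFTER="$BEFORE
0x00000000 17104896   apache     600        1
0x00000000 17235974   apache     600        1"

# Prints 17104896 and 17235974, one per line.
leaked_sems apache "$BEFORE" "$AFTER"

# Live use, following the steps in Comment 9:
#   before=$(ipcs -s); service httpd start; service httpd stop
#   leaked_sems apache "$before" "$(ipcs -s)"
```

An empty result after the start/stop cycle matches the expected "no semaphores" state for the fixed packages.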

Comment 11 Rob Crittenden 2016-08-09 21:49:34 UTC
Updated patch to fix segfault issue when shutting down.

Comment 12 Abhijeet Kasurde 2016-09-21 11:46:09 UTC
Verified using mod_revocator version:
mod_revocator-1.0.3-21.el7

Please find the attachment as verification steps. Marking BZ as verified.

Comment 13 Abhijeet Kasurde 2016-09-21 11:48:07 UTC
Created attachment 1203239
console.log

Comment 15 errata-xmlrpc 2016-11-04 08:34:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2562.html

