[Bug 224945] [NEW] memory leaks in apache2 when running mod_ssl

Jamie Strandboge jamie at ubuntu.com
Wed Apr 30 22:41:42 BST 2008


Public bug reported:

Binary package hint: apache2

The following came in an email to security at ubuntu.com.  I asked the
sender to file a report, but it hasn't happened yet, so I am filing it
on his behalf (essentially pasting the email here).

--- EMAIL FROM USER ---
After upgrading our servers from Ubuntu 6.06 to Ubuntu 8.04 we started seeing MASSIVE memory leaks in Apache 2.2 (mpm-worker). Before decreasing MaxRequestsPerChild we actually got kernel panic OOMs so in our view this is a serious DenialOfService vulnerability.

I have spent some time debugging the issue using valgrind and some
custom debugging printf's and I have so far concluded that it is related
to SSLv3/TLSv1 zlib compression.

How to reproduce the leak:
(1) Set up an SSL-enabled host in Apache2.2. Session cache and the like do not seem to matter, but make sure that the children run long enough to notice the leak.

(2) Verify that zlib compression is enabled:
$ openssl s_client -tls1 -connect host:port

(3) Flood the host with compression-enabled requests (no SSLv2):
$ ab -n x -c y -f tls1 https://XXX

Valgrind indicates that the leak occurs inside crypto/comp/c_zlib.c in
libssl0.9.8g:

static int zlib_stateful_init(COMP_CTX *ctx)
        {
        int err;
        struct zlib_state *state =
->              (struct zlib_state *)OPENSSL_malloc(sizeof(struct zlib_state));

My debugging printf's seem to indicate that (in the same file):

static void zlib_stateful_finish(COMP_CTX *ctx)

is called correctly, but

static void zlib_stateful_free_ex_data(...)

which is supposed to free the zlib_state allocation is never called.

The zlib_stateful_free_ex_data function seems to be called when I use
openssl s_server instead of Apache as the SSL server.  I am therefore
not completely sure whether the root of this bug is in apache or
openssl.

BTW, bug #186339 looks like it is the same issue.

** Affects: apache2 (Ubuntu)
     Importance: High
         Status: New

** Summary changed:

- memory leaks when running mod_ssl
+ memory leaks in apache2 when running mod_ssl

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => High

-- 
memory leaks in apache2 when running mod_ssl
https://bugs.launchpad.net/bugs/224945
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.
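
A check for step (2) of the reproduction above, as an added example that is not part of the original report: it reads `openssl s_client` output and says whether the handshake negotiated compression, which is the condition the report ties the leak to. The function names are hypothetical, and the sample transcripts are constructed on the assumption that s_client prints a top-level `Compression:` line.

```shell
#!/bin/sh
# Added example: report the compression method an `openssl s_client`
# handshake negotiated, reading the s_client output on stdin.
#
# Live use (host:port as in the report):
#   openssl s_client -tls1 -connect host:port </dev/null 2>/dev/null | tls_compression

# Prints the method from the top-level "Compression:" line.
# Exit status: 0 = compression negotiated, 1 = NONE, 2 = line not found.
tls_compression() {
    method=$(awk '
        /^Compression:/ && !seen {
            sub(/^Compression:[ \t]*/, "")
            sub(/[ \t\r]*$/, "")
            m = $0; seen = 1
        }
        END { if (seen) print m }')
    case "$method" in
        "")   echo "unknown"; return 2 ;;
        NONE) echo "NONE"; return 1 ;;
        *)    echo "$method"; return 0 ;;
    esac
}

# Constructed sample output (not captured from a real server).
sample_zlib() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Compression: 1 (zlib compression)
EOF
}

sample_none() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
EOF
}

for s in sample_zlib sample_none; do
    printf '%s: %s\n' "$s" "$($s | tls_compression)"
done
```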
