Skip to content

Modsecurity v2.9.3 causes handle leak in Apache httpd #2181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Elavarasan83 opened this issue Oct 9, 2019 · 14 comments
Closed

Modsecurity v2.9.3 causes handle leak in Apache httpd #2181

Elavarasan83 opened this issue Oct 9, 2019 · 14 comments
Labels
2.x Related to ModSecurity version 2.x

Comments

@Elavarasan83
Copy link

Handle count is increasing in Apache httpd.
The behavior is seen with the environment:
OS: Windows 10 x64
Modsecurity: v2.9.3
Apache: v2.4.38 (or) v2.4.41

Upon using the process explorer, I found that 'NT AUTHORITY\SYSTEM:3e7' handle is frequently allotted and not released.
image
@zimmerle
Copy link
Contributor

Hi @Elavarasan83,

Can you give further details on the loaded rules? what if the rules are not loaded? do we still have the leak?

@zimmerle zimmerle added the 2.x Related to ModSecurity version 2.x label Oct 10, 2019
@Elavarasan83
Copy link
Author

Elavarasan83 commented Oct 11, 2019
edited
Loading

Hi @zimmerle

Thanks for the response.
If rules are not loaded then there is no leak.
The moment Apache server receives the request from the client then 'NT AUTHORITY\SYSTEM:3e7' handle leak kicks off.
Here is the rule configuration section in httpd.conf
<IfModule security2_module>
Include /Apache/conf/crs/crs-setup.conf
Include /Apache/conf/crs/rules/*.conf
SecRuleRemoveById 920350
</IfModule>

Note:
If I use previous version of Modsecurity(v2.9.1) then there is no leak (even if the rules are loaded). I don't see 'NT AUTHORITY\SYSTEM:3e7' handle being allocated.

@radboud-asselman
Copy link

radboud-asselman commented Apr 16, 2020
edited
Loading

Hi @Elavarasan83 ,
We are experiencing the same problem. I downgraded mod-security to 2.9.1 and the handle leak is gone.
I'm running Apache 2.4.43 (ApacheLounge bins) on Windows 2016 Std EN. We even try the workaround with the directive MaxConnectionsPerChild. This works, but at some point httpd.exe child crashes and results Apache to be unresponsive.

Will this be fixed, the leaking handles?

@marcstern
Copy link

Did you try with the trunk version?

@radboud-asselman
Copy link

Did you try with the trunk version?

No, we did not. We only use the bins available at ApacheLounge.

@marcstern
Copy link

I've been working on several memory leaks, especially in WIndows builds, in the latest months. Most of them are in the trunk. Some not (i.e. #2208).
I can publish our latest build to try, then you can ask to ApacheLounge to include them if it solves the problem.
Contact me in MP if you want this.

@zimmerle
Copy link
Contributor

zimmerle commented May 6, 2020

@marcstern please share with the community in a format of a pull request, so it will be available to everybody. Having a pull request, we can make sure that it is passing all the regression and unit tests.

@marcstern
Copy link

As I have the impression that v2 is not considered anymore (several trivial PR related to memory problems, mine related to the JSON standard), I must admit I'm not very motivated to take the time for a PR each time.
I'll continue to give all my fixes & findings to the community as usual but, in my current overloaded situation, I don't think I'll formalize them too much.
Obviously, if I see things evolving, I'll change my mind ...

@zimmerle
Copy link
Contributor

zimmerle commented May 8, 2020

I am sorry to hear that but you got the wrong impression. Version 2 is still maintained. Back in December 2.9.3 was released.

Providing pull requests is the best way for you to contribute to the community. The fact that it was not yet merged does not mean that it is putting aside, that is the wrong impressions. Let's say that if the pull request was there @radboud-asselman, @Elavarasan83, and others who may hit with that same issue, will be able to test and provide feedback on your patch. That will be for the benefit of everybody.

@leancz
Copy link

leancz commented Mar 17, 2021

I am also seeing a handles leak. I narrowed it down to OWASP rule 901321.
Windows 2016, Apache 2.4.46, ModSecurity for Apache/2.9.3 (actual v2/master from github)
With rule 901321 - handles leak. Rule 901321 commented out: no handles leak.

@zimmerle
Copy link
Contributor

@leancz Thanks for narrow down to one rule. For the reference -

SecAction \
    "id:901321,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.2.0',\
    initcol:global=global,\
    initcol:ip=%{remote_addr}_%{tx.ua_hash},\
    setvar:'tx.real_ip=%{remote_addr}'"

@olivermoellmann
Copy link

The token handle leak is not caused by ModSecurity directly but by function apr_uid_current (userinfo.c) from APR library. In version 2.9.3 apr_uid_current is called from function collection_retrieve_ex (persist_dbm.c). It was added with the following commit.

a3dc602

There is already a fix in APR trunk version.

apache/apr@71d0990

@SteffenAL
Copy link

Made a new libapr-1.dll available with the handle fix at https://www.apachelounge.com/viewtopic.php?t=8808

@martinhsv
Copy link
Contributor

Given the updates from @olivermoellmann and @SteffenAL (Thank, both, BTW), I'm presuming that there is no further value in keeping this item open for the ModSecurity project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.x Related to ModSecurity version 2.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@zimmerle @leancz @marcstern @Elavarasan83 @SteffenAL @radboud-asselman @martinhsv @olivermoellmann