[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#822144: marked as done (apache2: Race condition and logical error in apache2 SysV initscript)

Your message dated Sat, 03 Sep 2016 18:17:09 +0000
with message-id <E1bgFV7-0003jJ-Tc@franck.debian.org>
and subject line Bug#822144: fixed in apache2 2.4.10-10+deb8u6
has caused the Debian Bug report #822144,
regarding apache2: Race condition and logical error in apache2 SysV initscript
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

822144: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822144
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.10-10+deb8u4
Severity: important
Tags: patch

Jessie's apache2 SysV init script has two errors which can cause restarts to fail or cause problems on shutdown.

Issue 1: Race condition in do_stop() and apache_wait_stop()

The do_stop() functions issues an apache2ctl stop/graceful-stop (or a killproc) and calls apache_wait_stop() afterwards.
apache_wait_stop() tries to gather the current apache2 PID via pidofproc from the pid file and afterwards checks, if the
process has already terminated (via kill -0). This approach is problematic, because after receiving SIGTERM (via apache2ctl),
apache2 will remove its PID file in the shutdown process. When reaching the pidofproc invocation in apache_wait_stop(),
the PID file may have already been removed (by apache2) and the PID of the main apache process may not be determined
(although the process may yet be actively running). In this case, apache_wait_stop() will wrongly return with 0, indicating
that the process has been terminated successfully.
In most cases, this is not problematic, because the apache2 process will terminate shortly after - however in case of
restarts (which will call do_stop() -> do_start()) this may cause apache2 not being able to start up, because the old
main process is still active and holding resources (like sockets/ports or possibly locks etc.).

To resolve this, apache2ctl/killproc invocation should be done AFTER determining apaches main PID. Note that in Wheezys
initscripts, this race condition was not present - this has been introduced with Jessie.

Issue 2: Logical error in apache_wait_stop()

When waiting for the main PID to terminate, apache_wait_stop() will check every second, if the process is dead. This
is done for 60 seconds max, after that, the inner loop will break and presumably should set/return a statuscode of 2, which
it does not, because 'break' is executed before setting the correct return code:

if [ $i = '60' ]; then

This might cause problems in case apache2 cannot be shut down correctly (for whatever reason).

The following patch should fix the issues mentioned above:

--- apache2.init.org    2015-10-24 10:37:19.000000000 +0200
+++ apache2.init        2016-04-21 14:43:22.380946637 +0200
@@ -139,6 +139,7 @@

 apache_wait_stop() {
        local STATUS=$1
+       local METH=$2

        if [ $STATUS != 0 ] ; then
                return $STATUS
@@ -146,11 +147,18 @@

        PIDTMP=$(pidofproc -p $PIDFILE $DAEMON)
        if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
+               if [ "$METH" = "kill" ]; then
+                       killproc -p $PIDFILE $DAEMON
+               else
+                       $APACHE2CTL $METH > /dev/null 2>&1
+               fi
                local i=0
                while kill -0 "${PIDTMP:-}" 2> /dev/null;  do
                        if [ $i = '60' ]; then
+                               STATUS=2
-                               STATUS=2
                        [ "$VERBOSE" != no ] && log_progress_msg "."
                        sleep 1
@@ -223,15 +231,13 @@

        if [ $AP_RET = 2 ] && apache_conftest ; then
-               $APACHE2CTL $STOP > /dev/null 2>&1
-               apache_wait_stop $?
+               apache_wait_stop $? $STOP
                return $?
                if [ $AP_RET = 2 ]; then
-                                       clear_error_msg
+                       clear_error_msg
                        APACHE2_INIT_MESSAGE="The apache2$DIR_SUFFIX configtest failed, so we are trying to kill it manually. This is almost certainly suboptimal, so please make sure your system is working as you'd expect now!"
-                       killproc -p $PIDFILE $DAEMON
-                       apache_wait_stop $?
+                       apache_wait_stop $? "kill"
                        return $?
                elif [ $AP_RET = 1 ] ; then
                        APACHE2_INIT_MESSAGE="There are processes named 'apache2' running which do not match your pid file which are left untouched in the name of safety, Please review the situation by hand".

-- Package-specific info:

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.10-10+deb8u4
ii  apache2-data   2.4.10-10+deb8u4
ii  apache2-utils  2.4.10-10+deb8u4
ii  dpkg           1.17.26
ii  lsb-base       4.1+Debian13+nmu1
ii  mime-support   3.58
ii  perl           5.20.2-3+deb8u4
ii  procps         2:3.3.9-9

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.35

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.19-18+deb8u4
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u2
ii  liblua5.1-0              5.1.5-7.1
ii  libpcre3                 2:8.35-3.3+deb8u4
ii  libssl1.0.0              1.0.1k-3+deb8u4
ii  libxml2                  2.9.1+dfsg1-5+deb8u1
ii  perl                     5.20.2-3+deb8u4
ii  zlib1g                   1:1.2.8.dfsg-2+b1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.10-10+deb8u4
ii  apache2-bin  2.4.10-10+deb8u4

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.10-10+deb8u6

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 822144@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Hash: SHA512

Format: 1.8
Date: Sun, 07 Aug 2016 12:58:11 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin apache2.2-common libapache2-mod-proxy-html libapache2-mod-macro apache2-utils apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.10-10+deb8u6
Distribution: jessie
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-mpm-event - transitional event MPM package for apache2
 apache2-mpm-itk - transitional itk MPM package for apache2
 apache2-mpm-prefork - transitional prefork MPM package for apache2
 apache2-mpm-worker - transitional worker MPM package for apache2
 apache2-suexec - transitional package for apache2-suexec-pristine
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 apache2.2-bin - Transitional package for apache2-bin
 apache2.2-common - Transitional package for apache2
 libapache2-mod-macro - Transitional package for apache2-bin
 libapache2-mod-proxy-html - Transitional package for apache2-bin
Closes: 803035 821313 822144 827258 827444 827472
 apache2 (2.4.10-10+deb8u6) jessie; urgency=medium
   * Fix race condition and logical error in init script. Thanks to Thomas
     Stangner for the patch. Closes: #822144
   * Remove links to manpages.debian.org in default index.html to avoid
     broken robots doing a DoS on the site. Closes: #821313
   * mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive
     connections. Closes: #803035
   * mod_proxy_fcgi: Fix wrong behavior with 304 responses. Closes: #827472
   * Correct systemd-sysv-generator behavior by customizing some parameters.
     This fixes 'systemctl status' returning incorrect results.
     Closes: #827444
   * mod_proxy_html: Add missing config file mods-available/proxy_html.conf.
     This is intentionally not enabled during upgrade, to make it less
     likely to break existing setups. It will be enabled by a a2dismod/a2enmod
     cycle, though. Closes: #827258
 7f4931afd3adf7dfd3a6b4a7bf3faa5b5f87eaa2 3245 apache2_2.4.10-10+deb8u6.dsc
 aad0b12a1b173d2e4f5d398e17ca3c78c61349da 538168 apache2_2.4.10-10+deb8u6.debian.tar.xz
 4d79f65cf9441287047d059d910b197845c92f24 1156 libapache2-mod-proxy-html_2.4.10-10+deb8u6_amd64.deb
 41f76c3de6df73eb2de6a2cbf29f4bf02afc717d 1146 libapache2-mod-macro_2.4.10-10+deb8u6_amd64.deb
 2f8255c93d6a10b5916e15f1491532415d4275c6 207302 apache2_2.4.10-10+deb8u6_amd64.deb
 d1a45b7f1ce37e4c00f7a2381d3399419b9311ac 162636 apache2-data_2.4.10-10+deb8u6_all.deb
 0a9657aae4143dfad2afdca6fcdd9a85022f101c 1032158 apache2-bin_2.4.10-10+deb8u6_amd64.deb
 08cad4e2101d672a9ec3296dab20985e5358b2c3 1520 apache2-mpm-worker_2.4.10-10+deb8u6_amd64.deb
 5b06940e7fc7ce7e42be3f8c15cc7edc08466c45 1520 apache2-mpm-prefork_2.4.10-10+deb8u6_amd64.deb
 8351667a7135a5171eb7f3963e208d7c3732b821 1520 apache2-mpm-event_2.4.10-10+deb8u6_amd64.deb
 a8c75c41571c532da1e5bf16db69c6939f6cab14 1516 apache2-mpm-itk_2.4.10-10+deb8u6_amd64.deb
 73f25d851b961e8aa2c5fcf56defd62891308241 1702 apache2.2-bin_2.4.10-10+deb8u6_amd64.deb
 b8903c50fc213c2c0c86d75f92ca934f9867e286 124802 apache2.2-common_2.4.10-10+deb8u6_amd64.deb
 17f3bd29705d1d6599b04451ba6396e1bbd08deb 195108 apache2-utils_2.4.10-10+deb8u6_amd64.deb
 0d5a3141ceb1595cffed5ad0374dc0d5e2d12cc9 1662 apache2-suexec_2.4.10-10+deb8u6_amd64.deb
 70a8861f3c7b759c03fe19701cd576510b53893c 129974 apache2-suexec-pristine_2.4.10-10+deb8u6_amd64.deb
 66e72ee27e69f339775331fbf743346399de4949 131498 apache2-suexec-custom_2.4.10-10+deb8u6_amd64.deb
 6e6e83e08f79e00faca828719d5b13ccf8eed0ed 2726122 apache2-doc_2.4.10-10+deb8u6_all.deb
 22b868a5ee6e2343ef198ef3247c2535d000ea1f 281212 apache2-dev_2.4.10-10+deb8u6_amd64.deb
 d8aaa3ec20f098a1b7f553bfa4438f9d665b51df 1704046 apache2-dbg_2.4.10-10+deb8u6_amd64.deb
 690946c704cb5062af2c9ed477a96c31ef70621ccff7cffa50c842e36b9b9be3 3245 apache2_2.4.10-10+deb8u6.dsc
 2ec46037cffc7def7216003e32b61b6962fe56d1fa85e51a0993df526690e5d0 538168 apache2_2.4.10-10+deb8u6.debian.tar.xz
 6975fbb3aa52c19aa50e5094893aa3b0e74584445c9caa8f6a67457f3581f385 1156 libapache2-mod-proxy-html_2.4.10-10+deb8u6_amd64.deb
 5be08b0cf981e28b1ddc3410db6724afe0e19e471f97d9fcb9b2a09b1674c335 1146 libapache2-mod-macro_2.4.10-10+deb8u6_amd64.deb
 83ea47400e2663f6e69b1343c04e8f98188a02ac739c9d8654324f33600515fb 207302 apache2_2.4.10-10+deb8u6_amd64.deb
 ce5b79980d45bce9a7cb7045a02e6be4795bb7259f0409f22b12de78db49f16e 162636 apache2-data_2.4.10-10+deb8u6_all.deb
 bb1b502f1547ede2c07d4d0ae2e6479b1fa1d3f30d189b6267d7be4888bd46bb 1032158 apache2-bin_2.4.10-10+deb8u6_amd64.deb
 458c10b8087eeb0549f08c72613625cade6fcc23a421b1e2751f9c10483d64f5 1520 apache2-mpm-worker_2.4.10-10+deb8u6_amd64.deb
 39e96b52a4a9de90d0d909975ee3636ca7835c7cea2eb2b93102e7ffa85327fa 1520 apache2-mpm-prefork_2.4.10-10+deb8u6_amd64.deb
 e68434a82cdf1d22cb1fd879606060d4687d5d7e8ffd79392745c060243d4f50 1520 apache2-mpm-event_2.4.10-10+deb8u6_amd64.deb
 939ae600e40ebed1932d2c5cbc2f7ebc70dbf9e7e45040d61f660b07e475fb09 1516 apache2-mpm-itk_2.4.10-10+deb8u6_amd64.deb
 c10c3908518f511ac8c446620d40590d7aba877c2c5c6214db2140e26e3c0c22 1702 apache2.2-bin_2.4.10-10+deb8u6_amd64.deb
 0503cb137e71f9d7ca26213b4b1fa71bde516a309e11a2a05ad24d0faf947bd5 124802 apache2.2-common_2.4.10-10+deb8u6_amd64.deb
 06263c1c21378e99ccb11b46f396041053885b60be9a908b4a8239aa8d88cc9a 195108 apache2-utils_2.4.10-10+deb8u6_amd64.deb
 0112b6c14c64b22d0e5620e7786cfcf9c17887b06b9632f13b667377b7688ea8 1662 apache2-suexec_2.4.10-10+deb8u6_amd64.deb
 90659f8b47a58a45fa285a3af2a8da6afafca172c796dda2badac9427f90da09 129974 apache2-suexec-pristine_2.4.10-10+deb8u6_amd64.deb
 966f4b9035bd58b8ea9ec8742042c0e5349a0d9e31ed2b133a8a0ccad453e564 131498 apache2-suexec-custom_2.4.10-10+deb8u6_amd64.deb
 fd281db9fbbf054e4b0f930062e8495fff526270f1552cd1c79a5fea01974d63 2726122 apache2-doc_2.4.10-10+deb8u6_all.deb
 2f5ddb45427cdbe127ebef92962d2d60dba57cee9f4b0c345b673902933b7017 281212 apache2-dev_2.4.10-10+deb8u6_amd64.deb
 50bc91fa1fc0c881b2998911f778779e79bce8254dc15d1f307a314bf9384fbb 1704046 apache2-dbg_2.4.10-10+deb8u6_amd64.deb
 eced97002a3188730b65c444c468d985 3245 httpd optional apache2_2.4.10-10+deb8u6.dsc
 2c55fcbc80ee085dd41969417f0b7a72 538168 httpd optional apache2_2.4.10-10+deb8u6.debian.tar.xz
 4d915fe33f78f800565e8128632ce63a 1156 oldlibs extra libapache2-mod-proxy-html_2.4.10-10+deb8u6_amd64.deb
 8cf65ed01a5dc7a9d6768da041ca7d7b 1146 oldlibs extra libapache2-mod-macro_2.4.10-10+deb8u6_amd64.deb
 3d333685699724a353ce401c5f3ea81a 207302 httpd optional apache2_2.4.10-10+deb8u6_amd64.deb
 5e5077d0321a21b288cfaa004d3c8f36 162636 httpd optional apache2-data_2.4.10-10+deb8u6_all.deb
 cb393c86c9d2f2f410fca5b2d787aa29 1032158 httpd optional apache2-bin_2.4.10-10+deb8u6_amd64.deb
 eb9b1c5e92e69665791bbe64747d8c9a 1520 oldlibs extra apache2-mpm-worker_2.4.10-10+deb8u6_amd64.deb
 50b2921cf72da9e8d7c5f9eb723c6181 1520 oldlibs extra apache2-mpm-prefork_2.4.10-10+deb8u6_amd64.deb
 9bebfa1ca6f0cc877922fb7525e91466 1520 oldlibs extra apache2-mpm-event_2.4.10-10+deb8u6_amd64.deb
 31ffc8fa75569cc2fb442e6c8919b79e 1516 oldlibs extra apache2-mpm-itk_2.4.10-10+deb8u6_amd64.deb
 b997b15cd5cd0a2b6c07ca0e8f69642d 1702 oldlibs extra apache2.2-bin_2.4.10-10+deb8u6_amd64.deb
 51356b6c2787ba286d4ed0fe190ccb2a 124802 oldlibs extra apache2.2-common_2.4.10-10+deb8u6_amd64.deb
 47652a3b7b9f9f2cb270c2eed53336be 195108 httpd optional apache2-utils_2.4.10-10+deb8u6_amd64.deb
 6b398b32bbcfd10c92066f85686c441b 1662 oldlibs extra apache2-suexec_2.4.10-10+deb8u6_amd64.deb
 43044a8bec66b598176ec71f871d79c9 129974 httpd optional apache2-suexec-pristine_2.4.10-10+deb8u6_amd64.deb
 04522210f35afcaae5253bd8bb42cd79 131498 httpd extra apache2-suexec-custom_2.4.10-10+deb8u6_amd64.deb
 f726fd58fa7c774aadf1b54f849a6684 2726122 doc optional apache2-doc_2.4.10-10+deb8u6_all.deb
 fe6b3213f0508f3a07c6c4d179ee8931 281212 httpd optional apache2-dev_2.4.10-10+deb8u6_amd64.deb
 0ad98198acbb2e8f575019e9f845a0f4 1704046 debug extra apache2-dbg_2.4.10-10+deb8u6_amd64.deb



--- End Message ---

Reply to: