Skip to content

Removed unnecessary lock to call acmp_process_quick in Pm::evaluate #3227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 14, 2024
Merged

Removed unnecessary lock to call acmp_process_quick in Pm::evaluate #3227

merged 1 commit into from
Aug 14, 2024

Conversation

eduar-hte
Copy link
Contributor

what

Remove the lock in the Pm operator, which is off by default (it can be enabled with the --enable-mutex-on-pm configure flag, which adds the define for MODSEC_MUTEX_ON_PM) and is not needed.

why

This lock was introduced in commit 119a6fc & 7d786b3 at the same time (and probably because of) issue #1573, where a double-free issue running in a multi-threaded context was reported.

Some time later, it's stated that the lock should not be necessary (see here), and that it should be safe without the mutex (the issue explicitly asks about whether it's necessary for multithreaded environments).

Reviewing commit 119a6fc, it includes two separate changes:

  • It introduces the lock to prevent executing acmp_process_quick in the same instance of the operator at the same time.
  • It moves the call to acmp_prepare from acmp_process_quick to Pm::init.

The second change is significant because it removes (comments out to be precise) the code that could potentially modify the data structure during the execution of acmp_process_quick. The updated version of acmp_process_quick only reads the data structure (which once initialized in Pm::init is not modified afterwards), so it can be safely executed concurrently in a multithreaded context.

This is why the lock is not needed and can be removed.

@eduar-hte
Removed unnecessary lock to call acmp_process_quick in Pm::evaluate
8d6b185 
- This was introduced in commit 119a6fc & 7d786b3 because of a potential
  issue reported in owasp-modsecurity#1573.
- The ACMP tree structure is initialized when the operator is
  initialized.
- During transaction execution the ACMP tree structure is only 'read'
  while traversing the tree (in acmp_process_quick) so this is safe for
  use in a multi-threaded environment.
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@eduar-hte eduar-hte mentioned this pull request Aug 13, 2024
Open
airween
airween approved these changes Aug 14, 2024
View reviewed changes
Copy link
Member

@airween airween left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - great work, thanks!

@airween airween merged commit 554bd30 into owasp-modsecurity:v3/master Aug 14, 2024
49 checks passed
airween added a commit to airween/ModSecurity that referenced this pull request Aug 14, 2024
@airween
Added PR owasp-modsecurity#3227
746f4d7
@eduar-hte eduar-hte deleted the pm-operator-multithreading branch August 14, 2024 12:24
@marcstern marcstern added the 3.x Related to ModSecurity version 3.x label Aug 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@airween airween airween approved these changes

Assignees
No one assigned
Labels
3.x Related to ModSecurity version 3.x
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eduar-hte @airween @marcstern