ModSecurity: Memory leaks with nginx reload (without restart)

When, instead of restarting nginx, one performs a reload of the configuration, memory may leak.

The memory leaks are not large per reload, but if one does so frequently, the reduction in free memory becomes noticeable. A near-term mitigation is to at least periodically do a true restart.

This issue is being created in lieu of #2502 and others.
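Added example, not code from this issue thread or from the ModSecurity project: a small POSIX shell script that quantifies the reload behaviour described above by sampling the nginx master process's VmRSS (the master is where the configuration, and therefore the rule set, is parsed on reload) after each `nginx -s reload`, and that decides when the suggested mitigation, a true restart, is due. The pid file path, the two-second settle time, the sample count and the 50 MB restart threshold are hypothetical defaults; the measurement requires Linux `/proc` and the privileges needed to reload nginx.

```shell
#!/bin/sh
# Added example (not from the issue or from ModSecurity). Measures nginx
# master RSS across repeated reloads and flags when a full restart is due.
# Assumptions (hypothetical): pid file /run/nginx.pid, 2 s settle time,
# 50 MB (51200 kB) restart threshold, Linux /proc.
set -u

# Print the VmRSS value (kB) from a /proc/<pid>/status document read on stdin.
vmrss_kb() {
  awk '/^VmRSS:/ { print $2; exit }'
}

# Average RSS growth per reload, in kB, over the samples given as arguments
# (one per reload, oldest first). Prints 0 for fewer than two samples.
leak_per_reload_kb() {
  echo "$@" | awk '{
    if (NF < 2) { print 0; exit }
    printf "%d\n", ($NF - $1) / (NF - 1)
  }'
}

# Exit 0 when no sample is lower than its predecessor: steady growth across
# reloads is the signature reported in this issue. Exit 1 otherwise.
is_monotonic() {
  echo "$@" | awk '{
    for (i = 2; i <= NF; i++) if ($i + 0 < $(i - 1) + 0) exit 1
    exit 0
  }'
}

# Exit 0 when RSS has grown past the baseline by more than threshold kB,
# i.e. when a true restart rather than another reload is warranted.
restart_due() {
  baseline=$1; current=$2; threshold=$3
  [ $((current - baseline)) -gt "$threshold" ]
}

# Reload nginx `count` times, sampling the master's RSS after each reload.
# Not run automatically; invoke as: sh this_script.sh --run /run/nginx.pid 20
measure_reloads() {
  pidfile=$1; count=$2
  pid=$(cat "$pidfile")
  baseline=$(vmrss_kb < "/proc/$pid/status")
  samples=$baseline
  i=0
  while [ "$i" -lt "$count" ]; do
    nginx -s reload
    sleep 2          # let the old workers exit before sampling
    samples="$samples $(vmrss_kb < "/proc/$pid/status")"
    i=$((i + 1))
  done
  last=${samples##* }
  echo "master RSS samples (kB): $samples"
  echo "average growth per reload: $(leak_per_reload_kb $samples) kB"
  if is_monotonic $samples; then
    echo "growth is monotonic across reloads: consistent with a leak"
  fi
  if restart_due "$baseline" "$last" 51200; then
    echo "RSS grew more than 50 MB since baseline: schedule a full restart"
  fi
}

if [ "${1:-}" = "--run" ]; then
  measure_reloads "${2:-/run/nginx.pid}" "${3:-20}"
fi
```

Run it against a staging instance with the same rule set as production; the per-reload figure it prints, multiplied by your reload frequency, gives the restart interval needed to keep the growth bounded until the upstream fix is deployed.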

About this issue

  • State: open
  • Created 2 years ago
  • Comments: 18 (7 by maintainers)

Most upvoted comments

I have identified some leaks when using the --with-lmdb option. I will be addressing those shortly.

[Edit: the issue mentioned here was resolved in #2983 . Note that those leaks are not restricted to rule reload but can occur during each transaction.]

Hey @martinhsv, the modsec library has been built with ./configure --with-pcre2, so PCRE2.

Thanks to all for the ongoing reports

@GNU-Plus-Windows-User : thanks for the specific reference to @pmFromFile.

Interestingly, the suspect functionality seems to have already been noted quite some time ago: https://github.com/SpiderLabs/ModSecurity/blame/b84f32d6f2e2e024cd85d82c6707ce66327eb7d0/src/utils/acmp.cc#L32

… but it had not previously come to my attention.

I can also confirm the memory leak on reload still exists. Personally, I’ve found the memory leak size is based on the number of "modsecurity on;" and "modsecurity_rules_file /path/to/example.conf;" directives and the use of @pmFromFile.
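Taking the preceding comment's observation at face value (that the leaked amount scales with how many modsecurity on; and modsecurity_rules_file directives the configuration contains), one way to reduce the per-reload cost while running an affected version is to declare ModSecurity once at the http level and let the nested server and location blocks inherit it, rather than repeating the directives in every location. The following is an added example, not configuration from this thread or from the ModSecurity project; the paths and upstream names are hypothetical, and it assumes that ModSecurity-nginx directives set in an enclosing context apply to the locations inside it.

```nginx
# Before: each location repeats the directives, so every reload parses
# main.conf (and any @pmFromFile lists it references) once per location.
http {
    server {
        listen 80;
        location /app1 {
            modsecurity on;
            modsecurity_rules_file /etc/nginx/modsec/main.conf;   # hypothetical path
            proxy_pass http://app1;
        }
        location /app2 {
            modsecurity on;
            modsecurity_rules_file /etc/nginx/modsec/main.conf;
            proxy_pass http://app2;
        }
    }
}

# After: a single declaration at http level is inherited by every location;
# only locations that must not be inspected opt out explicitly.
http {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # hypothetical path
    server {
        listen 80;
        location /app1 { proxy_pass http://app1; }
        location /app2 { proxy_pass http://app2; }
        location /static/ {
            modsecurity off;
            root /var/www;
        }
    }
}
```

Check the directive count before and after with something like grep -rc 'modsecurity_rules_file' /etc/nginx/ and confirm that the rule set still applies to the intended locations (for example by sending a request that matches a known blocking rule) before relying on the consolidated layout.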

Known memory leaks of general application that occur when executing nginx reload have been resolved as of v3.0.9.

I will, however, leave this item open for at least a few weeks to allow for any additional reports.

It is probable that any further memory leaks associated with reload are related to less-commonly used features. Specific information about what sorts of Sec* constructs appear to trigger the effect would be helpful.

Hello @Volatus ,

The ModSecurity project has not had a practice of doing patch releases for single issues that are separate from accumulated changes in v3/master. When the next 3.0.x release appears, it will almost certainly be from v3/master as that branch appears at that time.

The next release of 3.0.x is tentatively planned for the moderately soon period (by which I mean within 8-10 weeks) – if that is within your definition of ‘soon’. If that is problematically long for you, you could always build ModSecurity yourself from a point in time that includes the commit that you have referenced.

I do understand, of course, that some installations may have a policy of only allowing use of official releases. If that is the case for you, and the aforementioned timeframe is problematic, I could take that into consideration. But that would have to be weighed against some other factors.

Hi @IanRobertson-wpe ,

Perhaps my response to Volatus answers most of what you are asking about as well.

One other thing I’ll mention is that there is one (smaller) unresolved leak present with common ModSecurity usage. I have a fix for this for which I’ll likely create the PR within a few days.

Thanks for the response. I think we may have a temporary fix that allows us to point to the specific commit that includes the memory leak fix. 8-10 weeks is not bad at all assuming our fix works for the time being.