Thomas Weißschuh created SVN-4880:
-------------------------------------
Summary: Use-after-free of object-pools in
subversion/libsvn_repos/authz.c when used as httpd module
Key: SVN-4880
URL: https://issues.apache.org/jira/browse/SVN-4880
Project: Subversion
Issue Type: Bug
Components: mod_authz_svn
Affects Versions: 1.14.1
Environment: Alpine Linux 3.14 (musl libc)
Apache httpd 2.4.51.
Reporter: Thomas Weißschuh
We are experiencing crashes when using mod_authz_svn with the
AuthzSVNAccessFile setting.
Every time a request is to be served the respective httpd worker will segfault
immediately.
(A full reproduction setup is posted in the ML thread)
I debugged this down to the following sequence:
mod_authz_svn registers a post_config handler with the httpd core.
This handler will use the memory pool passed as its first argument to set up a
childpool in svn_repos_authz_initialize().
This childpool is then cached in a static variable (authz_pool) and never
updated again because of the caching logic inside svn_repos_authz_initialize().
httpd core however calls the post_config hook multiple times.
(httpd server/main.c line 740 and 807).
In between those calls the memory pool passed to the hook is cleared in line
750.
This means that the static variables in authz.c point to memory of a destroyed
pool.
In our case this memory is reused by another pool leading to use-after-free
issues like these segfaults.
[~stsp] indicated on the ML that similar issues probably also occur in
svn_fs_initialize() and other places.
Source lines for httpd main.c:
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/main.c?view=markup&pathrev=1874286
ML discussion: https://lists.apache.org/thread/lvrbx4dd39cxc4dq52rn7zzb7hzcr0po
Cc [~stsp]
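The pool lifecycle described in the report, as an added example (not Subversion's or httpd's code): a toy pool type constructed to stand in for APR, with a cleanup callback modelling apr_pool_cleanup_register(), replays the post_config / clear / post_config sequence against the static-cache pattern from the report and against a fix that resets the cache when the hook pool is cleared. The names authz_init_buggy, authz_init_fixed and replay_post_config are the example's own.

```c
#include <stddef.h>

/* Toy pool model (constructed, not APR): a parent tracks one child, whether
 * that child is still live, and one cleanup callback run on clear. */
typedef struct pool pool_t;
struct pool {
    pool_t *child;               /* subpool created from this pool */
    int child_live;              /* set to 0 when the parent is cleared */
    void (*cleanup)(void *);     /* stands in for apr_pool_cleanup_register() */
};
static pool_t child_storage;     /* backing memory for the single child */

static pool_t *pool_create_child(pool_t *parent) {
    parent->child = &child_storage;
    parent->child_live = 1;
    return parent->child;
}

/* Like apr_pool_clear(): run cleanups, then destroy every child pool. */
static void pool_clear(pool_t *p) {
    if (p->cleanup) p->cleanup(NULL);
    p->cleanup = NULL;
    p->child_live = 0;
    p->child = NULL;
}

/* Pattern from the report: the child pool is cached in a static on the first
 * call and never refreshed, so the second call returns a destroyed pool. */
static pool_t *authz_pool_buggy;
static pool_t *authz_init_buggy(pool_t *hook_pool) {
    if (!authz_pool_buggy) authz_pool_buggy = pool_create_child(hook_pool);
    return authz_pool_buggy;
}

/* Hardened pattern: a cleanup on the hook pool resets the static cache when
 * that pool is cleared, so the next call creates a fresh child pool. */
static pool_t *authz_pool_fixed;
static void reset_authz_pool(void *unused) { (void)unused; authz_pool_fixed = NULL; }
static pool_t *authz_init_fixed(pool_t *hook_pool) {
    if (!authz_pool_fixed) {
        authz_pool_fixed = pool_create_child(hook_pool);
        hook_pool->cleanup = reset_authz_pool;
    }
    return authz_pool_fixed;
}

/* Replays httpd: post_config, pool clear, post_config. Returns 1 if the module
 * holds a live child of the hook pool, 0 if it holds a dangling pointer. */
static int replay_post_config(pool_t *(*init)(pool_t *)) {
    pool_t hook = {0};
    init(&hook);
    pool_clear(&hook);
    pool_t *p = init(&hook);
    return p != NULL && p == hook.child && hook.child_live;
}
```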
--
This message was sent by Atlassian Jira
(v8.3.4#803005)