[ 
https://issues.apache.org/jira/browse/SVN-4880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17438774#comment-17438774
 ] 

Thomas Weißschuh commented on SVN-4880:
---------------------------------------

[~stsp] Thanks for the excellent support!

Do you want me to close the ticket or do you want to keep it open until the fix 
is released?

(Feel free to close it, too)

> Use-after-free of object-pools in subversion/libsvn_repos/authz.c when used 
> as httpd module
> -------------------------------------------------------------------------------------------
>
>                 Key: SVN-4880
>                 URL: https://issues.apache.org/jira/browse/SVN-4880
>             Project: Subversion
>          Issue Type: Bug
>          Components: mod_authz_svn
>    Affects Versions: 1.14.1
>         Environment: Alpine Linux 3.14 (musl libc)
> Apache httpd 2.4.51.
>            Reporter: Thomas Weißschuh
>            Priority: Major
>
> We are experiencing crashes when using mod_authz_svn with the 
> AuthzSVNAccessFile setting.
> Every time a request is to be served the respective httpd worker will 
> segfault immediately.
> (A full reproduction setup is posted in the ML thread)
> I debugged this down to the following sequence:
> mod_authz_svn registers a post_config handler with the httpd core.
> This handler will use the memory pool passed as its first argument to set up 
> a childpool in svn_repos_authz_initialize().
> This childpool is then cached in a static variable (authz_pool) and never 
> updated again because of the caching logic inside 
> svn_repos_authz_initialize().
> httpd core however calls the post_config hook multiple times.
> (httpd server/main.c line 740 and 807).
> In between those calls the memory pool passed to the hook is cleared in line 
> 750.
> This means that the static variables in authz.c point to memory of a 
> destroyed pool.
> In our case this memory is reused by another pool leading to use-after-free 
> issues like these segfaults.
> [~stsp] indicated on the ML that similar issues probably also occur in 
> svn_fs_initialize() and other places.
> Source lines for httpd main.c: 
> https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/main.c?view=markup&pathrev=1874286
> ML discussion: 
> https://lists.apache.org/thread/lvrbx4dd39cxc4dq52rn7zzb7hzcr0po
> Cc [~stsp]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
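The sequence in the bug description (post_config pass, clear of the config pool, second post_config pass, then a request using the cached child pool) can be replayed with a toy pool. The following C program is an added illustration and is not APR, httpd or Subversion code: the `pool` type stands in for an APR pool, with cleared child pools flagged dead instead of being freed so that the stale access is detectable rather than undefined behaviour. The "cached once" variant reproduces the pattern described for `svn_repos_authz_initialize()`; the second variant registers a cleanup on the parent pool that drops the cached pointer, which is a standard APR idiom (`apr_pool_cleanup_register`) and is assumed here as a way to avoid the hazard, not stated as the fix that was committed for this ticket.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for an APR pool (illustration only, not APR code). Clearing a
 * pool runs its cleanups and destroys its child pools; destroyed pools stay
 * allocated but flagged dead so a stale reference can be checked safely. */
#define MAXN 8
typedef void (*cleanup_fn)(void *data);

typedef struct pool {
    struct pool *children[MAXN];
    int nchildren;
    cleanup_fn cleanups[MAXN];
    void *cleanup_data[MAXN];
    int ncleanups;
    int alive;                        /* 0 once destroyed by a parent clear */
} pool;

static pool *pool_create(pool *parent)
{
    pool *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->alive = 1;
    if (parent) {
        if (parent->nchildren == MAXN) abort();
        parent->children[parent->nchildren++] = p;
    }
    return p;
}

static void pool_register_cleanup(pool *p, cleanup_fn fn, void *data)
{
    if (p->ncleanups == MAXN) abort();
    p->cleanups[p->ncleanups] = fn;
    p->cleanup_data[p->ncleanups] = data;
    p->ncleanups++;
}

/* Mirrors apr_pool_clear(): run cleanups, then destroy every child pool.
 * The parent itself stays usable afterwards. */
static void pool_clear(pool *p)
{
    for (int i = 0; i < p->ncleanups; i++)
        p->cleanups[i](p->cleanup_data[i]);
    p->ncleanups = 0;
    for (int i = 0; i < p->nchildren; i++) {
        pool_clear(p->children[i]);
        p->children[i]->alive = 0;    /* real APR frees this memory for reuse */
    }
}

static void pool_destroy(pool *p)
{
    pool_clear(p);
    for (int i = 0; i < p->nchildren; i++)
        free(p->children[i]);
    free(p);
}

/* Pattern from the report: a child of the post_config pool is cached in a
 * static and never refreshed, so it dangles once the parent is cleared. */
static pool *authz_pool_cached = NULL;

static pool *authz_initialize_cached(pool *p)
{
    if (authz_pool_cached == NULL)
        authz_pool_cached = pool_create(p);
    return authz_pool_cached;
}

/* Assumed defensive variant: a cleanup on the parent pool drops the cached
 * pointer, so the next post_config pass creates a fresh child pool. */
static pool *authz_pool_reset_on_clear = NULL;

static void authz_drop_cache(void *data)
{
    (void)data;
    authz_pool_reset_on_clear = NULL;
}

static pool *authz_initialize_reset_on_clear(pool *p)
{
    if (authz_pool_reset_on_clear == NULL) {
        authz_pool_reset_on_clear = pool_create(p);
        pool_register_cleanup(p, authz_drop_cache, NULL);
    }
    return authz_pool_reset_on_clear;
}

/* Replays the httpd startup from the report: post_config, clear of pconf,
 * post_config again, then a request using the cached authz pool.
 * Returns 1 if that pool is live, 0 if the request would touch a dead pool. */
static int simulate_httpd_startup(pool *(*init)(pool *))
{
    authz_pool_cached = NULL;           /* fresh process for each run */
    authz_pool_reset_on_clear = NULL;
    pool *pconf = pool_create(NULL);
    init(pconf);                        /* first post_config pass */
    pool_clear(pconf);                  /* httpd clears pconf in between */
    pool *authz = init(pconf);          /* second post_config pass */
    int live = authz->alive;            /* what a request handler would use */
    pool_destroy(pconf);
    return live;
}

int main(void)
{
    printf("cached once, never refreshed: %s\n",
           simulate_httpd_startup(authz_initialize_cached) ? "live" : "dangling");
    printf("cache dropped by pool cleanup: %s\n",
           simulate_httpd_startup(authz_initialize_reset_on_clear) ? "live" : "dangling");
    return 0;
}
```

With real APR the dead child's memory goes back to the allocator and is handed to the next pool that asks for it, which is why the symptom is a segfault in the request handler rather than a clean failure; the cleanup-based reset only helps if every static that caches a pool or pool-allocated object is reset by it, which is the same concern the reporter raises for `svn_fs_initialize()`.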