[ https://issues.apache.org/jira/browse/SVN-4880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nathan Hartman closed SVN-4880.
-------------------------------
    Fix Version/s: 1.14.2
                   1.10.8
       Resolution: Fixed

This bug is also known as 
[CVE-2022-24070|https://subversion.apache.org/security/CVE-2022-24070-advisory.txt].

It is fixed as of 1.10.8 and 1.14.2.

> Use-after-free of object-pools in subversion/libsvn_repos/authz.c when used 
> as httpd module
> -------------------------------------------------------------------------------------------
>
>                 Key: SVN-4880
>                 URL: https://issues.apache.org/jira/browse/SVN-4880
>             Project: Subversion
>          Issue Type: Bug
>          Components: mod_authz_svn
>    Affects Versions: 1.14.1
>         Environment: Alpine Linux 3.14 (musl libc)
> Apache httpd 2.4.51.
>            Reporter: Thomas Weißschuh
>            Priority: Major
>             Fix For: 1.15, 1.14.2, 1.10.8
>
>
> We are experiencing crashes when using mod_authz_svn with the 
> AuthzSVNAccessFile setting.
> Every time a request is to be served the respective httpd worker will 
> segfault immediately.
> (A full reproduction setup is posted in the ML thread)
> I debugged this down to the following sequence:
> mod_authz_svn registers a post_config handler with the httpd core.
> This handler will use the memory pool passed as its first argument to set up 
> a childpool in svn_repos_authz_initialize().
> This childpool is then cached in a static variable (authz_pool) and never 
> updated again because of the caching logic inside 
> svn_repos_authz_initialize().
> httpd core however calls the post_config hook multiple times.
> (httpd server/main.c lines 740 and 807).
> In between those calls the memory pool passed to the hook is cleared in line 
> 750.
> This means that the static variables in authz.c point to memory of a 
> destroyed pool.
> In our case this memory is reused by another pool leading to use-after-free 
> issues like these segfaults.
> [~stsp] indicated on the ML that similar issues probably also occur in 
> svn_fs_initialize() and other places.
> Source lines for httpd main.c: 
> https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/main.c?view=markup&pathrev=1874286
> ML discussion: 
> https://lists.apache.org/thread/lvrbx4dd39cxc4dq52rn7zzb7hzcr0po
> Cc [~stsp]
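The pool-lifetime problem described in the report, as an added example that is not part of the Jira issue or of Subversion's own fix: a minimal stand-in for an APR pool (a constructed simulation, not libapr) shows why caching a child pool in a static across a parent-pool clear leaves a dangling pointer, and one defensive pattern (an assumption of this example) that registers a cleanup on the parent so the cache is dropped whenever the parent is cleared.

```c
#include <stdlib.h>

/* Constructed stand-in for an APR pool: a parent owns one child and runs a
 * registered cleanup when cleared. A dead child is marked, not freed, so the
 * stale pointer stays inspectable; a real pool would release the memory. */
typedef struct pool {
    struct pool *child;
    void (*cleanup)(void *);
    void *cleanup_data;
    int alive;
} pool_t;

static pool_t *pool_create(pool_t *parent) {
    pool_t *p = calloc(1, sizeof *p);
    p->alive = 1;
    if (parent) parent->child = p;
    return p;
}

/* Mirrors apr_pool_clear() order: run cleanups first, then destroy children. */
static void pool_clear(pool_t *p) {
    if (p->cleanup) { p->cleanup(p->cleanup_data); p->cleanup = NULL; }
    if (p->child) { p->child->alive = 0; p->child = NULL; }
}

/* Buggy pattern from the report: the child pool is cached in a static on the
 * first call and never refreshed, even after the parent (pconf) is cleared. */
static pool_t *authz_pool_buggy;
pool_t *authz_initialize_buggy(pool_t *config_pool) {
    if (!authz_pool_buggy) authz_pool_buggy = pool_create(config_pool);
    return authz_pool_buggy;
}

/* Defensive pattern (hypothetical, not Subversion's patch): a cleanup on the
 * parent resets the static cache, so the next call rebuilds a live child. */
static pool_t *authz_pool_fixed;
static void reset_authz_cache(void *unused) { (void)unused; authz_pool_fixed = NULL; }
pool_t *authz_initialize_fixed(pool_t *config_pool) {
    if (!authz_pool_fixed) {
        authz_pool_fixed = pool_create(config_pool);
        config_pool->cleanup = reset_authz_cache;   /* apr_pool_cleanup_register() in APR */
    }
    return authz_pool_fixed;
}

/* Simulates httpd: post_config, clear pconf, post_config again.
 * Returns 1 when the second call hands back a pool that is still alive. */
int second_call_is_alive(pool_t *(*init)(pool_t *)) {
    pool_t pconf = {0};
    init(&pconf);
    pool_clear(&pconf);
    return init(&pconf)->alive;
}
```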



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
