Author: svn-role Date: Tue Mar 29 04:01:18 2022 New Revision: 1899339 URL: http://svn.apache.org/viewvc?rev=1899339&view=rev Log: Merge r1894734 from trunk:
* r1894734 Fix issue #4880, "Use-after-free of object-pools when running in httpd" Justification: Subversion should not crash. User complained. Votes: +1: stsp, hartmannathan, rhuijben Modified: subversion/branches/1.14.x/ (props changed) subversion/branches/1.14.x/STATUS subversion/branches/1.14.x/subversion/libsvn_repos/authz.c Propchange: subversion/branches/1.14.x/ ------------------------------------------------------------------------------ Merged /subversion/trunk:r1894734 Modified: subversion/branches/1.14.x/STATUS URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/STATUS?rev=1899339&r1=1899338&r2=1899339&view=diff ============================================================================== --- subversion/branches/1.14.x/STATUS (original) +++ subversion/branches/1.14.x/STATUS Tue Mar 29 04:01:18 2022 @@ -63,13 +63,6 @@ Veto-blocked changes: Approved changes: ================= - * r1894734 - Fix issue #4880, "Use-after-free of object-pools when running in httpd" - Justification: - Subversion should not crash. User complained. - Votes: - +1: stsp, hartmannathan, rhuijben - * r1899227 Don't show unreadable copyfrom paths in 'svn log -v' Justification: Modified: subversion/branches/1.14.x/subversion/libsvn_repos/authz.c URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/subversion/libsvn_repos/authz.c?rev=1899339&r1=1899338&r2=1899339&view=diff ============================================================================== --- subversion/branches/1.14.x/subversion/libsvn_repos/authz.c (original) +++ subversion/branches/1.14.x/subversion/libsvn_repos/authz.c Tue Mar 29 04:01:18 2022 @@ -130,6 +130,30 @@ static svn_object_pool__t *authz_pool = static svn_object_pool__t *filtered_pool = NULL; static svn_atomic_t authz_pool_initialized = FALSE; +/* + * Ensure that we will initialize authz again if the pool which + * our authz caches depend on is cleared. + * + * HTTPD may run pre/post config hooks multiple times and clear + * its global configuration pool which our authz pools depend on. + * This happens in a non-threaded context during HTTPD's intialization + * and HTTPD's main loop, so it is safe to reset static variables here. + * (And any applications which cleared this pool while SVN threads + * were running would crash no matter what.) + * + * See issue #4880, "Use-after-free of object-pools in + * subversion/libsvn_repos/authz.c when used as httpd module" + */ +static apr_status_t +deinit_authz(void *data) +{ + /* The two object pools run their own cleanup handlers. */ + authz_pool = NULL; + filtered_pool = NULL; + authz_pool_initialized = FALSE; + return APR_SUCCESS; +} + /* Implements svn_atomic__err_init_func_t. */ static svn_error_t * synchronized_authz_initialize(void *baton, apr_pool_t *pool) @@ -143,6 +167,7 @@ synchronized_authz_initialize(void *bato SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool)); SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool)); + apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null); return SVN_NO_ERROR; }