On 2021-11-03 16:34+0100, Stefan Sperling wrote:
> On Wed, Nov 03, 2021 at 04:21:34PM +0100, Thomas Weißschuh wrote:
> > Hi everybody,
> >
> > While investigating persistent segmentation faults in mod_dav_svn I found
> > invalid uses of object pools in subversion/libsvn_repos/authz.c.
> >
> > In svn_repos_authz_initialize() the object pools passed in during the
> > configuration phase are stored in static variables.
> > For some reason the configuration phase runs multiple times and the
> > previously used object pools are freed.
> >
> > Because cached references to these freed object pools are still used inside
> > authz.c, accesses to that memory will read invalid data from other parts of
> > Apache, leading to segmentation faults.
> >
> > Maybe the issue happens especially on Alpine Linux because they are using
> > musl libc with its own memory allocator, which may behave differently than
> > glibc and more directly reuse freed memory.
> >
> > I was able to work around the issue by removing the caching logic in
> > svn_repos_authz_initialize() and always calling
> > synchronized_authz_initialize().
> >
> > Thanks,
> > Thomas
>
> I guess this means the implementation of apr_atomic_cas32() is not working
> correctly on your system? svn_atomic__init_once() relies on this.
The svn_atomic__init_once() inside svn_repos_authz_initialize() seems to work
correctly. synchronized_authz_initialize() is only executed once.

I am arguing that it should *not* be executed only once, because the pools
that it gets called with the first time will be invalid when it is called the
second time. So it should rebuild authz_pool with the new parent pool.

Replacing the call through svn_atomic__init_once() with an unconditional call
makes the issue go away.

> There are regression tests for atomics in APR.
> You could try to run these tests to see if there are any failures.
> If broken atomics turn out to be the root cause of this problem
> then please file an issue with the APR project instead.

I'll try that, too. But as explained above it does not seem likely to me.

Thanks,
Thomas
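The failure mode discussed in the thread, as an added example that is not Subversion's or APR's own code: an init-once routine caches a pool pointer in a static, the parent pool is destroyed when Apache reruns the configuration phase, and every later call hands back the stale pointer. The pool type below is a constructed stand-in for APR pools (a fixed table whose destroyed slots are reused on the next create, mimicking an allocator that hands freed memory straight back), so a stale pointer can be inspected instead of being a real use-after-free. `authz_init_cached` models the init-once behaviour described above; `authz_init_rebuilding` uses the APR idiom of a pool cleanup (the real call is `apr_pool_cleanup_register`) to drop the cached pointer when the parent dies, so the next configuration run rebuilds it. The names `pool_t`, `simulate_two_config_runs` and the two `authz_init_*` functions are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of APR pools for this example (not APR's real code).
   Pools live in a fixed table; a destroyed slot is reused by the next
   pool_create, like a freed chunk that the allocator hands back at once. */
#define MAX_POOLS 8
#define MAX_CLEANUPS 4

typedef struct pool_t pool_t;
typedef void (*cleanup_fn)(void *data);

struct pool_t {
    pool_t *parent;
    bool in_use;
    bool destroyed;
    int ncleanups;
    cleanup_fn cleanups[MAX_CLEANUPS];
    void *cleanup_data[MAX_CLEANUPS];
};

static pool_t pool_table[MAX_POOLS];

pool_t *pool_create(pool_t *parent) {
    for (int i = 0; i < MAX_POOLS; i++) {
        pool_t *p = &pool_table[i];
        if (!p->in_use || p->destroyed) {
            *p = (pool_t){0};          /* reuse the slot, stale pointers stay stale */
            p->in_use = true;
            p->parent = parent;
            return p;
        }
    }
    return NULL;
}

/* Models apr_pool_cleanup_register(): run fn(data) when the pool dies. */
void pool_cleanup_register(pool_t *p, cleanup_fn fn, void *data) {
    p->cleanups[p->ncleanups] = fn;
    p->cleanup_data[p->ncleanups] = data;
    p->ncleanups++;
}

/* Destroying a pool runs its cleanups and destroys its child pools too. */
void pool_destroy(pool_t *p) {
    for (int i = 0; i < p->ncleanups; i++)
        p->cleanups[i](p->cleanup_data[i]);
    for (int i = 0; i < MAX_POOLS; i++) {
        pool_t *c = &pool_table[i];
        if (c->in_use && !c->destroyed && c->parent == p)
            pool_destroy(c);
    }
    p->destroyed = true;
}

/* Statics cached across configuration runs, as in the report above. */
static pool_t *authz_pool;
static bool authz_initialized;

/* Init-once model: the first config pool is used forever, even after it
   has been destroyed. The flag stands in for svn_atomic__init_once. */
pool_t *authz_init_cached(pool_t *config_pool) {
    if (!authz_initialized) {
        authz_pool = pool_create(config_pool);
        authz_initialized = true;
    }
    return authz_pool;
}

static void forget_authz_pool(void *unused) {
    (void)unused;
    authz_pool = NULL;              /* parent is going away: drop the cache */
    authz_initialized = false;      /* so the next call rebuilds under the new parent */
}

pool_t *authz_init_rebuilding(pool_t *config_pool) {
    if (!authz_initialized) {
        authz_pool = pool_create(config_pool);
        pool_cleanup_register(config_pool, forget_authz_pool, NULL);
        authz_initialized = true;
    }
    return authz_pool;
}

/* Run the configuration phase twice, destroying the first run's pool in
   between, and report whether the second call returned a live pool whose
   parent is the pool it was actually called with. */
bool simulate_two_config_runs(pool_t *(*init)(pool_t *)) {
    for (int i = 0; i < MAX_POOLS; i++) pool_table[i] = (pool_t){0};
    authz_pool = NULL;
    authz_initialized = false;

    pool_t *cfg1 = pool_create(NULL);
    (void)init(cfg1);
    pool_destroy(cfg1);                 /* first run's pools are freed */
    pool_t *cfg2 = pool_create(NULL);   /* lands in cfg1's old slot */
    pool_t *a = init(cfg2);
    return a != NULL && !a->destroyed && a->parent == cfg2;
}

int main(void) {
    printf("init-once caching survives reconfigure: %s\n",
           simulate_two_config_runs(authz_init_cached) ? "yes" : "no");
    printf("cleanup-based rebuild survives reconfigure: %s\n",
           simulate_two_config_runs(authz_init_rebuilding) ? "yes" : "no");
    return 0;
}
```

Comparing the parent pointer passed in against the cached one would not be enough on its own: as the simulation shows, the second configuration pool can land at the same address as the first, so only a cleanup tied to the parent's lifetime (or, as the workaround in the thread does, an unconditional rebuild) reliably invalidates the cache.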