Posted to issues@subversion.apache.org by "Daniel Sahlberg (Jira)" <ji...@apache.org> on 2022/01/06 22:21:00 UTC

[jira] [Updated] (SVN-4880) Use-after-free of object-pools in subversion/libsvn_repos/authz.c when used as httpd module

     [ https://issues.apache.org/jira/browse/SVN-4880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Sahlberg updated SVN-4880:
---------------------------------
    Fix Version/s: 1.15

> Use-after-free of object-pools in subversion/libsvn_repos/authz.c when used as httpd module
> -------------------------------------------------------------------------------------------
>
>                 Key: SVN-4880
>                 URL: https://issues.apache.org/jira/browse/SVN-4880
>             Project: Subversion
>          Issue Type: Bug
>          Components: mod_authz_svn
>    Affects Versions: 1.14.1
>         Environment: Alpine Linux 3.14 (musl libc)
> Apache httpd 2.4.51.
>            Reporter: Thomas Weißschuh
>            Priority: Major
>             Fix For: 1.15
>
>
> We are experiencing crashes when using mod_authz_svn with the AuthzSVNAccessFile setting.
> Every time a request is to be served the respective httpd worker will segfault immediately.
> (A full reproduction setup is posted in the ML thread)
> I debugged this down to the following sequence:
> mod_authz_svn registers a post_config handler with the httpd core.
> This handler will use the memory pool passed as its first argument to set up a childpool in svn_repos_authz_initialize().
> This childpool is then cached in a static variable (authz_pool) and never updated again because of the caching logic inside svn_repos_authz_initialize().
> httpd core however calls the post_config hook multiple times.
> (httpd server/main.c lines 740 and 807).
> In between those calls the memory pool passed to the hook is cleared in line 750.
> This means that the static variables in authz.c point to memory of a destroyed pool.
> In our case this memory is reused by another pool leading to use-after-free issues like these segfaults.
> [~stsp] indicated on the ML that similar issues probably also occur in svn_fs_initialize() and other places.
> Source lines for httpd main.c: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/main.c?view=markup&pathrev=1874286
> ML discussion: https://lists.apache.org/thread/lvrbx4dd39cxc4dq52rn7zzb7hzcr0po
> Cc [~stsp]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
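The lifetime hazard the report describes, as an added example that is not part of the issue or of Subversion's code: a toy pool model (constructed here, not APR) with a generation counter that the clear operation bumps, a static cache populated once from the hook's pool and never revalidated, and, for contrast, one illustrative mitigation pattern (a pool cleanup that forgets the static so the next hook call re-initializes). The mitigation is an assumption for illustration, not the fix actually applied to SVN-4880.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy stand-in for an APR pool (constructed for this example): an arena, one
 * cleanup callback and a generation counter that pool_clear() increments. */
typedef struct pool { char arena[256]; size_t used; unsigned generation; void (*cleanup)(void); } pool;
/* Stand-in for the authz child pool created from the hook's pool. */
typedef struct child_pool { pool *parent; unsigned born; } child_pool;
static void *pool_alloc(pool *p, size_t n) {
    if (p->used + n > sizeof p->arena) return NULL;
    void *m = p->arena + p->used; p->used += n; return m;
}
/* Like apr_pool_clear(): run cleanups, then make the arena reusable. */
static void pool_clear(pool *p) {
    if (p->cleanup) p->cleanup();
    p->cleanup = NULL; p->used = 0; p->generation++;
}
/* A cached child is stale once its parent was cleared after the child was made. */
static bool child_is_stale(const child_pool *c) { return c == NULL || c->born != c->parent->generation; }
/* Bug pattern from the report: init once, cache in a static, never revalidate. */
static child_pool *authz_buggy;
static child_pool *authz_init_buggy(pool *p) {
    if (!authz_buggy) {
        authz_buggy = pool_alloc(p, sizeof *authz_buggy);
        *authz_buggy = (child_pool){ p, p->generation };
    }
    return authz_buggy;
}
/* Illustrative mitigation (assumption, not the project's fix): a pool cleanup
 * forgets the static so the next call re-initializes from the live pool. */
static child_pool *authz_fixed;
static void forget_authz(void) { authz_fixed = NULL; }
static child_pool *authz_init_fixed(pool *p) {
    if (!authz_fixed) {
        authz_fixed = pool_alloc(p, sizeof *authz_fixed);
        *authz_fixed = (child_pool){ p, p->generation };
        p->cleanup = forget_authz;
    }
    return authz_fixed;
}
/* Models httpd's config pool: post_config runs twice, cleared in between. */
static pool hook_pool;
static bool stale_after_second_hook(child_pool *(*init)(pool *)) {
    hook_pool = (pool){0};
    authz_buggy = authz_fixed = NULL;
    init(&hook_pool);
    pool_clear(&hook_pool);
    return child_is_stale(init(&hook_pool));
}
```

In a real pool the cleared arena is handed out again, so the stale static aliases whatever the next allocation places there, which is the reuse the report observes.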