Posted to issues@subversion.apache.org by "Thomas Weißschuh (Jira)" <ji...@apache.org> on 2021/11/04 08:21:00 UTC

[jira] [Commented] (SVN-4880) Use-after-free of object-pools in subversion/libsvn_repos/authz.c when used as httpd module

    [ https://issues.apache.org/jira/browse/SVN-4880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17438548#comment-17438548 ] 

Thomas Weißschuh commented on SVN-4880:
---------------------------------------

I was able to work around the issue in two different ways.


1) Remove the caching logic in authz.c. This is easy to do but still leaves the possibility of invalid object accesses when the pool is freed but the post_config hook is not executed again.

2) Extend svn_object_pool to allow users to register cleanup hooks via apr_pool_cleanup_register() and use that from authz.c to forget the caches.

> Use-after-free of object-pools in subversion/libsvn_repos/authz.c when used as httpd module
> -------------------------------------------------------------------------------------------
>
>                 Key: SVN-4880
>                 URL: https://issues.apache.org/jira/browse/SVN-4880
>             Project: Subversion
>          Issue Type: Bug
>          Components: mod_authz_svn
>    Affects Versions: 1.14.1
>         Environment: Alpine Linux 3.14 (musl libc)
> Apache httpd 2.4.51.
>            Reporter: Thomas Weißschuh
>            Priority: Major
>
> We are experiencing crashes when using mod_authz_svn with the AuthzSVNAccessFile setting.
> Every time a request is to be served the respective httpd worker will segfault immediately.
> (A full reproduction setup is posted in the ML thread)
> I debugged this down to the following sequence:
> mod_authz_svn registers a post_config handler with the httpd core.
> This handler will use the memory pool passed as its first argument to set up a childpool in svn_repos_authz_initialize().
> This childpool is then cached in a static variable (authz_pool) and never updated again because of the caching logic inside svn_repos_authz_initialize().
> httpd core however calls the post_config hook multiple times.
> (httpd server/main.c lines 740 and 807).
> In between those calls the memory pool passed to the hook is cleared in line 750.
> This means that the static variables in authz.c point to memory of a destroyed pool.
> In our case this memory is reused by another pool leading to use-after-free issues like these segfaults.
> [~stsp] indicated on the ML that similar issues probably also occur in svn_fs_initialize() and other places.
> Source lines for httpd main.c: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/main.c?view=markup&pathrev=1874286
> ML discussion: https://lists.apache.org/thread/lvrbx4dd39cxc4dq52rn7zzb7hzcr0po
> Cc [~stsp]
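Added example, not code from Subversion, APR or httpd: a constructed C model of the init -> clear -> init sequence described in the report, showing the static cache left dangling by the original caching logic and the same cache reset by a pool cleanup hook, as in workaround 2 above. The pool type and the pool_alloc, pool_cleanup_register, pool_clear and authz_initialize names are hypothetical stand-ins for the APR and libsvn_repos functions.

```c
/* Constructed model of the SVN-4880 lifecycle; not APR or Subversion code.
 * The toy pool owns allocations and runs registered cleanups when cleared,
 * mirroring apr_pool_clear() and apr_pool_cleanup_register() (names here are
 * hypothetical stand-ins). */
#include <stdlib.h>
#include <stddef.h>

typedef void (*cleanup_fn)(void *data);
typedef struct pool {
    void *blocks[8];        int nblocks;    /* allocations owned by the pool */
    cleanup_fn cleanups[8]; void *cleanup_data[8]; int ncleanups;
} pool_t;

static void *pool_alloc(pool_t *p, size_t n) {
    return p->blocks[p->nblocks++] = calloc(1, n);
}
static void pool_cleanup_register(pool_t *p, void *data, cleanup_fn fn) {
    p->cleanup_data[p->ncleanups] = data;
    p->cleanups[p->ncleanups++] = fn;
}
/* Run cleanups first, then release memory, as apr_pool_clear() does. */
static void pool_clear(pool_t *p) {
    for (int i = 0; i < p->ncleanups; i++) p->cleanups[i](p->cleanup_data[i]);
    for (int i = 0; i < p->nblocks; i++) free(p->blocks[i]);
    p->nblocks = p->ncleanups = 0;
}

/* Cached state, set once and never refreshed: the caching logic of authz.c. */
static pool_t *authz_pool;
static void *authz_cache;
static void forget_authz_cache(void *d) { (void)d; authz_pool = NULL; authz_cache = NULL; }

/* Stand-in for svn_repos_authz_initialize(): with_cleanup=0 reproduces the
 * bug, with_cleanup=1 applies workaround 2 (a cleanup hook on the pool). */
static void authz_initialize(pool_t *pool, int with_cleanup) {
    if (authz_pool) return;              /* cache hit: skip re-initialisation */
    authz_pool = pool;
    authz_cache = pool_alloc(pool, 64);
    if (with_cleanup) pool_cleanup_register(pool, NULL, forget_authz_cache);
}

/* Drives init -> clear -> init, as httpd's repeated post_config passes do.
 * Returns 1 when the static cache still points into a pool with no live
 * allocations, i.e. the dangling state behind the reported segfaults. */
static int cache_dangles_after_clear(int with_cleanup) {
    pool_t pconf = {0};
    authz_pool = NULL; authz_cache = NULL;        /* reset statics per run */
    authz_initialize(&pconf, with_cleanup);       /* first post_config */
    pool_clear(&pconf);                           /* httpd clears the pool */
    authz_initialize(&pconf, with_cleanup);       /* second post_config */
    int dangling = authz_cache != NULL && pconf.nblocks == 0;
    pool_clear(&pconf);                           /* release second run */
    return dangling;
}
```

The model never dereferences the stale pointer; it only reports whether the cache still refers to a pool whose allocations have been released.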


