Posted to commits@apr.apache.org by yl...@apache.org on 2020/11/23 15:13:15 UTC

svn propchange: r1883750 - svn:log

Author: ylavic
Revision: 1883750
Modified property: svn:log

Modified: svn:log at Mon Nov 23 15:13:15 2020
------------------------------------------------------------------------------
--- svn:log (original)
+++ svn:log Mon Nov 23 15:13:15 2020
@@ -9,3 +9,52 @@ While pool_destroy_debug()=>apr_pool_cle
 pool_destroy_debug() for all the children pools, this does not cause a deadlock
 because apr_pool_clear_debug() locks the parent pool only (not the pool itself)
 and thus pool_destroy_debug(pool->child) locks the current pool with no issue.
+
+This fixes use-after-free like the below in httpd (with -D APR_POOL_DEBUG):
+
+=================================================================
+==2026856==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600025acf0 at pc 0x7fe738f4c5be bp 0x7fe718598110 sp 0x7fe718598108
+READ of size 8 at 0x60600025acf0 thread T51
+    #0 0x7fe738f4c5bd in apr_thread_mutex_lock locks/unix/thread_mutex.c:124
+    #1 0x7fe738f4e01c in apr_pool_walk_tree memory/unix/apr_pools.c:1505
+    #2 0x7fe738f4e066 in apr_pool_walk_tree memory/unix/apr_pools.c:1511
+    #3 0x7fe738f4e066 in apr_pool_walk_tree memory/unix/apr_pools.c:1511
+    #4 0x7fe738f4e066 in apr_pool_walk_tree memory/unix/apr_pools.c:1511
+    #5 0x7fe738f5027c in apr_pool_find memory/unix/apr_pools.c:2291
+    #6 0x7fe738f14aba in apr_table_mergen tables/apr_tables.c:746
+    #7 0x5578ad926a25 in ap_set_keepalive /home/ylavic/src/apache/httpd/trunk/modules/http/http_protocol.c:309
+    #8 0x5578ad93933f in ap_http_header_filter /home/ylavic/src/apache/httpd/trunk/modules/http/http_filters.c:1376
+    #9 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
+    #10 0x5578ad9a67f3 in ap_content_length_filter /home/ylavic/src/apache/httpd/trunk/server/protocol.c:2046
+    #11 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
+    #12 0x5578ad9405ae in ap_byterange_filter /home/ylavic/src/apache/httpd/trunk/modules/http/byterange_filter.c:463
+    #13 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
+    #14 0x7fe7330e398b in ap_headers_output_filter /home/ylavic/src/apache/httpd/trunk/modules/metadata/mod_headers.c:891
+    #15 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
+    #16 0x7fe732e32dba in session_output_filter /home/ylavic/src/apache/httpd/trunk/modules/session/mod_session.c:501
+    #17 0x5578ad98f7bd in ap_pass_brigade /home/ylavic/src/apache/httpd/trunk/server/util_filter.c:783
+    #18 0x5578ad9c8ee5 in default_handler /home/ylavic/src/apache/httpd/trunk/server/core.c:5188
+    #19 0x5578ad9431bb in ap_run_handler /home/ylavic/src/apache/httpd/trunk/server/config.c:170
+    #20 0x5578ad944941 in ap_invoke_handler /home/ylavic/src/apache/httpd/trunk/server/config.c:444
+    #21 0x5578ad92cc23 in ap_process_async_request /home/ylavic/src/apache/httpd/trunk/modules/http/http_request.c:463
+    #22 0x5578ad924d7c in ap_process_http_async_connection /home/ylavic/src/apache/httpd/trunk/modules/http/http_core.c:158
+    #23 0x5578ad925410 in ap_process_http_connection /home/ylavic/src/apache/httpd/trunk/modules/http/http_core.c:252
+    #24 0x5578ad97e04d in ap_run_process_connection /home/ylavic/src/apache/httpd/trunk/server/connection.c:42
+    #25 0x7fe735c7ef79 in process_socket /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:1097
+    #26 0x7fe735c856a0 in worker_thread /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:2386
+    #27 0x7fe738f7cef4 in dummy_worker threadproc/unix/thread.c:145
+    #28 0x7fe738e3eea6 in start_thread nptl/pthread_create.c:477
+    #29 0x7fe738d6ed4e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfdd4e)
+
+0x60600025acf0 is located 48 bytes inside of 64-byte region [0x60600025acc0,0x60600025ad00)
+freed by thread T63 here:
+    #0 0x7fe7391ed277 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107277)
+    #1 0x7fe738f4e9e5 in pool_clear_debug memory/unix/apr_pools.c:1893
+    #2 0x7fe738f4ecb2 in pool_destroy_debug memory/unix/apr_pools.c:1956
+    #3 0x7fe738f4eeeb in apr_pool_destroy_debug memory/unix/apr_pools.c:2002
+    #4 0x5578ada2534b in ap_queue_info_push_pool /home/ylavic/src/apache/httpd/trunk/server/mpm_fdqueue.c:230
+    #5 0x7fe735c81412 in process_lingering_close /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:1686
+    #6 0x7fe735c7f9bc in process_socket /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:1255
+    #7 0x7fe735c856a0 in worker_thread /home/ylavic/src/apache/httpd/trunk/server/mpm/event/event.c:2386
+    #8 0x7fe738f7cef4 in dummy_worker threadproc/unix/thread.c:145
+    #9 0x7fe738e3eea6 in start_thread nptl/pthread_create.c:477