Package: subversion / 1.14.1-3+deb11u1

Fix-issue-4880-Use-after-free-of-object-pools-when-used-a.patch
From: Stefan Sperling <stsp@apache.org>
Date: Thu, 4 Nov 2021 14:53:30 +0000
Subject: Fix issue #4880 "Use-after-free of object-pools when used as httpd
 module"
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Ensure that we initialize authz again if the pool which our authz
caches depend on is cleared. Apache HTTPD may run pre/post config
hooks multiple times and clear its global configuration pool which
our authz caching pools depend on.

Reported-by: Thomas Weißschuh (thomas {at} t-8ch dot de)

Thomas has also confirmed that this patch fixes the problem.

* subversion/libsvn_repos/authz.c
  (deinit_authz): New pool cleanup handler which resets authz initialization
   in case the parent pool of our authz caches is cleared.
  (synchronized_authz_initialize): Register new pool cleanup handler.

git-svn-id: https://svn.apache.org/repos/asf/subversion/trunk@1894734 13f79535-47bb-0310-9956-ffa450edef68
Signed-off-by: James McCoy <jamessan@debian.org>
---
 subversion/libsvn_repos/authz.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/subversion/libsvn_repos/authz.c b/subversion/libsvn_repos/authz.c
index 0a47a09..a69441f 100644
--- a/subversion/libsvn_repos/authz.c
+++ b/subversion/libsvn_repos/authz.c
@@ -130,6 +130,30 @@ static svn_object_pool__t *authz_pool = NULL;
 static svn_object_pool__t *filtered_pool = NULL;
 static svn_atomic_t authz_pool_initialized = FALSE;
 
+/*
+ * Ensure that we will initialize authz again if the pool which
+ * our authz caches depend on is cleared.
+ *
+ * HTTPD may run pre/post config hooks multiple times and clear
+ * its global configuration pool which our authz pools depend on.
+ * This happens in a non-threaded context during HTTPD's intialization
+ * and HTTPD's main loop, so it is safe to reset static variables here.
+ * (And any applications which cleared this pool while SVN threads
+ * were running would crash no matter what.)
+ *
+ * See issue #4880, "Use-after-free of object-pools in
+ * subversion/libsvn_repos/authz.c when used as httpd module"
+ */
+static apr_status_t
+deinit_authz(void *data)
+{
+  /* The two object pools run their own cleanup handlers. */
+  authz_pool = NULL;
+  filtered_pool = NULL;
+  authz_pool_initialized = FALSE;
+  return APR_SUCCESS;
+}
+
 /* Implements svn_atomic__err_init_func_t. */
 static svn_error_t *
 synchronized_authz_initialize(void *baton, apr_pool_t *pool)
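Review bot: the comment block has a typo, "intialization" should read "initialization". Two smaller points on the same hunk: the `data` argument of `deinit_authz` is never used, so either mark it as intentionally unused or say in the comment that the handler takes no baton; and since `synchronized_authz_initialize` "Implements svn_atomic__err_init_func_t", it would help future readers if the comment stated explicitly that resetting `authz_pool_initialized = FALSE` is what allows the one-time initializer to run again on the next request after the configuration pool has been cleared, which is the whole point of the fix.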
@@ -143,6 +167,7 @@ synchronized_authz_initialize(void *baton, apr_pool_t *pool)
   SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
   SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
 
+  apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
   return SVN_NO_ERROR;
 }
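Review bot: the cleanup is registered only after both `svn_object_pool__create` calls have succeeded, so if the second call fails via `SVN_ERR`, `authz_pool` is left pointing into `pool` with no handler to reset it when that pool is cleared, which is the same stale-pointer condition this patch is meant to remove. Consider registering `deinit_authz` before the two create calls, e.g. moving `apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);` ahead of the first `SVN_ERR(...)`; `deinit_authz` only writes NULL to the statics, so running it on a partially initialized state is harmless. The registration order relative to the object pools' own cleanup handlers does not matter for correctness, since the handler never dereferences the pools, so the move costs nothing.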