Subversion issue SVN-4880

Use-after-free of object-pools in subversion/libsvn_repos/authz.c when used as httpd module

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.14.1
Fix Version/s: 1.15, 1.14.2, 1.10.8
Component/s: mod_authz_svn
Labels: None
Environment: Alpine Linux 3.14 (musl libc), Apache httpd 2.4.51


Description:

We are experiencing crashes when using mod_authz_svn with the AuthzSVNAccessFile setting.
Every time a request is to be served the respective httpd worker will segfault immediately.
(A full reproduction setup is posted in the ML thread.)

I debugged this down to the following sequence:

mod_authz_svn registers a post_config handler with the httpd core.
This handler will use the memory pool passed as its first argument to set up a childpool in svn_repos_authz_initialize().
This childpool is then cached in a static variable (authz_pool) and never updated again because of the caching logic inside svn_repos_authz_initialize().

httpd core however calls the post_config hook multiple times
(httpd server/main.c lines 740 and 807).
In between those calls the memory pool passed to the hook is cleared in line 750.

This means that the static variables in authz.c point to memory of a destroyed pool.
In our case this memory is reused by another pool, leading to use-after-free issues like these segfaults.

stsp indicated on the ML that similar issues probably also occur in svn_fs_initialize() and other places.

Source lines for httpd main.c: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/main.c?view=markup&pathrev=1874286
ML discussion: https://lists.apache.org/thread/lvrbx4dd39cxc4dq52rn7zzb7hzcr0po
Cc stsp

Assignee: Unassigned
Reporter: t-8ch (Thomas Weißschuh)
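The pool-lifetime sequence the report describes, as an added illustration that is not Subversion or httpd code: a toy pool model with generation counters reproduces the stale cached child pool (without real memory corruption) and shows one defensive pattern, a cleanup registered on the parent pool that resets the static cache, which is an assumption here and not necessarily the project's actual fix. All identifiers in the block are invented.

```c
/* Added model, not Subversion or httpd code: toy pools with generation counters
 * show why a child pool cached in a static goes stale when httpd clears the
 * parent between post_config calls, plus one defensive pattern. Names invented. */
#include <stdio.h>
#include <stdlib.h>
typedef struct pool_t {
    struct pool_t *parent;
    unsigned generation;    /* bumped on every clear of this pool */
    unsigned parent_gen;    /* parent's generation when this child was created */
    void (*cleanup)(void);  /* single cleanup slot, run when this pool is cleared */
} pool_t;
static pool_t *pool_create(pool_t *parent) {
    pool_t *p = calloc(1, sizeof *p);  /* toy: never freed, so no real UAF here */
    p->parent = parent; p->parent_gen = parent ? parent->generation : 0;
    return p;
}
/* A child is usable only if no ancestor was cleared after it was created. */
static int pool_valid(const pool_t *p) {
    if (!p || !p->parent) return p != NULL;
    return p->parent_gen == p->parent->generation && pool_valid(p->parent);
}
static void pool_clear(pool_t *p) {
    if (p->cleanup) { p->cleanup(); p->cleanup = NULL; }
    p->generation++;  /* every child created from this pool before now is dead */
}
/* Buggy pattern from the report: create the child pool once, cache it forever. */
static pool_t *authz_pool_buggy;
static pool_t *authz_init_buggy(pool_t *pconf) {
    if (!authz_pool_buggy) authz_pool_buggy = pool_create(pconf);
    return authz_pool_buggy;
}
/* Defensive pattern (an assumption, not necessarily the project's fix): a cleanup
 * registered on the parent drops the cached pointer when the parent is cleared. */
static pool_t *authz_pool_fixed;
static void authz_reset(void) { authz_pool_fixed = NULL; }
static pool_t *authz_init_fixed(pool_t *pconf) {
    if (!authz_pool_fixed) { authz_pool_fixed = pool_create(pconf); pconf->cleanup = authz_reset; }
    return authz_pool_fixed;
}
/* Mimics httpd: post_config, clear pconf, post_config again; 1 = alive, 0 = stale. */
static int simulate(pool_t *(*init)(pool_t *)) {
    pool_t *pconf = pool_create(NULL), *p;
    init(pconf);        /* first post_config call caches a child of pconf */
    pool_clear(pconf);  /* httpd clears pconf between the two calls */
    p = init(pconf);    /* second call: buggy version hands back the stale child */
    return pool_valid(p);
}
int main(void) {  /* prints "buggy: 0 fixed: 1" */
    return printf("buggy: %d fixed: %d\n", simulate(authz_init_buggy), simulate(authz_init_fixed)) < 0;
}
```

Real APR pools free their children on clear, so the stale pointer the buggy path returns is exactly the dangling memory the report describes; the generation check only makes that staleness observable without undefined behaviour.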