packages/subversion
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
subversion/backport-CVE-2022-24070.patch
panxiaohe 14f077fe0e fix CVE-2021-28544 CVE-2022-24070
2022-04-22 11:43:26 +08:00

62 lines
2.4 KiB
Diff
Raw Blame History

Description: Fix issue #4880 "Use-after-free of object-pools when used as httpd module"
Ensure that we initialize authz again if the pool which our authz
caches depend on is cleared. Apache HTTPD may run pre/post config
hooks multiple times and clear its global configuration pool which
our authz caching pools depend on.
Reported-by: Thomas Weißschuh (thomas {at} t-8ch dot de)
Thomas has also confirmed that this patch fixes the problem.
* subversion/libsvn_repos/authz.c
(deinit_authz): New pool cleanup handler which resets authz initialization
in case the parent pool of our authz caches is cleared.
(synchronized_authz_initialize): Register new pool cleanup handler.
Author: Stefan Sperling <stsp@apache.org>
Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1894734
Bug: https://issues.apache.org/jira/browse/SVN-4880
Last-Update: 2022-04-04
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/subversion/libsvn_repos/authz.c
+++ b/subversion/libsvn_repos/authz.c
@@ -130,6 +130,30 @@
static svn_object_pool__t *filtered_pool = NULL;
static svn_atomic_t authz_pool_initialized = FALSE;
+/*
+ * Ensure that we will initialize authz again if the pool which
+ * our authz caches depend on is cleared.
+ *
+ * HTTPD may run pre/post config hooks multiple times and clear
+ * its global configuration pool which our authz pools depend on.
+ * This happens in a non-threaded context during HTTPD's intialization
+ * and HTTPD's main loop, so it is safe to reset static variables here.
+ * (And any applications which cleared this pool while SVN threads
+ * were running would crash no matter what.)
+ *
+ * See issue #4880, "Use-after-free of object-pools in
+ * subversion/libsvn_repos/authz.c when used as httpd module"
+ */
+static apr_status_t
+deinit_authz(void *data)
+{
+ /* The two object pools run their own cleanup handlers. */
+ authz_pool = NULL;
+ filtered_pool = NULL;
+ authz_pool_initialized = FALSE;
+ return APR_SUCCESS;
+}
+
/* Implements svn_atomic__err_init_func_t. */
static svn_error_t *
synchronized_authz_initialize(void *baton, apr_pool_t *pool)
@@ -143,6 +167,7 @@
SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
+ apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
return SVN_NO_ERROR;
}
Reference in New Issue View Git Blame Copy Permalink