[apache2] 02/05: mpm_event: fix use after free

Stefan Fritsch sf at moszumanska.debian.org
Tue Nov 18 14:31:05 UTC 2014



sf pushed a commit to branch master
in repository apache2.

commit 962db6cad5211cab44291f6acc896ad4e00aa716
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Tue Nov 18 14:45:25 2014 +0100

    mpm_event: fix use after free
---
 debian/changelog                             |  1 +
 debian/patches/mpm_event_use_after_free.diff | 89 ++++++++++++++++++++++++++++
 debian/patches/series                        |  1 +
 3 files changed, 91 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c3ec3fd..0bcd831 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ apache2 (2.4.10-8) UNRELEASED; urgency=medium
   * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
     script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
     though it does not seem to be exploitable.
+  * mpm_event: Fix use-after-free that may lead to a server crash.
 
  -- Stefan Fritsch <sf at debian.org>  Mon, 17 Nov 2014 00:38:07 +0100
 
diff --git a/debian/patches/mpm_event_use_after_free.diff b/debian/patches/mpm_event_use_after_free.diff
new file mode 100644
index 0000000..aca9b8f
--- /dev/null
+++ b/debian/patches/mpm_event_use_after_free.diff
@@ -0,0 +1,89 @@
+# Avoid using *cs after it is freed
+#
+# http://svn.apache.org/r1638879
+# http://svn.apache.org/r1640031
+--- apache2.orig/server/mpm/event/event.c
++++ apache2/server/mpm/event/event.c
+@@ -814,7 +814,6 @@ static int start_lingering_close_common(
+         TO_QUEUE_REMOVE(*q, cs);
+         apr_thread_mutex_unlock(timeout_mutex);
+         apr_socket_close(cs->pfd.desc.s);
+-        apr_pool_clear(cs->p);
+         ap_push_pool(worker_queue_info, cs->p);
+         return 0;
+     }
+@@ -832,7 +831,6 @@ static int start_lingering_close_common(
+ static int start_lingering_close_blocking(event_conn_state_t *cs)
+ {
+     if (ap_start_lingering_close(cs->c)) {
+-        apr_pool_clear(cs->p);
+         ap_push_pool(worker_queue_info, cs->p);
+         return 0;
+     }
+@@ -857,7 +855,6 @@ static int start_lingering_close_nonbloc
+     if (c->aborted
+         || apr_socket_shutdown(csd, APR_SHUTDOWN_WRITE) != APR_SUCCESS) {
+         apr_socket_close(csd);
+-        apr_pool_clear(cs->p);
+         ap_push_pool(worker_queue_info, cs->p);
+         return 0;
+     }
+@@ -881,7 +878,6 @@ static int stop_lingering_close(event_co
+         ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf, APLOGNO(00468) "error closing socket");
+         AP_DEBUG_ASSERT(0);
+     }
+-    apr_pool_clear(cs->p);
+     ap_push_pool(worker_queue_info, cs->p);
+     return 0;
+ }
+@@ -959,8 +955,6 @@ static void process_socket(apr_thread_t
+         c = ap_run_create_connection(p, ap_server_conf, sock,
+                                      conn_id, sbh, cs->bucket_alloc);
+         if (!c) {
+-            apr_bucket_alloc_destroy(cs->bucket_alloc);
+-            apr_pool_clear(p);
+             ap_push_pool(worker_queue_info, p);
+             return;
+         }
+@@ -1239,7 +1233,6 @@ static apr_status_t push2worker(const ap
+         apr_socket_close(cs->pfd.desc.s);
+         ap_log_error(APLOG_MARK, APLOG_CRIT, rc,
+                      ap_server_conf, APLOGNO(00471) "push2worker: ap_queue_push failed");
+-        apr_pool_clear(cs->p);
+         ap_push_pool(worker_queue_info, cs->p);
+     }
+ 
+@@ -1376,7 +1369,6 @@ static void process_lingering_close(even
+     apr_thread_mutex_unlock(timeout_mutex);
+     TO_QUEUE_ELEM_INIT(cs);
+ 
+-    apr_pool_clear(cs->p);
+     ap_push_pool(worker_queue_info, cs->p);
+ }
+ 
+@@ -1697,7 +1689,6 @@ static void * APR_THREAD_FUNC listener_t
+                             ap_log_error(APLOG_MARK, APLOG_CRIT, rc,
+                                          ap_server_conf,
+                                          "ap_queue_push failed");
+-                            apr_pool_clear(ptrans);
+                             ap_push_pool(worker_queue_info, ptrans);
+                         }
+                         else {
+@@ -1705,7 +1696,6 @@ static void * APR_THREAD_FUNC listener_t
+                         }
+                     }
+                     else {
+-                        apr_pool_clear(ptrans);
+                         ap_push_pool(worker_queue_info, ptrans);
+                     }
+                 }
+--- apache2.orig/server/mpm/event/fdqueue.c
++++ apache2/server/mpm/event/fdqueue.c
+@@ -231,6 +231,7 @@ void ap_push_pool(fd_queue_info_t * queu
+         apr_atomic_inc32(&queue_info->recycled_pools_count);
+     }
+ 
++    apr_pool_clear(pool_to_recycle);
+     new_recycle = (struct recycled_pool *) apr_palloc(pool_to_recycle,
+                                                       sizeof (*new_recycle));
+     new_recycle->pool = pool_to_recycle;
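Review bot: The explicit `apr_bucket_alloc_destroy(cs->bucket_alloc)` dropped from the process_socket failure path is not replaced anywhere in this hunk, so teardown of the bucket allocator when ap_run_create_connection fails now rests entirely on the pool clear that ap_push_pool performs — which is only right if the allocator was created from `p` and so registered its cleanup on that pool, something this hunk does not show. The contract of ap_push_pool also changes: the clear now happens inside it, so a caller must not touch `cs` or anything else allocated from the pool once it has called ap_push_pool; presumably `cs` itself lives in `cs->p`, which is why each removed `apr_pool_clear(cs->p)` followed by `cs->p` was the use-after-free. I would record that in fdqueue.c directly above the new clear: `/* Clears the pool: everything the caller allocated from it (including its conn state) is gone after this call. */`. Every touched function begins outside its hunk, and ap_push_pool's opening lines are not visible here.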
diff --git a/debian/patches/series b/debian/patches/series
index 4e784fe..434fcee 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ pull_upstream_2.4.x_branch.patch
 # This patch is applied manually
 #suexec-custom.patch
 CVE-2014-3583_mod_proxy_fcgi.diff
+mpm_event_use_after_free.diff
