[apache2] 02/05: mpm_event: fix use after free
Stefan Fritsch
sf at moszumanska.debian.org
Tue Nov 18 14:31:05 UTC 2014
sf pushed a commit to branch master
in repository apache2.
commit 962db6cad5211cab44291f6acc896ad4e00aa716
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Tue Nov 18 14:45:25 2014 +0100
mpm_event: fix use after free
---
debian/changelog | 1 +
debian/patches/mpm_event_use_after_free.diff | 89 ++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 91 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index c3ec3fd..0bcd831 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ apache2 (2.4.10-8) UNRELEASED; urgency=medium
* mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
though it does not seem to be exploitable.
+ * mpm_event: Fix use-after-free that may lead to a server crash.
-- Stefan Fritsch <sf at debian.org> Mon, 17 Nov 2014 00:38:07 +0100
diff --git a/debian/patches/mpm_event_use_after_free.diff b/debian/patches/mpm_event_use_after_free.diff
new file mode 100644
index 0000000..aca9b8f
--- /dev/null
+++ b/debian/patches/mpm_event_use_after_free.diff
@@ -0,0 +1,89 @@
+# Avoid using *cs after it is freed
+#
+# http://svn.apache.org/r1638879
+# http://svn.apache.org/r1640031
+--- apache2.orig/server/mpm/event/event.c
++++ apache2/server/mpm/event/event.c
+@@ -814,7 +814,6 @@ static int start_lingering_close_common(
+ TO_QUEUE_REMOVE(*q, cs);
+ apr_thread_mutex_unlock(timeout_mutex);
+ apr_socket_close(cs->pfd.desc.s);
+- apr_pool_clear(cs->p);
+ ap_push_pool(worker_queue_info, cs->p);
+ return 0;
+ }
+@@ -832,7 +831,6 @@ static int start_lingering_close_common(
+ static int start_lingering_close_blocking(event_conn_state_t *cs)
+ {
+ if (ap_start_lingering_close(cs->c)) {
+- apr_pool_clear(cs->p);
+ ap_push_pool(worker_queue_info, cs->p);
+ return 0;
+ }
+@@ -857,7 +855,6 @@ static int start_lingering_close_nonbloc
+ if (c->aborted
+ || apr_socket_shutdown(csd, APR_SHUTDOWN_WRITE) != APR_SUCCESS) {
+ apr_socket_close(csd);
+- apr_pool_clear(cs->p);
+ ap_push_pool(worker_queue_info, cs->p);
+ return 0;
+ }
+@@ -881,7 +878,6 @@ static int stop_lingering_close(event_co
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf, APLOGNO(00468) "error closing socket");
+ AP_DEBUG_ASSERT(0);
+ }
+- apr_pool_clear(cs->p);
+ ap_push_pool(worker_queue_info, cs->p);
+ return 0;
+ }
+@@ -959,8 +955,6 @@ static void process_socket(apr_thread_t
+ c = ap_run_create_connection(p, ap_server_conf, sock,
+ conn_id, sbh, cs->bucket_alloc);
+ if (!c) {
+- apr_bucket_alloc_destroy(cs->bucket_alloc);
+- apr_pool_clear(p);
+ ap_push_pool(worker_queue_info, p);
+ return;
+ }
+@@ -1239,7 +1233,6 @@ static apr_status_t push2worker(const ap
+ apr_socket_close(cs->pfd.desc.s);
+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc,
+ ap_server_conf, APLOGNO(00471) "push2worker: ap_queue_push failed");
+- apr_pool_clear(cs->p);
+ ap_push_pool(worker_queue_info, cs->p);
+ }
+
+@@ -1376,7 +1369,6 @@ static void process_lingering_close(even
+ apr_thread_mutex_unlock(timeout_mutex);
+ TO_QUEUE_ELEM_INIT(cs);
+
+- apr_pool_clear(cs->p);
+ ap_push_pool(worker_queue_info, cs->p);
+ }
+
+@@ -1697,7 +1689,6 @@ static void * APR_THREAD_FUNC listener_t
+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc,
+ ap_server_conf,
+ "ap_queue_push failed");
+- apr_pool_clear(ptrans);
+ ap_push_pool(worker_queue_info, ptrans);
+ }
+ else {
+@@ -1705,7 +1696,6 @@ static void * APR_THREAD_FUNC listener_t
+ }
+ }
+ else {
+- apr_pool_clear(ptrans);
+ ap_push_pool(worker_queue_info, ptrans);
+ }
+ }
+--- apache2.orig/server/mpm/event/fdqueue.c
++++ apache2/server/mpm/event/fdqueue.c
+@@ -231,6 +231,7 @@ void ap_push_pool(fd_queue_info_t * queu
+ apr_atomic_inc32(&queue_info->recycled_pools_count);
+ }
+
++ apr_pool_clear(pool_to_recycle);
+ new_recycle = (struct recycled_pool *) apr_palloc(pool_to_recycle,
+ sizeof (*new_recycle));
+ new_recycle->pool = pool_to_recycle;
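Review bot: The contract of ap_push_pool() changes in the fdqueue.c hunk — it now calls apr_pool_clear() on the pool before recycling it — but nothing in the patch documents that, so a future caller may again clear the pool (and with it the event_conn_state_t allocated from it) before passing cs->p, recreating exactly the use-after-free this patch removes. The function's declaration is outside this hunk; I would add a comment on it, e.g. `/* Recycles pool_to_recycle: the pool is cleared here, so the caller must not touch the pool or anything allocated from it (such as the cs it was reached through) after this call. */`. In the process_socket hunk the explicit apr_bucket_alloc_destroy(cs->bucket_alloc) is dropped rather than moved; presumably the allocator is created from p and torn down by a pool cleanup when ap_push_pool clears it, but that is not visible here and is worth confirming and stating in the patch header alongside the upstream revision links.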
diff --git a/debian/patches/series b/debian/patches/series
index 4e784fe..434fcee 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ pull_upstream_2.4.x_branch.patch
# This patch is applied manually
#suexec-custom.patch
CVE-2014-3583_mod_proxy_fcgi.diff
+mpm_event_use_after_free.diff