[apache2] 03/04: mpm_event: Fix crashes due to various race conditions

Stefan Fritsch sf at moszumanska.debian.org
Sat Aug 8 20:10:44 UTC 2015


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch jessie
in repository apache2.

commit f13b98375423693d2526c6ee1f40e1bcbe70a216
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Tue Mar 31 22:23:24 2015 +0200

    mpm_event: Fix crashes due to various race conditions
    
    PR 57268
    debian #779078
---
 debian/changelog                    |   1 +
 debian/patches/mpm_event_crash.diff | 138 ++++++++++++++++++++++++++++++++++++
 debian/patches/series               |   1 +
 3 files changed, 140 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 55828a1..5bd0a21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ apache2 (2.4.10-10+deb8u2) UNRELEASED; urgency=medium
   * core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts.
     This could cause all kinds of strange behavior. PR 56008. PR 57328
   * mpm_event: Fix process deadlock when shutting down a worker. PR 56960
+  * mpm_event: Fix crashes due to various race conditions. Closes: #779078
 
  -- Stefan Fritsch <sf at debian.org>  Sat, 08 Aug 2015 22:02:39 +0200
 
diff --git a/debian/patches/mpm_event_crash.diff b/debian/patches/mpm_event_crash.diff
new file mode 100644
index 0000000..e6224c8
--- /dev/null
+++ b/debian/patches/mpm_event_crash.diff
@@ -0,0 +1,138 @@
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779078
+#
+# https://bz.apache.org/bugzilla/show_bug.cgi?id=57268
+#
+# https://svn.apache.org/r1642858
+# https://svn.apache.org/r1645936
+# https://svn.apache.org/r1651656
+# https://svn.apache.org/r1664365
+#
+# Fix mpm_event crashes due to various race conditions
+#
+--- apache2.orig/server/mpm/event/event.c
++++ apache2/server/mpm/event/event.c
+@@ -767,7 +767,21 @@ static void set_signals(void)
+ #endif
+ }
+ 
+-static int start_lingering_close_common(event_conn_state_t *cs)
++static void notify_suspend(event_conn_state_t *cs)
++{
++    ap_run_suspend_connection(cs->c, cs->r);
++    cs->suspended = 1;
++    cs->c->sbh = NULL;
++}
++
++static void notify_resume(event_conn_state_t *cs, ap_sb_handle_t *sbh)
++{
++    cs->c->sbh = sbh;
++    cs->suspended = 0;
++    ap_run_resume_connection(cs->c, cs->r);
++}
++
++static int start_lingering_close_common(event_conn_state_t *cs, int in_worker)
+ {
+     apr_status_t rv;
+     struct timeout_queue *q;
+@@ -798,8 +812,13 @@ static int start_lingering_close_common(
+         cs->pub.state = CONN_STATE_LINGER_NORMAL;
+     }
+     apr_atomic_inc32(&lingering_count);
++    if (in_worker) { 
++        notify_suspend(cs);
++    }
++    else {
++        cs->c->sbh = NULL;
++    }
+     apr_thread_mutex_lock(timeout_mutex);
+-    cs->c->sbh = NULL;
+     TO_QUEUE_APPEND(*q, cs);
+     cs->pfd.reqevents = (
+             cs->pub.sense == CONN_SENSE_WANT_WRITE ? APR_POLLOUT :
+@@ -831,10 +850,11 @@ static int start_lingering_close_common(
+ static int start_lingering_close_blocking(event_conn_state_t *cs)
+ {
+     if (ap_start_lingering_close(cs->c)) {
++        notify_suspend(cs);
+         ap_push_pool(worker_queue_info, cs->p);
+         return 0;
+     }
+-    return start_lingering_close_common(cs);
++    return start_lingering_close_common(cs, 1);
+ }
+ 
+ /*
+@@ -858,7 +878,7 @@ static int start_lingering_close_nonbloc
+         ap_push_pool(worker_queue_info, cs->p);
+         return 0;
+     }
+-    return start_lingering_close_common(cs);
++    return start_lingering_close_common(cs, 0);
+ }
+ 
+ /*
+@@ -882,18 +902,6 @@ static int stop_lingering_close(event_co
+     return 0;
+ }
+ 
+-static void notify_suspend(event_conn_state_t *cs)
+-{
+-    ap_run_suspend_connection(cs->c, cs->r);
+-    cs->suspended = 1;
+-}
+-
+-static void notify_resume(event_conn_state_t *cs)
+-{
+-    cs->suspended = 0;
+-    ap_run_resume_connection(cs->c, cs->r);
+-}
+-
+ /*
+  * This runs before any non-MPM cleanup code on the connection;
+  * if the connection is currently suspended as far as modules
+@@ -904,7 +912,7 @@ static apr_status_t ptrans_pre_cleanup(v
+     event_conn_state_t *cs = dummy;
+ 
+     if (cs->suspended) {
+-        notify_resume(cs);
++        notify_resume(cs, NULL);
+     }
+     return APR_SUCCESS;
+ }
+@@ -1003,9 +1011,10 @@ static void process_socket(apr_thread_t
+     }
+     else {
+         c = cs->c;
+-        c->sbh = sbh;
+-        notify_resume(cs);
++        notify_resume(cs, sbh);
+         c->current_thread = thd;
++        /* Subsequent request on a conn, and thread number is part of ID */
++        c->id = conn_id;
+     }
+ 
+     if (c->clogging_input_filters && !c->aborted) {
+@@ -1083,7 +1092,6 @@ read_request:
+ 
+     if (cs->pub.state == CONN_STATE_LINGER) {
+         start_lingering_close_blocking(cs);
+-        notify_suspend(cs);
+     }
+     else if (cs->pub.state == CONN_STATE_CHECK_REQUEST_LINE_READABLE) {
+         /* It greatly simplifies the logic to use a single timeout value here
+@@ -1096,7 +1104,6 @@ read_request:
+          */
+         cs->expiration_time = ap_server_conf->keep_alive_timeout +
+                               apr_time_now();
+-        c->sbh = NULL;
+         notify_suspend(cs);
+         apr_thread_mutex_lock(timeout_mutex);
+         TO_QUEUE_APPEND(keepalive_q, cs);
+@@ -1114,7 +1121,6 @@ read_request:
+     }
+     else if (cs->pub.state == CONN_STATE_SUSPENDED) {
+         apr_atomic_inc32(&suspended_count);
+-        c->sbh = NULL;
+         notify_suspend(cs);
+     }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 61ff040..9cd9251 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@ CVE-2015-3183-chunk-header-parsing.diff
 CVE-2015-3185-ap_some_auth_required.diff
 define_restarts.diff
 mpm_event_graceful_restart_deadlock.diff
+mpm_event_crash.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git



More information about the Pkg-apache-commits mailing list