
[PATCH] Fix possible crash in svn_fs_fs__lock() / svn_fs_fs__unlock()

From: Sergey Raevskiy <sergey.raevskiy_at_visualsvn.com>
Date: Wed, 4 Feb 2015 22:12:58 +0300

Hi!

Recently I've discovered a possible crash in the FSFS locking code. If, for some
reason, the 'write-lock' cannot be obtained for a lock/unlock operation, FSFS
will SEGFAULT.

This happens because the lb.infos field is initialized only in the function
lock_body() (see the code below). So, if svn_fs_fs__with_write_lock() fails
without actually invoking lock_body(), lb.infos will be left uninitialized.

[[[
svn_error_t *
svn_fs_fs__lock(svn_fs_t *fs,

  ...

  struct lock_baton lb;

  ...

  lb.fs = fs;
  lb.targets = sorted_targets;
  lb.comment = comment;
  lb.is_dav_comment = is_dav_comment;
  lb.expiration_date = expiration_date;
  lb.steal_lock = steal_lock;
  lb.result_pool = result_pool;

  err = svn_fs_fs__with_write_lock(fs, lock_body, &lb, scratch_pool);
  for (i = 0; i < lb.infos->nelts; ++i)
    {

  ...
]]]

The same thing with svn_fs_fs__unlock().

I've attached a patch with a crashing test and a simple fix for this issue.

Log message:
[[[
Fix possible crash in svn_fs_fs__lock() / svn_fs_fs__unlock().

* subversion/subversion/tests/libsvn_fs/locks-test.c
  (obtain_write_lock_failure_test): New; test for the issue.

* subversion/subversion/libsvn_fs_fs/lock.c
  (lock_body,
   svn_fs_fs__lock): Initialize the lb.infos field before calling to
                     svn_fs_fs__with_write_lock().
  (unlock_body,
   svn_fs_fs__unlock): Same.

Patch by: Sergey Raevskiy <sergey.raevskiy{_AT_}visualsvn.com>
]]]

Received on 2015-02-04 20:13:28 CET

This is an archived mail posted to the Subversion Dev mailing list.
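
A minimal C model of the pattern described in the message, added here as an illustration and not taken from the Subversion source or the attached patch: the baton's result array is set up before the lock wrapper is called, so the loop after the call is safe even when the callback never runs. The simplified types and the names `info_array`, `lock_available` and `lock_paths` are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for the FSFS types; all names here are hypothetical. */
typedef struct { int *items; size_t nelts; } info_array;

struct lock_baton {
    size_t ntargets;
    info_array *infos;   /* per-target results, read by the caller afterwards */
};

typedef int (*body_fn)(void *baton);

/* Models svn_fs_fs__with_write_lock(): if the write lock cannot be taken,
   return an error WITHOUT ever invoking the body callback. */
static int with_write_lock(int lock_available, body_fn body, void *baton)
{
    if (!lock_available)
        return -1;
    return body(baton);
}

/* The body only records results; it does not create lb->infos. */
static int lock_body(void *baton)
{
    struct lock_baton *lb = baton;
    for (size_t i = 0; i < lb->ntargets; ++i)
        lb->infos->items[lb->infos->nelts++] = (int)i;
    return 0;
}

/* Returns how many per-target results were processed; lock error in *err. */
static size_t lock_paths(int lock_available, size_t ntargets, int *err)
{
    struct lock_baton lb;
    info_array infos = { NULL, 0 };
    size_t processed = 0;

    infos.items = calloc(ntargets ? ntargets : 1, sizeof *infos.items);
    if (infos.items == NULL) { *err = -2; return 0; }
    lb.ntargets = ntargets;
    lb.infos = &infos;   /* initialized BEFORE the lock attempt */

    *err = with_write_lock(lock_available, lock_body, &lb);
    for (size_t i = 0; i < lb.infos->nelts; ++i)   /* valid on both paths */
        ++processed;
    free(infos.items);
    return processed;
}
```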
