
Re: heap-use-after-free in object_ref_cleanup

From: Orivej Desh <orivej_at_gmx.fr>
Date: Mon, 29 May 2017 03:45:10 +0000

* Stefan Fuhrmann <stefan2_at_apache.org> [2017-05-28]
> The callstacks suggest that this is a pool cleanup race.
> Please try the attached patch and report the results.

Thanks! With this patch subversion from trunk no longer crashes, and
subversion 1.9.5 does not crash with an empty config, and crashes
differently with a config containing `authz-db'.

(Please CC me in response.)

==909821==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000002540 at pc 0x0000009b6109 bp 0x7ffd4d8df8d0 sp 0x7ffd4d8df8c8
READ of size 8 at 0x606000002540 thread T0
    #0 0x9b6108 in object_ref_cleanup //subversion/subversion/libsvn_subr/object_pool.c:148:45
    #1 0x63d760 in run_cleanups //apr/memory/unix/apr_pools.c:2629:9
    #2 0x639245 in pool_clear_debug //apr/memory/unix/apr_pools.c:1820:5
    #3 0x6397f8 in pool_destroy_debug //apr/memory/unix/apr_pools.c:1915:5
    #4 0x6392ec in pool_clear_debug //apr/memory/unix/apr_pools.c:1827:9
    #5 0x6397f8 in pool_destroy_debug //apr/memory/unix/apr_pools.c:1915:5
    #6 0x63893d in apr_pool_destroy_debug //apr/memory/unix/apr_pools.c:1957:5
    #7 0x63d4fe in apr_pool_destroy //apr/memory/unix/apr_pools.c:2887:5
    #8 0x5bfba5 in main //subversion/subversion/svnserve/svnserve.c:1368:3
    #9 0x7ff6e517082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x4f1b08 in _start (/home/orivej/bin/svnserve1+0x4f1b08)

0x606000002540 is located 0 bytes inside of 56-byte region [0x606000002540,0x606000002578)
freed by thread T0 here:
    #0 0x58ffdb in free //compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x6396bc in pool_clear_debug //apr/memory/unix/apr_pools.c:1853:13
    #2 0x6397f8 in pool_destroy_debug //apr/memory/unix/apr_pools.c:1915:5
    #3 0x6392ec in pool_clear_debug //apr/memory/unix/apr_pools.c:1827:9
    #4 0x6397f8 in pool_destroy_debug //apr/memory/unix/apr_pools.c:1915:5
    #5 0x63893d in apr_pool_destroy_debug //apr/memory/unix/apr_pools.c:1957:5
    #6 0x63d4fe in apr_pool_destroy //apr/memory/unix/apr_pools.c:2887:5
    #7 0x5bfba5 in main //subversion/subversion/svnserve/svnserve.c:1368:3
    #8 0x7ff6e517082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x59032c in malloc //compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x638a6b in pool_alloc //apr/memory/unix/apr_pools.c:1740:16
    #2 0x638979 in apr_palloc_debug //apr/memory/unix/apr_pools.c:1781:11
    #3 0x63d476 in apr_palloc //apr/memory/unix/apr_pools.c:2863:12
    #4 0x9b5aeb in insert //subversion/subversion/libsvn_subr/object_pool.c:263:20
    #5 0x9b57a9 in svn_object_pool__insert //subversion/subversion/libsvn_subr/object_pool.c:393:3
    #6 0x946edb in auto_parse //subversion/subversion/libsvn_repos/config_pool.c:230:3
    #7 0x9451d1 in svn_repos__config_pool_get //subversion/subversion/libsvn_repos/config_pool.c:523:17
    #8 0x94ffde in svn_repos__authz_pool_get //subversion/subversion/libsvn_repos/authz_pool.c:159:3
    #9 0x5eac98 in load_authz_config //subversion/subversion/svnserve/serve.c:322:15
    #10 0x5e8c6d in find_repos //subversion/subversion/svnserve/serve.c:3551:3
    #11 0x5c6bd2 in construct_server_baton //subversion/subversion/svnserve/serve.c:3878:29
    #12 0x5c7e93 in serve //subversion/subversion/svnserve/serve.c:4076:3
    #13 0x5c254b in sub_main //subversion/subversion/svnserve/svnserve.c:1045:13
    #14 0x5bfaad in main //subversion/subversion/svnserve/svnserve.c:1347:9
    #15 0x7ff6e517082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Received on 2017-05-29 05:45:26 CEST
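A triage helper for the report above, added here as an illustration and not part of the original mail or of Subversion: it splits an ASan heap-use-after-free report into its access, free and allocation stacks, picks the first frame in the project's own sources for each, and lists the frames the use and the free have in common. The embedded REPORT is an excerpt of the trace in this mail; a shared apr_pool_destroy ancestor means the read and the free both happened inside one pool teardown, which is what a cleanup-ordering bug looks like, as opposed to a stray pointer from elsewhere.

```python
import re
from itertools import takewhile

FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")

def parse_uaf_report(report):
    """Split a use-after-free report into access/free/alloc stacks of (function, location), innermost first."""
    stacks, current = {"access": [], "free": [], "alloc": []}, None
    for line in report.splitlines():
        if line.startswith(("READ of size", "WRITE of size")):
            current = "access"
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif current and (m := FRAME.match(line)):
            stacks[current].append((m.group(1), m.group(2)))
    return stacks

def first_frame_under(stack, prefix):
    """First frame in the project's own sources (skips allocator, sanitizer and APR frames)."""
    return next((f for f in stack if f[1].startswith(prefix)), None)

def shared_ancestry(a, b):
    """Frames common to both stacks, outermost first, up to the first divergence."""
    pairs = zip(reversed(a), reversed(b))
    return [fa for fa, fb in takewhile(lambda p: p[0] == p[1], pairs)]

def triage(report, project="//subversion/"):
    s = parse_uaf_report(report)
    return {"use": first_frame_under(s["access"], project),
            "free": first_frame_under(s["free"], project),
            "alloc": first_frame_under(s["alloc"], project),
            "shared": shared_ancestry(s["access"], s["free"])}

# Excerpt of the report above; libc/_start frames and some APR frames are dropped for brevity.
REPORT = """\
READ of size 8 at 0x606000002540 thread T0
    #0 0x9b6108 in object_ref_cleanup //subversion/subversion/libsvn_subr/object_pool.c:148:45
    #1 0x63d760 in run_cleanups //apr/memory/unix/apr_pools.c:2629:9
    #7 0x63d4fe in apr_pool_destroy //apr/memory/unix/apr_pools.c:2887:5
    #8 0x5bfba5 in main //subversion/subversion/svnserve/svnserve.c:1368:3
freed by thread T0 here:
    #0 0x58ffdb in free //compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x6396bc in pool_clear_debug //apr/memory/unix/apr_pools.c:1853:13
    #6 0x63d4fe in apr_pool_destroy //apr/memory/unix/apr_pools.c:2887:5
    #7 0x5bfba5 in main //subversion/subversion/svnserve/svnserve.c:1368:3
previously allocated by thread T0 here:
    #3 0x63d476 in apr_palloc //apr/memory/unix/apr_pools.c:2863:12
    #4 0x9b5aeb in insert //subversion/subversion/libsvn_subr/object_pool.c:263:20
"""
```

Run `triage(REPORT)` to get the three in-project sites (object_ref_cleanup, main at svnserve.c:1368, insert) and the shared `main -> apr_pool_destroy` ancestry of the use and the free.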

This is an archived mail posted to the Subversion Dev mailing list.