From 65718cf0f5980f1e5e2e9a2335a0cfb599b30cda Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 11 Jan 2012 14:33:47 +0000
Subject: [PATCH] SECURITY (CVE-2012-0031): Fix possible crash on shutdown if a child changes the sb_type field in the scoreboard. Since unprivileged children should not be able to affect the parent in this way, this is treated as a Low severity security issue. Thanks to "halfdog" for reporting this issue.
* include/scoreboard.h (global_score): Remove sb_type field.
* include/ap_mmn.h: Bump MMN for above.
* server/scoreboard.c (ap_cleanup_scoreboard, ap_create_scoreboard): Use a static global to store store the scoreboard type.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1230065 13f79535-47bb-0310-9956-ffa450edef68
---
 include/ap_mmn.h | 3 ++-
 include/scoreboard.h | 1 -
 server/scoreboard.c | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 110a235a1ad..2f9e6bb0a69 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -384,12 +384,13 @@
 * ap_proxy_table_unmerge(), proxy_lb_workers.
 * 20111203.1 (2.5.0-dev) Add ap_list_provider_groups()
 * 20120109.0 (2.5.0-dev) Changes sizeof(overrides_t) in core config.
+ * 20120111.0 (2.5.0-dev) Remove sb_type from global_score.
 */
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20120109
+#define MODULE_MAGIC_NUMBER_MAJOR 20120111
 #endif
 #define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
diff --git a/include/scoreboard.h b/include/scoreboard.h
index 8165d57ed3e..31450056474 100644
--- a/include/scoreboard.h
+++ b/include/scoreboard.h
@@ -120,7 +120,6 @@ struct worker_score {
 typedef struct {
 int server_limit;
 int thread_limit;
- ap_scoreboard_e sb_type;
 ap_generation_t running_generation; /* the generation of children which
 * should still be serving requests.
 */
diff --git a/server/scoreboard.c b/server/scoreboard.c
index 72aa0704505..42019955c08 100644
--- a/server/scoreboard.c
+++ b/server/scoreboard.c
@@ -42,6 +42,7 @@ AP_DECLARE_DATA scoreboard *ap_scoreboard_image = NULL;
 AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL;
+static ap_scoreboard_e scoreboard_type;
 const char * ap_set_scoreboard(cmd_parms *cmd, void *dummy, const char *arg)
@@ -276,7 +277,7 @@ apr_status_t ap_cleanup_scoreboard(void *d)
 if (ap_scoreboard_image == NULL) {
 return APR_SUCCESS;
 }
- if (ap_scoreboard_image->global->sb_type == SB_SHARED) {
+ if (scoreboard_type == SB_SHARED) {
 ap_cleanup_shared_mem(NULL);
 }
 else {
@@ -329,7 +330,7 @@ int ap_create_scoreboard(apr_pool_t *p, ap_scoreboard_e sb_type)
 ap_init_scoreboard(sb_mem);
 }
- ap_scoreboard_image->global->sb_type = sb_type;
+ scoreboard_type = sb_type;
 ap_scoreboard_image->global->running_generation = 0;
 ap_scoreboard_image->global->restart_time = apr_time_now();
-- 
2.47.2
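Review bot: The new `static ap_scoreboard_e scoreboard_type;` in the first scoreboard.c hunk has no comment, although keeping it outside the scoreboard is the entire fix. I would add above it: `/* Deliberately kept in the parent's private memory: children can write to the scoreboard, so the cleanup mode must not be read back from it (CVE-2012-0031). */`. Without that, a later refactor could move the field back into `global_score` and reintroduce the crash the commit message describes.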
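Review bot: The two stores after `scoreboard_type = sb_type;` in the last hunk still place parent state (`running_generation`, `restart_time`) in `global`, and the scoreboard.h context lines show `server_limit` and `thread_limit` staying in that struct as well. Presumably these fields are as writable by children as `sb_type` was. If the parent reads any of them back to size a loop or make a shutdown decision (not visible in these hunks), that read needs a parent-private copy or a bounds check against the configured limits. A short comment on `global_score` stating that the parent must treat its contents as untrusted would record that rule. `ap_create_scoreboard` begins and ends outside the hunk.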