httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jor...@apache.org
Subject svn commit: r1230065 - in /httpd/httpd/trunk: include/ap_mmn.h include/scoreboard.h server/scoreboard.c
Date Wed, 11 Jan 2012 14:33:47 GMT
Author: jorton
Date: Wed Jan 11 14:33:47 2012
New Revision: 1230065

URL: http://svn.apache.org/viewvc?rev=1230065&view=rev
Log:
SECURITY (CVE-2012-0031): Fix possible crash on shutdown if a child
changes the sb_type field in the scoreboard.  Since unprivileged
children should not be able to affect the parent in this way, this is
treated as a Low severity security issue.

Thanks to "halfdog" <me halfdog.net> for reporting this issue.

* include/scoreboard.h (global_score): Remove sb_type field.

* include/ap_mmn.h: Bump MMN for above.

* server/scoreboard.c (ap_cleanup_scoreboard, ap_create_scoreboard):
  Use a static global to store store the scoreboard type.

Modified:
    httpd/httpd/trunk/include/ap_mmn.h
    httpd/httpd/trunk/include/scoreboard.h
    httpd/httpd/trunk/server/scoreboard.c

Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1230065&r1=1230064&r2=1230065&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Wed Jan 11 14:33:47 2012
@@ -384,12 +384,13 @@
  *                         ap_proxy_table_unmerge(), proxy_lb_workers.
  * 20111203.1 (2.5.0-dev)  Add ap_list_provider_groups()
  * 20120109.0 (2.5.0-dev)  Changes sizeof(overrides_t) in core config.
+ * 20120111.0 (2.5.0-dev)  Remove sb_type from global_score.
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
 
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20120109
+#define MODULE_MAGIC_NUMBER_MAJOR 20120111
 #endif
 #define MODULE_MAGIC_NUMBER_MINOR 0                   /* 0...n */
 

Modified: httpd/httpd/trunk/include/scoreboard.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/scoreboard.h?rev=1230065&r1=1230064&r2=1230065&view=diff
==============================================================================
--- httpd/httpd/trunk/include/scoreboard.h (original)
+++ httpd/httpd/trunk/include/scoreboard.h Wed Jan 11 14:33:47 2012
@@ -120,7 +120,6 @@ struct worker_score {
 typedef struct {
     int             server_limit;
     int             thread_limit;
-    ap_scoreboard_e sb_type;
     ap_generation_t running_generation; /* the generation of children which
                                          * should still be serving requests.
                                          */

Modified: httpd/httpd/trunk/server/scoreboard.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/scoreboard.c?rev=1230065&r1=1230064&r2=1230065&view=diff
==============================================================================
--- httpd/httpd/trunk/server/scoreboard.c (original)
+++ httpd/httpd/trunk/server/scoreboard.c Wed Jan 11 14:33:47 2012
@@ -42,6 +42,7 @@
 
 AP_DECLARE_DATA scoreboard *ap_scoreboard_image = NULL;
 AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL;
+static ap_scoreboard_e scoreboard_type;
 
 const char * ap_set_scoreboard(cmd_parms *cmd, void *dummy,
                                const char *arg)
@@ -276,7 +277,7 @@ apr_status_t ap_cleanup_scoreboard(void 
     if (ap_scoreboard_image == NULL) {
         return APR_SUCCESS;
     }
-    if (ap_scoreboard_image->global->sb_type == SB_SHARED) {
+    if (scoreboard_type == SB_SHARED) {
         ap_cleanup_shared_mem(NULL);
     }
     else {
@@ -329,7 +330,7 @@ int ap_create_scoreboard(apr_pool_t *p, 
         ap_init_scoreboard(sb_mem);
     }
 
-    ap_scoreboard_image->global->sb_type = sb_type;
+    scoreboard_type = sb_type;
     ap_scoreboard_image->global->running_generation = 0;
     ap_scoreboard_image->global->restart_time = apr_time_now();
 



Mime
View raw message