From: Joe Orton Date: Wed, 11 Jan 2012 14:45:02 +0000 (+0000) Subject: Merge r1230065 from trunk (adapted to avoid MMN change): X-Git-Tag: 2.4.0~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2e60f7e7ca865b4b5b088831a1ac31480f38f344;p=apache Merge r1230065 from trunk (adapted to avoid MMN change): SECURITY (CVE-2012-0031): Fix possible crash on shutdown if a child changes the sb_type field in the scoreboard. Since unprivileged children should not be able to affect the parent in this way, this is treated as a Low severity security issue. Thanks to "halfdog" for reporting this issue. * server/scoreboard.c (ap_cleanup_scoreboard, ap_create_scoreboard): Use a static global to store an authoritative copy of the scoreboard type. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1230069 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1acf70e267..7a975e68d6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.0 + *) SECURITY (CVE-2012-0031): Fix scoreboard issue which could allow + an unprivileged child process could cause the parent to crash at + shutdown rather than terminate cleanly. [Joe Orton] + *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch] *) mod_log_config: Fix segfault when trying to log a nameless, valueless diff --git a/server/scoreboard.c b/server/scoreboard.c index 72aa070450..b3d553f437 100644 --- a/server/scoreboard.c +++ b/server/scoreboard.c @@ -42,6 +42,7 @@ AP_DECLARE_DATA scoreboard *ap_scoreboard_image = NULL; AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL; +static ap_scoreboard_e scoreboard_type; const char * ap_set_scoreboard(cmd_parms *cmd, void *dummy, const char *arg) 
@@ -276,7 +277,7 @@ apr_status_t ap_cleanup_scoreboard(void *d) if (ap_scoreboard_image == NULL) { return APR_SUCCESS; } - if (ap_scoreboard_image->global->sb_type == SB_SHARED) { + if (scoreboard_type == SB_SHARED) { ap_cleanup_shared_mem(NULL); } else { @@ -329,7 +330,7 @@ int ap_create_scoreboard(apr_pool_t *p, ap_scoreboard_e sb_type) ap_init_scoreboard(sb_mem); } - ap_scoreboard_image->global->sb_type = sb_type; + ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type; ap_scoreboard_image->global->running_generation = 0; ap_scoreboard_image->global->restart_time = apr_time_now();
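Review bot: the new CHANGES entry in the `@@ -1,6 +1,10 @@` hunk has a doubled verb: "which could allow an unprivileged child process could cause the parent to crash". Reword it to "which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly" so the advisory text reads correctly wherever it is copied.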
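Review bot: the added `static ap_scoreboard_e scoreboard_type;` in the `@@ -42,6 +42,7 @@` hunk of server/scoreboard.c carries no comment, although it is the whole fix. Add a comment above it saying that it is the process-private, authoritative copy of the scoreboard type, and that `global->sb_type` must not be trusted because, per the commit message, a child can change that field in the scoreboard.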
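Review bot: in the `@@ -276,7 +277,7 @@` hunk, `ap_cleanup_scoreboard` is still gated on `ap_scoreboard_image == NULL` but now branches on `scoreboard_type`, and nothing visible ties the two together. If the image pointer is ever non-NULL in a process where `ap_create_scoreboard` has not assigned the static, the branch is taken on the variable's implicit zero value. State the invariant in a comment here, or give the static an explicit initial value so that case is defined on purpose.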
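Review bot: the chained assignment `ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type;` in the `@@ -329,7 +330,7 @@` hunk buries the security-relevant write in a one-liner. Split it into two statements, private copy first, and note in a comment that the shared field is kept only for compatibility (the commit message says the change was adapted to avoid an MMN change) and is not read back by the parent. It is also worth confirming that no other parent-side code still reads `global->sb_type`, since the patch only changes the reader in `ap_cleanup_scoreboard`.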