apr-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 63271] New: APR corrupts memory and closes random handles when a lock is released twice
Date Tue, 19 Mar 2019 11:05:34 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=63271

            Bug ID: 63271
           Summary: APR corrupts memory and closes random handles when a
                    lock is released twice
           Product: APR
           Version: 1.6.3
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: APR
          Assignee: bugs@apr.apache.org
          Reporter: msc@contact.de
  Target Milestone: ---

Created attachment 36490
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36490&action=edit
Patch for the issue

The locking code on Windows does not properly handle the case where a lock gets
released twice (which is a usage bug, but shouldn't corrupt memory).

The issue is a bad interaction between apr_thread_mutex_create(), which does
not initialize (*mutex)->handle in some cases when using a CriticalSection,

        IF_WIN_OS_IS_UNICODE {
            /* only section and type are set; (*mutex)->handle is left as-is */
            InitializeCriticalSection(&(*mutex)->section);
            (*mutex)->type = thread_mutex_critical_section;
        }

and the thread_mutex_cleanup() code, which cannot be called twice without harm.

static apr_status_t thread_mutex_cleanup(void *data)
{
    apr_thread_mutex_t *lock = data;

    if (lock->type == thread_mutex_critical_section) {
        /* 1st call: type no longer matches on the next call */
        lock->type = -1;
        DeleteCriticalSection(&lock->section);
    }
    else {
        /* 2nd call on a critical-section lock lands here with a handle
           that was never initialized */
        if (!CloseHandle(lock->handle)) {
            return apr_get_os_error();
        }
    }
    return APR_SUCCESS;
}

If lock->type is thread_mutex_critical_section, lock->type changes to -1 after
the 1st call, and the 2nd call will call CloseHandle() on uninitialized memory.
This has a high chance of catching a valid handle and closing it behind the back
of the real owner, leading to various crashes and weirdness, including failing
CreateProcess calls, httpd with mod_cache enabled restarting because a wait
Event handle gets closed randomly, etc. The chance is high even on 64-bit, as
handles are truncated to 32-bit to have easier WoW64 support.

(see for example
https://bz.apache.org/bugzilla/show_bug.cgi?id=59798
and https://bz.apache.org/bugzilla/show_bug.cgi?id=41847 )

See attached patch for a fix.

-- 
You are receiving this mail because:
You are the assignee for the bug.
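The failure mode the report describes, as an added portable model (this is not APR's code and not the attached patch): a toy handle table stands in for the Win32 kernel handle table, `toy_mutex_t` mirrors the `type`/`handle`/`section` layout of apr_thread_mutex_t, and `fake_close_handle` plays CloseHandle. The names `toy_*`, `fake_*`, `buggy_*`, `fixed_*` and the status codes are hypothetical. The buggy pair reproduces the report's sequence: create leaves `handle` untouched, the first cleanup sets `type = -1`, and the second cleanup closes whatever stale value sits in `handle`, here a bystander's event handle. The hardened pair shows the two properties a practitioner would want from a fix: every field is initialised at create time, and cleanup is rejected once the lock is already destroyed instead of reinterpreting the struct.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins (not APR or Win32): a 32-bit handle, a tiny
 * process handle table, and CloseHandle-like helpers. */
typedef unsigned int HANDLE_T;
#define MAX_HANDLES 8
static int handle_table[MAX_HANDLES];         /* 1 = open, 0 = closed/unused */

static HANDLE_T fake_create_event(void)       /* first free slot, 0 = failure */
{
    int i;
    for (i = 0; i < MAX_HANDLES; i++)
        if (!handle_table[i]) { handle_table[i] = 1; return (HANDLE_T)(i + 1); }
    return 0;
}

static int fake_close_handle(HANDLE_T h)      /* like CloseHandle: nonzero on success */
{
    if (h == 0 || h > MAX_HANDLES || !handle_table[h - 1]) return 0;
    handle_table[h - 1] = 0;
    return 1;
}

static int fake_handle_is_open(HANDLE_T h)
{
    return h != 0 && h <= MAX_HANDLES && handle_table[h - 1];
}

enum { TOY_SUCCESS = 0, TOY_EBADHANDLE = 9, TOY_EINVAL = 22 };
enum { MUTEX_CRITICAL_SECTION = 1, MUTEX_HANDLE = 2 };

typedef struct {
    int type;          /* discriminator, mirrors lock->type */
    HANDLE_T handle;   /* only meaningful when type == MUTEX_HANDLE */
    int section;       /* CRITICAL_SECTION stand-in: 1 = initialised */
} toy_mutex_t;

/* Buggy path as in the report: the critical-section branch never writes handle. */
static void buggy_create(toy_mutex_t *m)
{
    m->section = 1;
    m->type = MUTEX_CRITICAL_SECTION;
}

static int buggy_cleanup(toy_mutex_t *m)
{
    if (m->type == MUTEX_CRITICAL_SECTION) {
        m->type = -1;                         /* 2nd call no longer matches... */
        m->section = 0;
    } else if (!fake_close_handle(m->handle)) { /* ...and closes a stale handle */
        return TOY_EBADHANDLE;
    }
    return TOY_SUCCESS;
}

/* Hardened variant (illustration only): all fields initialised, handle
 * invalidated after close, and a second cleanup refused with an error. */
static void fixed_create(toy_mutex_t *m)
{
    memset(m, 0, sizeof *m);                  /* handle = 0 = invalid */
    m->section = 1;
    m->type = MUTEX_CRITICAL_SECTION;
}

static int fixed_cleanup(toy_mutex_t *m)
{
    if (m->type == MUTEX_CRITICAL_SECTION) {
        m->section = 0;
    } else if (m->type == MUTEX_HANDLE) {
        if (!fake_close_handle(m->handle)) return TOY_EBADHANDLE;
        m->handle = 0;
    } else {
        return TOY_EINVAL;                    /* already destroyed */
    }
    m->type = -1;                             /* destroyed, whichever kind it was */
    return TOY_SUCCESS;
}

/* Destroy a lock twice over memory that still holds a bystander's handle.
 * Returns 1 if the bystander's handle survived, 0 if it was closed behind
 * its owner's back; *status receives the 2nd cleanup's return value. */
static int play(int use_fixed, int *status)
{
    toy_mutex_t m;
    HANDLE_T bystander;
    memset(handle_table, 0, sizeof handle_table);
    bystander = fake_create_event();          /* e.g. someone's wait event */
    /* Constructed stale heap contents: the block that becomes the mutex
     * previously held the bystander's handle at the handle offset. */
    m.type = 0; m.section = 0; m.handle = bystander;
    if (use_fixed) { fixed_create(&m); fixed_cleanup(&m); *status = fixed_cleanup(&m); }
    else           { buggy_create(&m); buggy_cleanup(&m); *status = buggy_cleanup(&m); }
    return fake_handle_is_open(bystander);
}

int bystander_survives(int use_fixed)   { int s; return play(use_fixed, &s); }
int second_cleanup_status(int use_fixed){ int s; play(use_fixed, &s); return s; }

int main(void)
{
    printf("buggy: bystander open=%d status=%d\n", bystander_survives(0), second_cleanup_status(0));
    printf("fixed: bystander open=%d status=%d\n", bystander_survives(1), second_cleanup_status(1));
    return 0;
}
```

In the buggy run the second cleanup reports success while having closed a handle it never owned, which is exactly why the symptom shows up far from the faulty call site; the hardened run leaves the bystander open and returns an error for the double destroy, so the usage bug becomes visible instead of corrupting state.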