fix accidental coredump
zjd
zjd5536 at 163.com
Wed Sep 28 02:56:15 UTC 2022
My module works like this:
The pool is created with ngx_create_pool in module_init_process; I get memory from the pool at the start of each request, and then use ngx_reset_pool at the end of each request.
ngx_reset_pool returns each alloc pointer in pool->large to the pool, and each alloc pointer is a wild pointer.
And when memory is taken from the pool again in the next request or the next next request..., I may get a wild pointer address and access inaccessible addresses, and then it coredumps.
Maybe the description in the last mail was too simple.
At 2022-09-28 04:51:55, "Maxim Dounin" <mdounin at mdounin.ru> wrote:
>Hello!
>
>On Tue, Sep 27, 2022 at 03:25:18PM +0800, zjd wrote:
>
>> # HG changeset patch
>> # User Zhang Jinde <zjd5536 at 163.com>
>> # Date 1664261587 -28800
>> # Tue Sep 27 14:53:07 2022 +0800
>> # Node ID 226a75a3703db612ed13d4357ac1b71faef6974a
>> # Parent ba5cf8f73a2d0a3615565bf9545f3d65216a0530
>> Core: fix ngx_reset_pool wild pointer's coredump
>>
>> When frequently using ngx_reset_pool and using memory from the same pool in a worker, an accidental coredump sometimes happens.
>>
>> diff -r ba5cf8f73a2d -r 226a75a3703d src/core/ngx_palloc.c
>> --- a/src/core/ngx_palloc.c Thu Sep 08 13:53:49 2022 +0400
>> +++ b/src/core/ngx_palloc.c Tue Sep 27 14:53:07 2022 +0800
>> @@ -105,6 +105,7 @@
>> for (l = pool->large; l; l = l->next) {
>> if (l->alloc) {
>> ngx_free(l->alloc);
>> + l->alloc = NULL;
>> }
>> }
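Review bot: the added `l->alloc = NULL;` in the `pool->large` loop only clears the pool's own list entry, so a pointer the caller kept from before the reset still refers to freed memory; the commit message should name the code path that reads `l->alloc` after `ngx_free(l->alloc)`. The hunk's context ends at the loop, so it is not visible whether the list head is kept after the reset; if `pool->large` is dropped afterwards, this store is never read and the patch changes nothing. A short reproducer in the description would make the case for the change.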
>
>Could you please clarify what you are trying to fix here?
>
>From the description it looks like your module tries to use memory
>already freed by ngx_reset_pool(). If that's the case, the
>coredumps you are observing aren't accidental, but rather an expected
>result of the use-after-free bug in your module.
>
>--
>Maxim Dounin
>http://mdounin.ru/
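An added illustration of the use-after-free described in the reply above, not code from the thread or from nginx: a toy pool shows that clearing the pool's own pointer on reset does not clear a copy cached by a module, and that the module can refuse to reuse it. All names here (toy_pool_t, mod_ctx_t, get_buf, the generation counter) are assumptions made for the example.

```c
#include <stdlib.h>
#define TOY_SLOTS 4
/* Toy stand-in for a pool's large allocations (assumption, not nginx source). */
typedef struct { void *large[TOY_SLOTS]; unsigned generation; } toy_pool_t;
/* Hypothetical module state that outlives a request and caches a pool pointer. */
typedef struct { toy_pool_t *pool; char *buf; unsigned buf_gen; } mod_ctx_t;

static void *toy_palloc_large(toy_pool_t *pool, size_t size) {
    for (int i = 0; i < TOY_SLOTS; i++)
        if (pool->large[i] == NULL)
            return pool->large[i] = calloc(1, size);
    return NULL;                          /* toy pool is full */
}

/* Reset frees every block; NULLing the slot clears only the pool's own copy. */
static void toy_reset_pool(toy_pool_t *pool) {
    for (int i = 0; i < TOY_SLOTS; i++) {
        free(pool->large[i]);
        pool->large[i] = NULL;
    }
    pool->generation++;                   /* lets callers detect the reset */
}

/* 1 when ctx->buf predates the pool's latest reset and must not be used. */
static int buf_is_stale(const mod_ctx_t *ctx) {
    return ctx->buf_gen != ctx->pool->generation;
}
/* Module-side fix: re-allocate after a reset instead of reusing ctx->buf. */
static char *get_buf(mod_ctx_t *ctx, size_t size) {
    if (buf_is_stale(ctx)) {
        ctx->buf = toy_palloc_large(ctx->pool, size);
        ctx->buf_gen = ctx->buf ? ctx->pool->generation : 0;
    }
    return ctx->buf;
}

/* Constructed two-request scenario; returns 7 when all three checks hold. */
static int demo(void) {
    toy_pool_t pool = { { NULL }, 1 };
    mod_ctx_t ctx = { &pool, NULL, 0 };
    int r = 0;
    if (get_buf(&ctx, 64) == NULL) return -1;     /* request 1 allocates */
    toy_reset_pool(&pool);                        /* end of request 1 */
    if (pool.large[0] == NULL) r |= 1;            /* pool's copy was cleared */
    if (buf_is_stale(&ctx)) r |= 2;               /* module's copy is flagged */
    if (get_buf(&ctx, 64) != NULL && !buf_is_stale(&ctx)) r |= 4; /* request 2 */
    toy_reset_pool(&pool);
    return r;
}
int main(void) { return demo() == 7 ? 0 : 1; }
```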