backport upstreams to fix memory leak and possible segfault
parent
f8e01b410f
commit
4dadea2da7
@ -0,0 +1,54 @@
|
|||||||
|
From 284a0c73771e3a2c57af6e74d96d9a6878b2e7b4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Maxim Dounin <mdounin@mdounin.ru>
|
||||||
|
Date: Tue, 17 Oct 2023 02:39:38 +0300
|
||||||
|
Subject: [PATCH] Core: fixed memory leak on configuration reload with PCRE2.
|
||||||
|
|
||||||
|
In ngx_regex_cleanup() allocator wasn't configured when calling
|
||||||
|
pcre2_compile_context_free() and pcre2_match_data_free(), resulting
|
||||||
|
in no ngx_free() call and leaked memory. Fix is ensure that allocator
|
||||||
|
is configured for global allocations, so that ngx_free() is actually
|
||||||
|
called to free memory.
|
||||||
|
|
||||||
|
Additionally, ngx_regex_compile_context was cleared in
|
||||||
|
ngx_regex_module_init(). It should be either not cleared, so it will
|
||||||
|
be freed by ngx_regex_cleanup(), or properly freed. Fix is to
|
||||||
|
not clear it, so ngx_regex_cleanup() will be able to free it.
|
||||||
|
|
||||||
|
Reported by ZhenZhong Wu,
|
||||||
|
https://mailman.nginx.org/pipermail/nginx-devel/2023-September/3Z5FIKUDRN2WBSL3JWTZJ7SXDA6YIWPB.html
|
||||||
|
---
|
||||||
|
src/core/ngx_regex.c | 7 ++++---
|
||||||
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/core/ngx_regex.c b/src/core/ngx_regex.c
|
||||||
|
index 91381f49942..5b13c5db389 100644
|
||||||
|
--- a/src/core/ngx_regex.c
|
||||||
|
+++ b/src/core/ngx_regex.c
|
||||||
|
@@ -600,6 +600,8 @@ ngx_regex_cleanup(void *data)
|
||||||
|
* the new cycle, these will be re-allocated.
|
||||||
|
*/
|
||||||
|
|
||||||
|
+ ngx_regex_malloc_init(NULL);
|
||||||
|
+
|
||||||
|
if (ngx_regex_compile_context) {
|
||||||
|
pcre2_compile_context_free(ngx_regex_compile_context);
|
||||||
|
ngx_regex_compile_context = NULL;
|
||||||
|
@@ -611,6 +613,8 @@ ngx_regex_cleanup(void *data)
|
||||||
|
ngx_regex_match_data_size = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ ngx_regex_malloc_done();
|
||||||
|
+
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -706,9 +710,6 @@ ngx_regex_module_init(ngx_cycle_t *cycle)
|
||||||
|
ngx_regex_malloc_done();
|
||||||
|
|
||||||
|
ngx_regex_studies = NULL;
|
||||||
|
-#if (NGX_PCRE2)
|
||||||
|
- ngx_regex_compile_context = NULL;
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
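Review bot: The `ngx_regex_malloc_init(NULL)` / `ngx_regex_malloc_done()` pair added around the frees in ngx_regex_cleanup() has no comment saying what the NULL argument selects, although that is the whole fix. Per the patch description, the PCRE2 free calls reach ngx_free() only when the allocator is configured for global allocations, so a later edit that drops or moves the pair would silently bring the reload leak back. Consider extending the existing comment with something like `/* configure the allocator for global (non-pool) allocations; otherwise the PCRE2 *_free() calls below never reach ngx_free() */`. The body of ngx_regex_cleanup() starts outside the hunk, so it cannot be confirmed from here that both calls sit inside the same `#if (NGX_PCRE2)` region.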
@ -0,0 +1,34 @@
|
|||||||
|
From 25c546ac37ba622b93c1a7075bd7eb447bac17b2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Maxim Dounin <mdounin@mdounin.ru>
|
||||||
|
Date: Tue, 18 Apr 2023 06:28:46 +0300
|
||||||
|
Subject: [PATCH] Fixed segfault if regex studies list allocation fails.
|
||||||
|
|
||||||
|
The rcf->studies list is unconditionally accessed by ngx_regex_cleanup(),
|
||||||
|
and this used to cause NULL pointer dereference if allocation
|
||||||
|
failed. Fix is to set cleanup handler only when allocation succeeds.
|
||||||
|
---
|
||||||
|
src/core/ngx_regex.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/core/ngx_regex.c b/src/core/ngx_regex.c
|
||||||
|
index bebf3b6a83e..91381f49942 100644
|
||||||
|
--- a/src/core/ngx_regex.c
|
||||||
|
+++ b/src/core/ngx_regex.c
|
||||||
|
@@ -732,14 +732,14 @@ ngx_regex_create_conf(ngx_cycle_t *cycle)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- cln->handler = ngx_regex_cleanup;
|
||||||
|
- cln->data = rcf;
|
||||||
|
-
|
||||||
|
rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t));
|
||||||
|
if (rcf->studies == NULL) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ cln->handler = ngx_regex_cleanup;
|
||||||
|
+ cln->data = rcf;
|
||||||
|
+
|
||||||
|
ngx_regex_studies = rcf->studies;
|
||||||
|
|
||||||
|
return rcf;
|
||||||
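Review bot: After this reorder, the `return NULL` taken when `ngx_list_create()` fails leaves the `cln` entry registered with no handler assigned, and nothing in the hunk shows that pool teardown skips such an entry. The fix is only safe if a cleanup entry is created with a NULL handler and teardown checks the handler before calling it; that is presumably the case but should be confirmed against the pool code. A short comment at the new position would record the ordering constraint, e.g. `/* set the handler only once rcf->studies exists: ngx_regex_cleanup() accesses it unconditionally */`. ngx_regex_create_conf() begins before the hunk, so the `cln` allocation itself is not visible here.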
@ -17,7 +17,7 @@
|
|||||||
Name: nginx
|
Name: nginx
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 1.24.0
|
Version: 1.24.0
|
||||||
Release: 4
|
Release: 5
|
||||||
Summary: A HTTP server, reverse proxy and mail proxy server
|
Summary: A HTTP server, reverse proxy and mail proxy server
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: http://nginx.org/
|
URL: http://nginx.org/
|
||||||
@ -43,6 +43,8 @@ Patch3: backport-CVE-2023-44487.patch
|
|||||||
# https://nginx.org/download/patch.2024.mp4.txt
|
# https://nginx.org/download/patch.2024.mp4.txt
|
||||||
Patch4: backport-CVE-2024-7347.patch
|
Patch4: backport-CVE-2024-7347.patch
|
||||||
Patch5: backport-CVE-2025-23419.patch
|
Patch5: backport-CVE-2025-23419.patch
|
||||||
|
Patch6: backport-Fixed-segfault-if-regex-studies-list-allocation-fails.patch
|
||||||
|
Patch7: backport-Core-fixed-memory-leak-on-configuration-reload-with-PCRE2.patch
|
||||||
|
|
||||||
BuildRequires: gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
|
BuildRequires: gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
|
||||||
Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl
|
Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl
|
||||||
@ -390,6 +392,9 @@ fi
|
|||||||
%{_mandir}/man8/nginx.8*
|
%{_mandir}/man8/nginx.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Apr 02 2025 gaihuiying <eaglegai@163.com> - 1:1.24.0-5
|
||||||
|
- backport upstreams to fix memory leak and possible segfault
|
||||||
|
|
||||||
* Thu Feb 06 2025 gaihuiying <eaglegai@163.com> - 1:1.24.0-4
|
* Thu Feb 06 2025 gaihuiying <eaglegai@163.com> - 1:1.24.0-4
|
||||||
- fix CVE-2025-23419
|
- fix CVE-2025-23419
|
||||||
|
|
||||||
|
|||||||
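Review bot: Patch6 and Patch7 are added without the kind of source comment that Patch4 has (`# https://nginx.org/download/patch.2024.mp4.txt`), and the changelog line does not say which upstream changes were taken. For auditability, add a comment above each, e.g. `# upstream commit 25c546ac37ba622b93c1a7075bd7eb447bac17b2` for Patch6 and `# upstream commit 284a0c73771e3a2c57af6e74d96d9a6878b2e7b4` for Patch7. The order also matters: Patch7's pre-image blob `91381f49942` is the post-image of Patch6, so Patch6 must apply first, which the numbering does. The %prep section is outside these hunks, so confirm that the new patches are actually applied there if it lists patches explicitly.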