My module works like this: the pool is created with ngx_create_pool in module_init_process; I get memory from the pool at the start of each request, and then use ngx_reset_pool at the end of each request. ngx_reset_pool takes each alloc pointer in pool->large and returns it to the pool, and each alloc pointer is a wild pointer. And when another allocation gets memory from the pool in the next request or the one after that..., I may get a wild pointer address and access inaccessible addresses, and then coredump.
Maybe the description was simple in the last mail.

At 2022-09-28 04:51:55, "Maxim Dounin" <mdou...@mdounin.ru> wrote:
>Hello!
>
>On Tue, Sep 27, 2022 at 03:25:18PM +0800, zjd wrote:
>
>> # HG changeset patch
>> # User Zhang Jinde <zjd5...@163.com>
>> # Date 1664261587 -28800
>> # Tue Sep 27 14:53:07 2022 +0800
>> # Node ID 226a75a3703db612ed13d4357ac1b71faef6974a
>> # Parent ba5cf8f73a2d0a3615565bf9545f3d65216a0530
>> Core: fix ngx_reset_pool wild pointer's coredump
>>
>> When frequently use ngx_reset_pool and use memory to the same pool in a
>> worker, it happens to accidental coredump sometimes.
>>
>> diff -r ba5cf8f73a2d -r 226a75a3703d src/core/ngx_palloc.c >> --- a/src/core/ngx_palloc.c Thu Sep 08 13:53:49 2022 +0400 >> +++ b/src/core/ngx_palloc.c Tue Sep 27 14:53:07 2022 +0800 >> @@ -105,6 +105,7 @@ >> for (l = pool->large; l; l = l->next) { >> if (l->alloc) { >> ngx_free(l->alloc); >> + l->alloc = NULL; >> } >> }
>
>Could you please clarify what you are trying to fix here?
>
>From the description it looks like your module tries to use memory
>already freed by ngx_reset_pool(). If that's the case, the
>coredumps you are observing aren't accidental, but rather an expected
>result of the use-after-free bug in your module.
>
>--
>Maxim Dounin
>http://mdounin.ru/
>_______________________________________________
>nginx mailing list -- nginx@nginx.org
>To unsubscribe send an email to nginx-le...@nginx.org
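Review bot: The added `l->alloc = NULL;` inside the `if (l->alloc)` block only clears the pool's own list entry after `ngx_free(l->alloc)`; it does not change any copy of that pointer held by the caller, so code that keeps using memory obtained before the reset still touches freed memory. The commit message does not say which code reads `l->alloc` after this loop; if there is such a path, name it in the description, otherwise the fix belongs in the module, which should drop its pointers when it resets the pool.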
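The lifetime rule discussed in this thread, as an added example that is not part of the original mails and is not nginx code: a toy resettable pool whose reset frees its large blocks, with a generation-stamped handle so that a pointer kept across a reset is refused instead of dereferenced. The names `pool_t`, `pool_ref_t`, `pool_alloc`, `pool_reset` and `pool_deref` are hypothetical, and the generation counter is an illustrative mitigation, not something ngx_palloc.c provides.

```c
#include <stdlib.h>

/* Toy resettable pool, a stand-in for illustration only (NOT ngx_pool_t). */
typedef struct large_s { struct large_s *next; void *alloc; } large_t;
typedef struct { large_t *large; unsigned gen; } pool_t;

/* Hypothetical handle: the pointer plus the pool generation it came from. */
typedef struct { void *ptr; unsigned gen; } pool_ref_t;

static pool_ref_t pool_alloc(pool_t *p, size_t n) {
    pool_ref_t r = { NULL, p->gen };
    large_t *l = malloc(sizeof(*l));
    if (l == NULL) return r;
    l->alloc = malloc(n);
    if (l->alloc == NULL) { free(l); return r; }
    l->next = p->large;
    p->large = l;
    r.ptr = l->alloc;
    return r;
}

/* Free every large block, drop the list, and invalidate all old handles. */
static void pool_reset(pool_t *p) {
    large_t *l, *next;
    for (l = p->large; l; l = next) {
        next = l->next;
        free(l->alloc);
        free(l);
    }
    p->large = NULL;
    p->gen++;
}

/* Usable pointer only if the handle was issued since the last reset. */
static void *pool_deref(const pool_t *p, const pool_ref_t *r) {
    return (r->gen == p->gen) ? r->ptr : NULL;
}

/* Constructed two-request run: returns 1 if the stale handle is refused. */
static int demo(void) {
    pool_t pool = { NULL, 0 };
    pool_ref_t req1 = pool_alloc(&pool, 8192);       /* request 1 */
    int ok = pool_deref(&pool, &req1) != NULL;
    pool_reset(&pool);                               /* end of request 1 */
    ok = ok && pool_deref(&pool, &req1) == NULL;     /* kept by mistake */
    pool_ref_t req2 = pool_alloc(&pool, 8192);       /* request 2 */
    ok = ok && pool_deref(&pool, &req2) != NULL;
    pool_reset(&pool);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```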