Hi everybody,

While investigating persistent segmentation faults in mod_dav_svn, I found
invalid uses of object pools in subversion/libsvn_repos/authz.c.

In svn_repos_authz_initialize() the object pools passed in during the
configuration phase are stored in static variables.
For some reason the configuration phase runs multiple times, and the previously
used object pools are freed.

Because cached references to these freed object pools are still used inside
authz.c, accesses to that memory will read invalid data from other parts of
Apache, leading to segmentation faults.

Maybe the issue shows up especially on Alpine Linux because it uses musl
libc, whose own memory allocator may behave differently from glibc and
reuse freed memory more directly.

I was able to work around the issue by removing the caching logic in
svn_repos_authz_initialize() and always calling synchronized_authz_initialize().

Thanks,
Thomas


Also reported before at
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10116


Environment:
  SVN: 1.14.1
  Apache: 2.4.51
  APR: 1.7.0


Reproduction steps:

Save the two files "Dockerfile" and "svn.conf" from below in a directory.
Execute from that directory:

$ docker build -t svn-repro .
$ docker run --rm -ti -p 8080:80 --name svn-repro svn-repro

Execute from another terminal:

$ curl localhost:8080/foo

The running container should have stopped with a segmentation fault.


Reproduction files:

```Dockerfile
FROM alpine:3.14
USER root

RUN apk --no-cache add \
         apache2 apache2-webdav mod_dav_svn subversion

COPY svn.conf /etc/apache2/conf.d/svn.conf
RUN mkdir -p /srv/svn/repositories
RUN echo -e "[/]\n* = r" | tee /srv/svn/acl
RUN svnadmin create /srv/svn/repositories/foo

EXPOSE 80
CMD ["/usr/sbin/httpd", "-X"]
```

```svn.conf
LoadModule dav_svn_module /usr/lib/apache2/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/mod_authz_svn.so

LogLevel trace6
CoreDumpDirectory /tmp/
MaxRequestWorkers 1

<Location />
        DAV svn
        SVNParentPath /srv/svn/repositories

        AuthzSVNAccessFile /srv/svn/acl
</Location>
```
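
The dangling-pool pattern from the report, reduced to a stand-alone C model (an added example, not Subversion or APR code): a minimal pool with one cleanup callback stands in for an APR pool, authz_init() mimics the cached initialization in svn_repos_authz_initialize(), and run_config_phases() plays two configuration phases with the first pool destroyed in between. The mitigation shown, registering a pool cleanup that clears the static cache so the next phase re-initializes, is this example's own and not something the report proposes; all function and variable names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal pool with one cleanup callback; stands in for an APR pool. */
typedef struct pool pool_t;
struct pool { void (*cleanup)(pool_t *); };   /* run on destroy, may be NULL */

static pool_t *pool_create(void) { return calloc(1, sizeof(pool_t)); }
static void pool_destroy(pool_t *p) {
    if (p->cleanup) p->cleanup(p);   /* cleanups run before the memory goes */
    free(p);
}

/* Static cache, modelled on the statics in svn_repos_authz_initialize(). */
static pool_t *cached_pool = NULL;
static int init_count = 0;

static void reset_cache(pool_t *p) { if (cached_pool == p) cached_pool = NULL; }

/* First call caches the pool; later calls reuse the cache even after that pool
 * was destroyed. With with_cleanup set, destroying the cached pool clears the
 * cache, so the next configuration phase re-initializes on its live pool. */
static pool_t *authz_init(pool_t *pool, int with_cleanup) {
    if (cached_pool == NULL) {
        cached_pool = pool;
        init_count++;
        if (with_cleanup) pool->cleanup = reset_cache;
    }
    return cached_pool;
}

/* Two configuration phases with separate pools, the first destroyed between
 * them. Returns how often authz_init() really initialized: 1 means phase 2
 * keeps using the freed phase-1 pool, 2 means it re-initialized correctly. */
static int run_config_phases(int with_cleanup) {
    cached_pool = NULL; init_count = 0;   /* fresh process */
    pool_t *phase1 = pool_create();
    authz_init(phase1, with_cleanup);
    pool_destroy(phase1);                 /* end of phase 1 frees its pool */
    pool_t *phase2 = pool_create();
    authz_init(phase2, with_cleanup);     /* stale cache is never dereferenced */
    pool_destroy(phase2);
    return init_count;
}

int main(void) {
    printf("without cleanup: %d init(s), with cleanup: %d init(s)\n",
           run_config_phases(0), run_config_phases(1));
    return 0;
}
```

The real code would also have to reset every other static derived from the pool (caches, mutexes), not just the pool pointer, in the same cleanup.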
