[PATCH] Fixed use-after-free on exit with error logging rate limiting
Maxim Dounin
mdounin at mdounin.ru
Thu Jul 3 17:34:06 UTC 2025
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1751526252 -10800
# Thu Jul 03 10:04:12 2025 +0300
# Node ID 2a0e8ad40bbae617e6339627dcbe3895c93bcf45
# Parent a1dd1c5d8e862723fd4850464da851228ff9d95c
Fixed use-after-free on exit with error logging rate limiting.
Error logging rate limiting as introduced in 9299:2706b60dc225 (1.27.2)
wasn't disabled for exit-time logging, and the log->limit structure
for the default file log, which is allocated from the cycle pool,
was accessed during logging after the cycle pool was destroyed.
Notably, this resulted in segmentation faults on worker process exit
on Alpine Linux.
Fix is to explicitly clear ngx_exit_log.limit for exit-time logging.
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -684,6 +684,7 @@ ngx_master_process_exit(ngx_cycle_t *cyc
ngx_exit_log.file = &ngx_exit_log_file;
ngx_exit_log.next = NULL;
ngx_exit_log.writer = NULL;
+ ngx_exit_log.limit = NULL;
ngx_exit_cycle.log = &ngx_exit_log;
ngx_exit_cycle.files = ngx_cycle->files;
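Review bot: The added `ngx_exit_log.limit = NULL;` in ngx_master_process_exit() has no comment saying why it is needed, and nothing in the surrounding lines makes the reason obvious. Going by the commit message, the limit structure lives in the cycle pool and is gone by the time exit-time logging runs, so a one-line comment above the assignment would keep a later cleanup from dropping it as redundant. The block now resets three pointers by hand (next, writer, limit), so any pointer field added to the log structure later needs the same treatment here. It is worth noting that in the comment too.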
@@ -984,6 +985,7 @@ ngx_worker_process_exit(ngx_cycle_t *cyc
ngx_exit_log.file = &ngx_exit_log_file;
ngx_exit_log.next = NULL;
ngx_exit_log.writer = NULL;
+ ngx_exit_log.limit = NULL;
ngx_exit_cycle.log = &ngx_exit_log;
ngx_exit_cycle.files = ngx_cycle->files;
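Review bot: The reset sequence in ngx_worker_process_exit() is line for line the same as the one in ngx_master_process_exit() (file, next, writer, and now limit), which is how a field gets fixed in one path and missed in the other. Consider moving the exit log setup into one small static helper called from both functions, so the next field that must be cleared is handled in a single place. The patch touches only src/os/unix/ngx_process_cycle.c. If any other process-cycle code builds ngx_exit_log the same way, it needs the same assignment. The commit message mentions segmentation faults on worker exit on Alpine Linux, but the patch carries no test. A run that exits a worker with error logging to the default file log under a memory checker would confirm the fix on both paths.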