[nginx] Fixed use-after-free on exit with error logging rate lim...

[Maxim Dounin]

details:   http://freenginx.org/hg/nginx/rev/2a0e8ad40bba
branches:  
changeset: 9388:2a0e8ad40bba
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Thu Jul 03 10:04:12 2025 +0300
description:
Fixed use-after-free on exit with error logging rate limiting.

Error logging rate limiting as introduced in 9299:2706b60dc225 (1.27.2)
wasn't disabled for exit-time logging, and the log->limit structure
for the default file log, which is allocated from the cycle pool,
was accessed during logging after the cycle pool was destroyed.

Notably, this resulted in segmentation faults on worker process exit
on Alpine Linux.

Fix is to explicitly clear ngx_exit_log.limit for exit-time logging.

diffstat:

 src/os/unix/ngx_process_cycle.c |  2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diffs (19 lines):

diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -684,6 +684,7 @@ ngx_master_process_exit(ngx_cycle_t *cyc
     ngx_exit_log.file = &ngx_exit_log_file;
     ngx_exit_log.next = NULL;
     ngx_exit_log.writer = NULL;
+    ngx_exit_log.limit = NULL;
 
     ngx_exit_cycle.log = &ngx_exit_log;
     ngx_exit_cycle.files = ngx_cycle->files;
@@ -984,6 +985,7 @@ ngx_worker_process_exit(ngx_cycle_t *cyc
     ngx_exit_log.file = &ngx_exit_log_file;
     ngx_exit_log.next = NULL;
     ngx_exit_log.writer = NULL;
+    ngx_exit_log.limit = NULL;
 
     ngx_exit_cycle.log = &ngx_exit_log;
     ngx_exit_cycle.files = ngx_cycle->files;