h2_mplx.c contains a number of calls to ap_log_cerror that pass m->c
(the master connection) as an argument. These calls can trigger
allocations from m->c->pool; one example is core_generate_log_id. As
some of the code in h2_mplx.c is executed on a worker thread, it is
possible that the main thread performs a parallel allocation and
corrupts the pool (APR memory pools are not thread-safe).

Most of the logging calls use the DEBUG and TRACE levels and cannot be
exploited in a production environment. However, the task_done function
calls ap_log_cerror with APLOG_INFO when throttling tasks, which can be
triggered by a malicious client:
h2_mplx.c:809
    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, m->c,
                  H2_STRM_MSG(stream, "redo, added to q"));
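The unsafe pattern above is a worker thread allocating from a pool that
belongs to the master connection's thread. The following added example
(not httpd or APR code) models that with a toy arena allocator which
records its owning thread and counts allocation attempts from any other
thread; it compares a worker that logs through the shared master pool
with a worker that logs through its own pool. The detection and refusal
of foreign-thread use is the example's own instrumentation, similar in
spirit to the owner check in APR's pool debug build
(apr_pool_owner_set); a production pool without such a check would
simply race and corrupt its free lists.

```c
/* Added example: owner-tagged arena allocator that detects cross-thread use.
 * Not taken from httpd or APR; the pool, log stand-in and scenario are all
 * constructed for illustration. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    pthread_t owner;          /* the only thread allowed to allocate here */
    pthread_mutex_t lock;     /* guards just the violation counter */
    unsigned char *buf;
    size_t used, cap;
    int foreign_uses;         /* allocations attempted from another thread */
} pool_t;

static void pool_init(pool_t *p, size_t cap) {
    p->owner = pthread_self();
    pthread_mutex_init(&p->lock, NULL);
    p->buf = calloc(1, cap);  /* toy code: assume allocation succeeds */
    p->used = 0;
    p->cap = cap;
    p->foreign_uses = 0;
}

/* Bump allocation. A real pool would proceed from any thread and race;
 * this one records the violation and refuses so the outcome is deterministic. */
static void *pool_alloc(pool_t *p, size_t n) {
    if (!pthread_equal(pthread_self(), p->owner)) {
        pthread_mutex_lock(&p->lock);
        p->foreign_uses++;
        pthread_mutex_unlock(&p->lock);
        return NULL;
    }
    if (p->used + n > p->cap)
        return NULL;
    void *r = p->buf + p->used;
    p->used += n;
    return r;
}

static void pool_destroy(pool_t *p) {
    free(p->buf);
    pthread_mutex_destroy(&p->lock);
}

/* Stand-in for a log call that needs a pool allocation (e.g. a log id). */
static int log_with_pool(pool_t *p, const char *msg) {
    char *id = pool_alloc(p, 16);
    if (id == NULL)
        return -1;
    snprintf(id, 16, "%08lx", (unsigned long)strlen(msg));
    return 0;
}

struct worker_arg {
    pool_t *master;       /* pool owned by the thread that created it */
    int use_own_pool;     /* 1: log via a per-worker pool; 0: via master pool */
    int rc;
};

static void *worker(void *a) {
    struct worker_arg *w = a;
    if (w->use_own_pool) {
        pool_t own;
        pool_init(&own, 256);            /* owner is this worker thread */
        w->rc = log_with_pool(&own, "redo, added to q");
        pool_destroy(&own);
    } else {
        /* the pattern from the report: worker logs through the master's pool */
        w->rc = log_with_pool(w->master, "redo, added to q");
    }
    return NULL;
}

/* Runs one worker alongside the owning thread and returns how many
 * cross-thread uses of the master pool were detected. */
int run_scenario(int use_own_pool) {
    pool_t master;
    pool_init(&master, 256);
    struct worker_arg w = { &master, use_own_pool, 0 };
    pthread_t t;
    pthread_create(&t, NULL, worker, &w);
    pthread_join(t, NULL);
    log_with_pool(&master, "main thread log");  /* legitimate owner use */
    int violations = master.foreign_uses;
    pool_destroy(&master);
    return violations;
}

int main(void) {
    printf("worker logs via master pool: %d cross-thread use(s)\n", run_scenario(0));
    printf("worker logs via own pool:    %d cross-thread use(s)\n", run_scenario(1));
    return 0;
}
```

The shared-pool scenario reports one violation and the per-worker pool
scenario reports none, which is the property a reviewer would want from
any logging path reachable from a worker: every allocation it triggers
must come from a pool owned by that thread (or be serialised by a lock).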
This bug is subject to a 90 day disclosure deadline. After 90 days
elapse, the bug report will become visible to the public. The scheduled
disclosure date is 2020-09-14. Disclosure at an earlier date is also
possible if agreed upon by all parties.
Related CVE Numbers: CVE-2020-11993.
Found by:
Read more https://packetstormsecurity.com/files/160393/GS20201207144406.txt