[syslog-ng]Security: syslog-ng 1.4.x and 1.5.x is vulnerable to buffer overflow

William Yodlowsky wyodlows@andromeda.rutgers.edu
Fri, 04 Oct 2002 00:24:49 -0400 

William Yodlowsky <wyodlows@andromeda.rutgers.edu> wrote:

> Balazs Scheidler <bazsi@balabit.hu> wrote:
>
> [snip]
>
> > Everybody is urged to upgrade to 1.4.16 or 1.5.21, these are available at
> > the usual place, http://www.balabit.hu/en/downloads/syslog-ng/downloads/
>
> I am having difficulties on Solaris 2.6 and 8 building 1.5.21.
> syslog-ng seems to need to link with libresolv, although it's not picked
> up.  Linking it by hand gets the compile finished, but then it segfaults 
> after a few seconds with:
>
> poll(0xFFBEFC70, 2, 600000)     (sleeping...)
> signotifywait()                 (sleeping...)
> door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
> lwp_cond_wait(0xFF0D5550, 0xFF0D5560, 0xFF0CEDB8) (sleeping...)
> door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
> poll(0xFFBEFC70, 2, 600000)                     = 1
> accept(2, 0xFFBEFB00, 0xFFBEFAFC, 1)            = 4
> fcntl(4, F_GETFL, 0xFFFFFFFF)                   = 130
> fstat64(4, 0xFFBEF7C8)                          = 0
> getsockopt(4, 65535, 8192, 0xFFBEF8C8, 0xFFBEF8C0, 0) = 0
> fstat64(4, 0xFFBEF7C8)                          = 0
> getsockopt(4, 65535, 8192, 0xFFBEF8C8, 0xFFBEF8C4, 0) = 0
> setsockopt(4, 65535, 8192, 0xFFBEF8C8, 4, 0)    = 0
> fcntl(4, F_SETFL, 0x00000082)                   = 0
> fcntl(4, F_SETFD, 0x00000001)                   = 0
> time()                                          = 1033145607
> poll(0xFFBEFC68, 3, 100)                        = 1
> read(4, " < 1 8 3 > S e p   2 7  ".., 2049)     = 2049
>     Incurred fault #6, FLTBOUNDS  %pc = 0xFF141AD8
>       siginfo: SIGSEGV SEGV_MAPERR addr=0x3804A888
>     Received signal #11, SIGSEGV [default]
>       siginfo: SIGSEGV SEGV_MAPERR addr=0x3804A888
>         *** process killed ***
>
> Any ideas?  Thanks in advance.

Here's a trace... This version was compiled without the res_init() call,
and without -lresolv.

# gdb ./syslog-ng
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) set args -F -C /common/logs -u logs -g logs
(gdb) run
Starting program: ./syslog-ng -F -C /common/logs -u logs -g logs
[New LWP 1]
[New LWP 2]
[New LWP 3]
[New LWP 4]
[New LWP 5]

Program received signal SIGSEGV, Segmentation fault.
0xff141f74 in realfree () from /usr/lib/libc.so.1
(gdb) bt                                                                                                                             
#0  0xff141f74 in realfree () from /usr/lib/libc.so.1
#1  0xff142880 in cleanfree () from /usr/lib/libc.so.1
#2  0xff1419b4 in _malloc_unlocked () from /usr/lib/libc.so.1
#3  0xff1418a8 in malloc () from /usr/lib/libc.so.1
#4  0x2abf8 in xalloc ()
#5  0x2adc0 in ol_space_alloc ()
#6  0x199c0 in make_log_info ()
#7  0x1628c in do_handle_line ()
#8  0x16750 in do_read_line ()
#9  0x28e9c in read_callback ()
#10 0x28b78 in io_iter ()
#11 0x1548c in main_loop ()
#12 0x1607c in main ()
(gdb) The program is running.  Exit anyway? (y or n) y
#

If there's a way I can help in debugging this further, please let me
know.  I refrain from posting my config file because it's quite large
(over 100 lines).

Thanks.