[syslog-ng] Security: syslog-ng 1.4.x and 1.5.x are vulnerable to buffer overflow
Balazs Scheidler
bazsi@balabit.hu
Fri, 4 Oct 2002 11:42:00 +0200
On Fri, Oct 04, 2002 at 12:24:49AM -0400, William Yodlowsky wrote:
> William Yodlowsky <wyodlows@andromeda.rutgers.edu> wrote:
>
> > Balazs Scheidler <bazsi@balabit.hu> wrote:
> >
> > [snip]
> >
> > > Everybody is urged to upgrade to 1.4.16 or 1.5.21, these are available at
> > > the usual place, http://www.balabit.hu/en/downloads/syslog-ng/downloads/
> >
> > I am having difficulties on Solaris 2.6 and 8 building 1.5.21.
> > syslog-ng seems to need to link with libresolv, although it's not picked
> > up. Linking it by hand gets the compile finished, but then it segfaults
> > after a few seconds with:
> >
> > poll(0xFFBEFC70, 2, 600000) (sleeping...)
> > signotifywait() (sleeping...)
> > door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
> > lwp_cond_wait(0xFF0D5550, 0xFF0D5560, 0xFF0CEDB8) (sleeping...)
> > door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
> > poll(0xFFBEFC70, 2, 600000) = 1
> > accept(2, 0xFFBEFB00, 0xFFBEFAFC, 1) = 4
> > fcntl(4, F_GETFL, 0xFFFFFFFF) = 130
> > fstat64(4, 0xFFBEF7C8) = 0
> > getsockopt(4, 65535, 8192, 0xFFBEF8C8, 0xFFBEF8C0, 0) = 0
> > fstat64(4, 0xFFBEF7C8) = 0
> > getsockopt(4, 65535, 8192, 0xFFBEF8C8, 0xFFBEF8C4, 0) = 0
> > setsockopt(4, 65535, 8192, 0xFFBEF8C8, 4, 0) = 0
> > fcntl(4, F_SETFL, 0x00000082) = 0
> > fcntl(4, F_SETFD, 0x00000001) = 0
> > time() = 1033145607
> > poll(0xFFBEFC68, 3, 100) = 1
> > read(4, " < 1 8 3 > S e p 2 7 ".., 2049) = 2049
> > Incurred fault #6, FLTBOUNDS %pc = 0xFF141AD8
> > siginfo: SIGSEGV SEGV_MAPERR addr=0x3804A888
> > Received signal #11, SIGSEGV [default]
> > siginfo: SIGSEGV SEGV_MAPERR addr=0x3804A888
> > *** process killed ***
> >
> > Any ideas? Thanks in advance.
>
> Here's a trace... This version was compiled without the res_init() call,
> and without -lresolv.
>
> # gdb ./syslog-ng
> GNU gdb 5.0
> Copyright 2000 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "sparc-sun-solaris2.8"...
> (gdb) set args -F -C /common/logs -u logs -g logs
> (gdb) run
> Starting program: ./syslog-ng -F -C /common/logs -u logs -g logs
> [New LWP 1]
> [New LWP 2]
> [New LWP 3]
> [New LWP 4]
> [New LWP 5]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0xff141f74 in realfree () from /usr/lib/libc.so.1
> (gdb) bt
> #0 0xff141f74 in realfree () from /usr/lib/libc.so.1
> #1 0xff142880 in cleanfree () from /usr/lib/libc.so.1
> #2 0xff1419b4 in _malloc_unlocked () from /usr/lib/libc.so.1
> #3 0xff1418a8 in malloc () from /usr/lib/libc.so.1
> #4 0x2abf8 in xalloc ()
> #5 0x2adc0 in ol_space_alloc ()
> #6 0x199c0 in make_log_info ()
> #7 0x1628c in do_handle_line ()
> #8 0x16750 in do_read_line ()
> #9 0x28e9c in read_callback ()
> #10 0x28b78 in io_iter ()
> #11 0x1548c in main_loop ()
> #12 0x1607c in main ()
> (gdb) The program is running. Exit anyway? (y or n) y
> #
>
> If there's a way I can help in debugging this further, please let me
> know. I refrain from posting my config file because it's quite large
> (over 100 lines).
Hmm... I've started syslog-ng on a Solaris 8 system. It started and seems to
work. I tried to send log traffic to it, but at first I was unable to
reproduce the problem. (The system I run it on is a Sun Ultra II with two
300 MHz processors and 768 MB RAM.)
The fact that it segfaults in malloc() seems to indicate that there's a
problem in syslog-ng (double free, overwritten memory block chains or
something).
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
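An added example, not code from this thread or from syslog-ng, of the debugging aid one reaches for on the hypothesis above: a guarded allocator that places canary bytes ("redzones") around every block and checks them when the block is freed, so an overrun is reported at the copy that caused it instead of surfacing later as a crash inside libc's malloc()/free() bookkeeping, as in the backtrace. The 2048-byte buffer used in `demo_copy` is an assumption chosen to mirror the 2049-byte read in the truss output; the page itself does not state the buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not syslog-ng code. Guard bytes are placed before and after
 * every allocation; a write past the end of a heap buffer is detected when the
 * buffer is freed, rather than corrupting the allocator's own block chains and
 * crashing later in malloc(). */

#define REDZONE 16
#define CANARY  0xA5

struct guard_hdr {
    size_t size;                  /* usable bytes requested by the caller */
    size_t pad;                   /* keeps the user pointer 16-byte aligned */
    unsigned char front[REDZONE]; /* guard bytes just before the user data */
};

void *guarded_malloc(size_t size)
{
    unsigned char *raw = malloc(sizeof(struct guard_hdr) + size + REDZONE);
    if (raw == NULL)
        return NULL;
    struct guard_hdr *h = (struct guard_hdr *)raw;
    h->size = size;
    h->pad = 0;
    memset(h->front, CANARY, REDZONE);
    unsigned char *user = raw + sizeof(struct guard_hdr);
    memset(user + size, CANARY, REDZONE);   /* guard bytes after the data */
    return user;
}

/* Returns the number of guard bytes that no longer hold the canary value;
 * 0 means both redzones are intact. */
int guarded_check(const void *p)
{
    const unsigned char *user = p;
    const struct guard_hdr *h =
        (const struct guard_hdr *)(user - sizeof(struct guard_hdr));
    int corrupted = 0;
    for (int i = 0; i < REDZONE; i++) {
        if (h->front[i] != CANARY)
            corrupted++;
        if (user[h->size + i] != CANARY)
            corrupted++;
    }
    return corrupted;
}

/* Frees the block and reports how many guard bytes were overwritten. */
int guarded_free(void *p)
{
    int corrupted = guarded_check(p);
    free((unsigned char *)p - sizeof(struct guard_hdr));
    return corrupted;
}

/* Models the situation in the trace: a line of line_len bytes is copied into a
 * heap buffer of cap bytes (sizes are constructed inputs). The unbounded copy
 * writes past the buffer when line_len > cap; the overrun is confined to our
 * own redzone so the demo stays well defined. The bounded copy truncates to
 * cap-1 bytes plus a terminator. Returns the number of clobbered guard bytes,
 * or -1 if the requested overrun would leave the guarded allocation. */
int demo_copy(size_t cap, size_t line_len, int bounded)
{
    if (cap == 0 || line_len > cap + REDZONE)
        return -1;
    char *buf = guarded_malloc(cap);
    char *line = malloc(line_len);
    if (buf == NULL || line == NULL) {
        if (buf) guarded_free(buf);
        free(line);
        return -1;
    }
    memset(line, 'A', line_len);
    if (bounded) {
        size_t n = line_len < cap ? line_len : cap - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';
    } else {
        memcpy(buf, line, line_len);        /* no length check */
    }
    int corrupted = guarded_free(buf);      /* overrun reported here */
    free(line);
    return corrupted;
}

int main(void)
{
    printf("2048-byte buffer, 100-byte line, unbounded:  %d guard bytes hit\n",
           demo_copy(2048, 100, 0));
    printf("2048-byte buffer, 2049-byte line, unbounded: %d guard bytes hit\n",
           demo_copy(2048, 2049, 0));
    printf("2048-byte buffer, 2049-byte line, bounded:   %d guard bytes hit\n",
           demo_copy(2048, 2049, 1));
    return 0;
}
```

The check runs at free time, so the report names the buffer that was overrun and the code path that freed it, which is far closer to the fault than a backtrace ending in libc's realfree(). Guard-page allocators and address sanitizers apply the same idea with hardware protection instead of canary bytes.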