[syslog-ng]Security: syslog-ng 1.4.x and 1.5.x is vulnerable to buffer overflow

William Yodlowsky wyodlows@andromeda.rutgers.edu
Wed, 09 Oct 2002 11:46:52 -0400


William Yodlowsky <wyodlows@andromeda.rutgers.edu> wrote:

> William Yodlowsky <wyodlows@andromeda.rutgers.edu> wrote:
>
> > * Central syslog server segfaults (I know kondou@isc.org mentioned that it 
> >   was their central server too)
> >
> > Since I haven't tried running 1.5.14-1.5.20 I'm going to give them a try
> > to see if the problem is in one of those previous releases.  That may
> > make it easier to track down.
>
> Ok, here's what I did.  I tested each the same way:
>
> - Compiled libol with:
>   ./configure && make
>
> - Compiled syslog-ng with:
>   ./configure --with-libol=../libol-VERSION && make
>
> - Tested with server (large) config file and invoked with:
>   # cd src
>   # truss -f ./syslog-ng -f ~/syslog-ng.conf -F -C /tmp/a -u logs -g
>   # logs
>
> Results:
>
> libol-0.3.1 & syslog-ng-1.5.14 - worked
> libol-0.3.1 & syslog-ng-1.5.15 - worked
> libol-0.3.2 & syslog-ng-1.5.16 - build failed
> libol-0.3.2 & syslog-ng-1.5.17 - worked
> libol-0.3.3 & syslog-ng-1.5.18 - build failed
> libol-0.3.3 & syslog-ng-1.5.19 - segfault
> libol-0.3.3 & syslog-ng-1.5.20 - worked
> libol-0.3.3 & syslog-ng-1.5.21 - (removed res_init call) - WORKED
>
> Hmm.  Before, I was linking with libresolv.  Since removing res_init,
> that's no longer necessary, and it doesn't seem to segfault anymore.
>
> I'm going to poke at this a bit more, and if anything else turns up,
> I'll post.

Sigh.  I spoke to soon:

# gdb /usr/local/sbin/syslog-ng 
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) set args -F -C /common/logs -u logs -g logs
(gdb) r
Starting program: /usr/local/sbin/syslog-ng -F -C /common/logs -u logs
-g logs
[New LWP 1]
[New LWP 2]
[New LWP 3]
[New LWP 4]
[New LWP 5]

Program received signal SIGSEGV, Segmentation fault.
0xff141f74 in realfree () from /usr/lib/libc.so.1
(gdb) bt
#0  0xff141f74 in realfree () from /usr/lib/libc.so.1
#1  0xff142880 in cleanfree () from /usr/lib/libc.so.1
#2  0xff1419b4 in _malloc_unlocked () from /usr/lib/libc.so.1
#3  0xff1418a8 in malloc () from /usr/lib/libc.so.1
#4  0x2abf8 in xalloc ()
#5  0x2adc0 in ol_space_alloc ()
#6  0x199c0 in make_log_info ()
#7  0x1628c in do_handle_line ()
#8  0x16750 in do_read_line ()
#9  0x28e9c in read_callback ()
#10 0x28b78 in io_iter ()
#11 0x1548c in main_loop ()
#12 0x1607c in main ()
(gdb) 

The only difference between my test config file and the production one
is that it listened on a different port, and didn't have the same volume
of traffic.