[syslog-ng] segfault in 3.4 alpha1

Balazs Scheidler bazsi at balabit.hu
Wed Mar 14 21:04:36 CET 2012


On Wed, 2012-03-14 at 10:23 +0100, Gergely Nagy wrote:
> Balazs Scheidler <bazsi at balabit.hu> writes:
> 
> >> #5  0x00007ffff332665d in afmongodb_parse (lexer=0x61d6f0, instance=0x7fffffffa870, arg=0x0) at afmongodb-grammar.y:799
> >> 799 | KW_REPLACE '(' string string ')' {
> >> value_pairs_transform_set_add_func(last_vp_transset,
> >> value_pairs_new_transform_replace($3, $4)); free($3); free($4); }
> >
> > Something clobbers the heap before the free calls, running under
> > valgrind would probably reveal the cause.
> 
> Valgrind shows this, using the attached config:
> 
> ==16117== Invalid free() / delete / delete[] / realloc()
> ==16117==    at 0x40279D4: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==16117==    by 0x4A7A42D: vp_cmdline_parse_rekey_finish (value-pairs.c:462)
> ==16117==    by 0x4A7AC86: value_pairs_new_from_cmdline (value-pairs.c:681)
> ==16117==    by 0x6FF1CAD: tf_json_prepare (tfjson.c:53)
> ==16117==    by 0x4A75E7E: log_template_add_func_elem (templates.c:801)
> ==16117==    by 0x4A76629: log_template_compile (templates.c:1020)
> ==16117==    by 0x4A4B425: cfg_tree_check_inline_template (cfg-tree.c:984)
> ==16117==    by 0x6DE853F: affile_parse (affile-grammar.y:822)
> ==16117==    by 0x4A6EABB: cfg_parser_parse (cfg-parser.h:83)
> ==16117==    by 0x4A6F214: plugin_parse_config (plugin.c:211)
> ==16117==    by 0x4A83ACD: main_parse (cfg-grammar.y:610)
> ==16117==    by 0x4A45527: cfg_parser_parse (cfg-parser.h:83)
> ==16117==  Address 0x6a38f90 is 0 bytes inside a block of size 7 free'd
> ==16117==    at 0x40279D4: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==16117==    by 0x4A7AC57: value_pairs_new_from_cmdline (value-pairs.c:676)
> ==16117==    by 0x6FF1CAD: tf_json_prepare (tfjson.c:53)
> ==16117==    by 0x4A75E7E: log_template_add_func_elem (templates.c:801)
> ==16117==    by 0x4A76629: log_template_compile (templates.c:1020)
> ==16117==    by 0x4A4B425: cfg_tree_check_inline_template (cfg-tree.c:984)
> ==16117==    by 0x6DE853F: affile_parse (affile-grammar.y:822)
> ==16117==    by 0x4A6EABB: cfg_parser_parse (cfg-parser.h:83)
> ==16117==    by 0x4A6F214: plugin_parse_config (plugin.c:211)
> ==16117==    by 0x4A83ACD: main_parse (cfg-grammar.y:610)
> ==16117==    by 0x4A45527: cfg_parser_parse (cfg-parser.h:83)
> ==16117==    by 0x4A46170: cfg_run_parser (cfg.c:316)
> 
> This is a bug introduced by an earlier patch of mine that removes the
> --rekey option. I'll send a patch shortly to fix that.
> 
> Valgrind would've been my next try, but I had to catch a bus. O:)
> 
> > However I'd need your configuration to get more information.
> 
> My config's now attached, though it's of little use now, as valgrind
> found the bug above.

I've committed this for the double free:

commit cf193a52e2177641921e6ff7cda48bc4a37d971b
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Wed Mar 14 20:47:19 2012 +0100

    value-pairs: fixed double free in case of an argument parsing failure
    
    Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>

and this to report template compilation errors properly:

commit 7c2cc16233a5fc21232ec22f56a9ae9022e240bd
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Wed Mar 14 20:48:09 2012 +0100

    cfg-tree: handle template compilation errors properly
    
    In case a template was specified directly at a destination, its syntax errors
    were not properly reported while the configuration was being parsed. This
    patch fixes that.
    
    Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>



-- 
Bazsi
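The double-free pattern Valgrind reported above, as an added illustration that is not code from syslog-ng or from this thread: a hypothetical "old=new" rekey argument parser whose failure path frees a string but leaves the pointer set, next to the single-owner fix, plus a small constructed release tracker that counts a second free of the same block instead of corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>
/* Release tracker (constructed helper): counts a second free of the same block. */
static void *blocks[8];
static int released[8], nblocks, double_frees;
static char *dup_tracked(const char *s) {
  size_t n = strlen(s) + 1; char *p = memcpy(malloc(n), s, n);
  if (nblocks < 8) { blocks[nblocks] = p; released[nblocks] = 0; nblocks++; }
  return p;
}
static void tracked_free(void *p) {
  if (!p) return;                            /* free(NULL) is always a no-op */
  for (int i = 0; i < nblocks; i++)
    if (blocks[i] == p) {
      if (released[i]++) double_frees++;     /* same block released twice */
      else free(p);
      return;
    }
}
/* State for one "old=new" rekey argument (hypothetical, not syslog-ng's). */
typedef struct { char *from; char *to; } Rekey;
/* Buggy: the failure path releases 'from' but leaves the pointer set, so the
 * finish step later releases the same block a second time. */
static int rekey_parse_buggy(Rekey *r, const char *arg) {
  const char *eq = strchr(arg, '=');
  r->from = dup_tracked(arg);
  if (!eq) { tracked_free(r->from); return 0; }
  r->to = dup_tracked(eq + 1);
  return 1;
}
/* Fixed: release once and clear the pointer, so finish sees NULL. */
static int rekey_parse_fixed(Rekey *r, const char *arg) {
  const char *eq = strchr(arg, '=');
  r->from = dup_tracked(arg);
  if (!eq) { tracked_free(r->from); r->from = NULL; return 0; }
  r->to = dup_tracked(eq + 1);
  return 1;
}
static void rekey_finish(Rekey *r) {
  tracked_free(r->from); r->from = NULL;
  tracked_free(r->to);   r->to = NULL;
}
/* Parses then finishes one argument; returns how many double frees occurred. */
static int run_scenario(int (*parse)(Rekey *, const char *), const char *arg) {
  Rekey r = { NULL, NULL };
  nblocks = 0; double_frees = 0;
  parse(&r, arg); rekey_finish(&r);
  return double_frees;
}
```

Under Valgrind the buggy path produces the same "Invalid free()" report as in the trace above, with the first release on the parse failure path and the second in the finish step.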