Attachment 938229 Details for Bug 1142373 – rsyslog CVE-2014-3634 fix for v5

[patch] rsyslog CVE-2014-3634 fix for v5

prifix.v5-stable (text/plain), 13.63 KB, created by Vincent Danen on 2014-09-16 20:29:47 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Vincent Danen

Created: 2014-09-16 20:29:47 UTC

Size: 13.63 KB

patch

obsolete

>diff --git a/ChangeLog b/ChangeLog
>index fe3c244..2f749bd 100644
>--- a/ChangeLog
>+++ b/ChangeLog
>@@ -2023,6 +2023,8 @@ Version 3.22.4 [v3-stable] (rgerhards), 2010-??-??
>   closes: http://bugzilla.adiscon.com/show_bug.cgi?id=271
> - improved some code based on clang static analyzer results
> - bugfix: potential misadressing in property replacer
>+- bugfix: improper handling of invalid PRI values
>+  references: CVE-2014-3634
> ---------------------------------------------------------------------------
> Version 3.22.3 [v3-stable] (rgerhards), 2010-11-24
> - bugfix(important): problem in TLS handling could cause rsyslog to loop
>diff --git a/configure.ac b/configure.ac
>index 52e6fbc..120b4d1 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -79,7 +79,7 @@ AC_SUBST(DL_LIBS)
> AC_HEADER_RESOLV
> AC_HEADER_STDC
> AC_HEADER_SYS_WAIT
>-AC_CHECK_HEADERS([arpa/inet.h libgen.h malloc.h fcntl.h locale.h netdb.h netinet/in.h paths.h stddef.h stdlib.h string.h sys/file.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h sys/stat.h syslog.h unistd.h utmp.h utmpx.h sys/epoll.h sys/prctl.h])
>+AC_CHECK_HEADERS([arpa/inet.h libgen.h malloc.h fcntl.h locale.h netdb.h netinet/in.h paths.h stddef.h stdlib.h string.h sys/file.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h sys/stat.h unistd.h utmp.h utmpx.h sys/epoll.h sys/prctl.h])
> 
> # Checks for typedefs, structures, and compiler characteristics.
> AC_C_CONST
>diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
>index 632bf39..cd6cf06 100644
>--- a/plugins/imfile/imfile.c
>+++ b/plugins/imfile/imfile.c
>@@ -122,8 +122,8 @@ static rsRetVal enqLine(fileInfo_t *pInfo, cstr_t *cstrLine)
> 	MsgSetMSGoffs(pMsg, 0);	/* we do not have a header... */
> 	MsgSetHOSTNAME(pMsg, glbl.GetLocalHostName(), ustrlen(glbl.GetLocalHostName()));
> 	MsgSetTAG(pMsg, pInfo->pszTag, pInfo->lenTag);
>-	pMsg->iFacility = LOG_FAC(pInfo->iFacility);
>-	pMsg->iSeverity = LOG_PRI(pInfo->iSeverity);
>+	pMsg->iFacility = pri2fac(pInfo->iFacility);
>+	pMsg->iSeverity = pri2sev(pInfo->iSeverity);
> 	MsgSetRuleset(pMsg, pInfo->pRuleset);
> 	pInfo->multiSub.ppMsgs[pInfo->multiSub.nElem++] = pMsg;
> 	if(pInfo->multiSub.nElem == pInfo->multiSub.maxElem)
>diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c
>index e953651..08e0b38 100644
>--- a/plugins/imklog/imklog.c
>+++ b/plugins/imklog/imklog.c
>@@ -187,7 +187,7 @@ rsRetVal imklogLogIntMsg(int priority, char *fmt, ...)
> 	va_end(ap);
> 
> 	iRet = enqMsg((uchar*)pLogMsg, (uchar*) ((iFacilIntMsg == LOG_KERN) ? "kernel:" : "imklog:"),
>-		      iFacilIntMsg, LOG_PRI(priority), NULL);
>+		      iFacilIntMsg, pri2sev(priority), NULL);
> 
> 	RETiRet;
> }
>@@ -224,10 +224,10 @@ rsRetVal Syslog(int priority, uchar *pMsg, struct timeval *tp)
> 	/* if we don't get the pri, we use whatever we were supplied */
> 
> 	/* ignore non-kernel messages if not permitted */
>-	if(bPermitNonKernel == 0 && LOG_FAC(priority) != LOG_KERN)
>+	if(bPermitNonKernel == 0 && pri2fac(priority) != LOG_KERN)
> 		FINALIZE; /* silently ignore */
> 
>-	iRet = enqMsg((uchar*)pMsg, (uchar*) "kernel:", LOG_FAC(priority), LOG_PRI(priority), tp);
>+	iRet = enqMsg((uchar*)pMsg, (uchar*) "kernel:", pri2fac(priority), pri2sev(priority), tp);
> 
> finalize_it:
> 	RETiRet;
>diff --git a/plugins/imsolaris/imsolaris.c b/plugins/imsolaris/imsolaris.c
>index 029de72..e0dc1ac 100644
>--- a/plugins/imsolaris/imsolaris.c
>+++ b/plugins/imsolaris/imsolaris.c
>@@ -204,8 +204,8 @@ readLog(int fd, uchar *pRcv, int iMaxLine)
> 		MsgSetInputName(pMsg, pInputName);
> 		MsgSetRawMsg(pMsg, (char*)pRcv, strlen((char*)pRcv));
> 		MsgSetHOSTNAME(pMsg, glbl.GetLocalHostName(), ustrlen(glbl.GetLocalHostName()));
>-		pMsg->iFacility = LOG_FAC(hdr.pri);
>-		pMsg->iSeverity = LOG_PRI(hdr.pri);
>+		pMsg->iFacility = pri2fac(hdr.pri);
>+		pMsg->iSeverity = pri2sev(hdr.pri);
> 		pMsg->msgFlags = NEEDS_PARSING | NO_PRI_IN_RAW;
> 		CHKiRet(submitMsg(pMsg));
> 	}
>diff --git a/plugins/imtemplate/imtemplate.c b/plugins/imtemplate/imtemplate.c
>index 0e2cac1..daa87e8 100644
>--- a/plugins/imtemplate/imtemplate.c
>+++ b/plugins/imtemplate/imtemplate.c
>@@ -245,8 +245,8 @@ CODESTARTrunInput
> 		MsgSetRawMsg(pMsg, msg);
> 		MsgSetHOSTNAME(pMsg, LocalHostName);
> 		MsgSetTAG(pMsg, "rsyslogd:");
>-		pMsg->iFacility = LOG_FAC(pri);
>-		pMsg->iSeverity = LOG_PRI(pri);
>+		pMsg->iFacility = pri2fac(pri);
>+		pMsg->iSeverity = pri2sev(pri);
> 		flags |= INTERNAL_MSG;
> 		logmsg(pMsg, flags); / * some time, CHKiRet() will work here, too [today NOT!] * /
> 		 * 
>diff --git a/plugins/imuxsock/imuxsock.c b/plugins/imuxsock/imuxsock.c
>index 7520554..9a9ba66 100644
>--- a/plugins/imuxsock/imuxsock.c
>+++ b/plugins/imuxsock/imuxsock.c
>@@ -6,7 +6,7 @@
>  *
>  * File begun on 2007-12-20 by RGerhards (extracted from syslogd.c)
>  *
>- * Copyright 2007-2011 Rainer Gerhards and Adiscon GmbH.
>+ * Copyright 2007-2014 Rainer Gerhards and Adiscon GmbH.
>  *
>  * This file is part of rsyslog.
>  *
>@@ -658,8 +658,8 @@ SubmitMsg(uchar *pRcv, int lenRcv, lstn_t *pLstn, struct ucred *cred, struct tim
> 		++parse;
> 		++offs;
> 	} 
>-	facil = LOG_FAC(pri);
>-	sever = LOG_PRI(pri);
>+	facil = pri2fac(pri);
>+	sever = pri2sev(pri);
> 
> 	if(sever >= pLstn->ratelimitSev) {
> 		/* note: if cred == NULL, then ratelimiter == NULL as well! */
>diff --git a/runtime/msg.c b/runtime/msg.c
>index aa97dc2..8040933 100644
>--- a/runtime/msg.c
>+++ b/runtime/msg.c
>@@ -67,7 +67,7 @@ DEFobjCurrIf(net)
> static struct {
> 	uchar *pszName;
> 	short lenName;
>-} syslog_pri_names[192] = {
>+} syslog_pri_names[200] = {
> 	{ UCHAR_CONSTANT("0"), 3},
> 	{ UCHAR_CONSTANT("1"), 3},
> 	{ UCHAR_CONSTANT("2"), 3},
>@@ -259,14 +259,22 @@ static struct {
> 	{ UCHAR_CONSTANT("188"), 5},
> 	{ UCHAR_CONSTANT("189"), 5},
> 	{ UCHAR_CONSTANT("190"), 5},
>-	{ UCHAR_CONSTANT("191"), 5}
>+	{ UCHAR_CONSTANT("191"), 5},
>+	{ UCHAR_CONSTANT("192"), 5},
>+	{ UCHAR_CONSTANT("193"), 5},
>+	{ UCHAR_CONSTANT("194"), 5},
>+	{ UCHAR_CONSTANT("195"), 5},
>+	{ UCHAR_CONSTANT("196"), 5},
>+	{ UCHAR_CONSTANT("197"), 5},
>+	{ UCHAR_CONSTANT("198"), 5},
>+	{ UCHAR_CONSTANT("199"), 5}
> 	};
> 
> /*syslog facility names (as of RFC5424) */
>-static char *syslog_fac_names[24] = { "kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
>+static char *syslog_fac_names[LOG_NFACILITIES] = { "kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
> 			    	      "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
> 			    	      "alert", "clock", "local0", "local1", "local2", "local3",
>-			    	      "local4", "local5", "local6", "local7" };
>+			    	      "local4", "local5", "local6", "local7", "invld" };
> 
> /* table of severity names (in numerical order)*/
> static char *syslog_severity_names[8] = { "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug" };
>@@ -275,8 +283,8 @@ static char *syslog_severity_names[8] = { "emerg", "alert", "crit", "err", "warn
>  * and facility values to a numerical string... -- rgerhars, 2009-06-17
>  */
> 
>-static char *syslog_number_names[24] = { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14",
>-					 "15", "16", "17", "18", "19", "20", "21", "22", "23" };
>+static char *syslog_number_names[LOG_NFACILITIES] = { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14",
>+					 "15", "16", "17", "18", "19", "20", "21", "22", "23", "24" };
> 
> /* global variables */
> #if defined(HAVE_MALLOC_TRIM) && !defined(HAVE_ATOMIC_BUILTINS)
>@@ -685,8 +693,8 @@ static inline rsRetVal msgBaseConstruct(msg_t **ppThis)
> 	pM->bDoLock = 0;
> 	pM->bAlreadyFreed = 0;
> 	pM->iRefCount = 1;
>-	pM->iSeverity = -1;
>-	pM->iFacility = -1;
>+	pM->iSeverity = LOG_DEBUG;
>+	pM->iFacility = LOG_INVLD;
> 	pM->offAfterPRI = 0;
> 	pM->offMSG = -1;
> 	pM->iProtocolVersion = 0;
>@@ -2246,8 +2254,8 @@ char *textpri(char *pRes, size_t pResLen, int pri)
> 	assert(pRes != NULL);
> 	assert(pResLen > 0);
> 
>-	snprintf(pRes, pResLen, "%s.%s<%d>", syslog_fac_names[LOG_FAC(pri)],
>-		 syslog_severity_names[LOG_PRI(pri)], pri);
>+	snprintf(pRes, pResLen, "%s.%s<%d>", syslog_fac_names[pri2fac(pri)],
>+		 syslog_severity_names[pri2sev(pri)], pri);
> 
> 	return pRes;
> }
>diff --git a/runtime/parser.c b/runtime/parser.c
>index 180814c..e96ad11 100644
>--- a/runtime/parser.c
>+++ b/runtime/parser.c
>@@ -455,11 +455,11 @@ ParsePRI(msg_t *pMsg)
> 			}
> 			if(*msg == '>')
> 				++msg;
>-			if(pri & ~(LOG_FACMASK|LOG_PRIMASK))
>-				pri = DEFUPRI;
>+			if(pri > LOG_MAXPRI)
>+				pri = LOG_PRI_INVLD;
> 		}
>-		pMsg->iFacility = LOG_FAC(pri);
>-		pMsg->iSeverity = LOG_PRI(pri);
>+		pMsg->iFacility = pri2fac(pri);
>+		pMsg->iSeverity = pri2sev(pri);
> 		MsgSetAfterPRIOffs(pMsg, msg - pMsg->pszRawMsg);
> 	}
> 	RETiRet;
>diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
>index adcd465..2a1d2d0 100644
>--- a/runtime/rsyslog.h
>+++ b/runtime/rsyslog.h
>@@ -3,7 +3,7 @@
>  *
>  * Begun 2005-09-15 RGerhards
>  *
>- * Copyright (C) 2005-2008 by Rainer Gerhards and Adiscon GmbH
>+ * Copyright (C) 2005-2014 by Rainer Gerhards and Adiscon GmbH
>  *
>  * This file is part of the rsyslog runtime library.
>  *
>@@ -74,19 +74,58 @@
>  * #                  End Config Settings                      # *
>  * ############################################################# */
> 
>-/* portability: not all platforms have these defines, so we
>- * define them here if they are missing. -- rgerhards, 2008-03-04
>+/* make sure we uses consistent macros, no matter what the
>+ * platform gives us.
>  */
>-#ifndef LOG_MAKEPRI
>-#	define	LOG_MAKEPRI(fac, pri)	(((fac) << 3) | (pri))
>-#endif
>-#ifndef LOG_PRI
>-#	define	LOG_PRI(p)	((p) & LOG_PRIMASK)
>-#endif
>-#ifndef LOG_FAC
>-#	define	LOG_FAC(p)	(((p) & LOG_FACMASK) >> 3)
>-#endif
>+#define LOG_NFACILITIES 24+1 /* plus one for our special "invld" facility! */
>+#define LOG_MAXPRI 191	/* highest supported valid PRI value --> RFC3164, RFC5424 */
>+#undef LOG_MAKEPRI
>+#define LOG_PRI_INVLD	LOG_INVLD|LOG_DEBUG	/* PRI is invalid --> special "invld.=debug" PRI code (rsyslog-specific) */
>+
>+#define	LOG_EMERG	0	/* system is unusable */
>+#define	LOG_ALERT	1	/* action must be taken immediately */
>+#define	LOG_CRIT	2	/* critical conditions */
>+#define	LOG_ERR		3	/* error conditions */
>+#define	LOG_WARNING	4	/* warning conditions */
>+#define	LOG_NOTICE	5	/* normal but significant condition */
>+#define	LOG_INFO	6	/* informational */
>+#define	LOG_DEBUG	7	/* debug-level messages */
> 
>+#define	LOG_KERN	(0<<3)	/* kernel messages */
>+#define	LOG_USER	(1<<3)	/* random user-level messages */
>+#define	LOG_MAIL	(2<<3)	/* mail system */
>+#define	LOG_DAEMON	(3<<3)	/* system daemons */
>+#define	LOG_AUTH	(4<<3)	/* security/authorization messages */
>+#define	LOG_SYSLOG	(5<<3)	/* messages generated internally by syslogd */
>+#define	LOG_LPR		(6<<3)	/* line printer subsystem */
>+#define	LOG_NEWS	(7<<3)	/* network news subsystem */
>+#define	LOG_UUCP	(8<<3)	/* UUCP subsystem */
>+#define	LOG_CRON	(9<<3)	/* clock daemon */
>+#define	LOG_AUTHPRIV	(10<<3)	/* security/authorization messages (private) */
>+#define	LOG_FTP		(11<<3)	/* ftp daemon */
>+#define	LOG_LOCAL0	(16<<3)	/* reserved for local use */
>+#define	LOG_LOCAL1	(17<<3)	/* reserved for local use */
>+#define	LOG_LOCAL2	(18<<3)	/* reserved for local use */
>+#define	LOG_LOCAL3	(19<<3)	/* reserved for local use */
>+#define	LOG_LOCAL4	(20<<3)	/* reserved for local use */
>+#define	LOG_LOCAL5	(21<<3)	/* reserved for local use */
>+#define	LOG_LOCAL6	(22<<3)	/* reserved for local use */
>+#define	LOG_LOCAL7	(23<<3)	/* reserved for local use */
>+#define LOG_FAC_INVLD   24
>+#define	LOG_INVLD	(LOG_FAC_INVLD<<3)	/* invalid facility/PRI code */
>+
>+/* we need to use a function to avoid side-effects. This MUST guard
>+ * against invalid facility values. rgerhards, 2014-09-16
>+ */
>+static inline int pri2fac(const int pri)
>+{
>+	int fac = pri >> 3;
>+	return (fac > 23) ? LOG_FAC_INVLD : fac;
>+}
>+static inline int pri2sev(const int pri)
>+{
>+	return pri & 0x07;
>+}
> 
> /* the rsyslog core provides information about present feature to plugins
>  * asking it. Below are feature-test macros which must be used to query 
>diff --git a/runtime/rule.c b/runtime/rule.c
>index a375b05..828c244 100644
>--- a/runtime/rule.c
>+++ b/runtime/rule.c
>@@ -176,7 +176,7 @@ shouldProcessThisMessage(rule_t *pRule, msg_t *pMsg, sbool *bProcessMsg)
> 			bRet = 0;
> 		else
> 			bRet = 1;
>-		dbgprintf("testing filter, f_pmask %d, result %d\n", pRule->f_filterData.f_pmask[pMsg->iFacility], bRet);
>+		dbgprintf("tested filter, f_pmask %d, facility %d, result %d\n", pRule->f_filterData.f_pmask[pMsg->iFacility], pMsg->iFacility, bRet);
> 	} else if(pRule->f_filter_type == FILTER_EXPR) {
> 		CHKiRet(vm.Construct(&pVM));
> 		CHKiRet(vm.ConstructFinalize(pVM));
>diff --git a/runtime/srutils.c b/runtime/srutils.c
>index f420c0f..d81bdda 100644
>--- a/runtime/srutils.c
>+++ b/runtime/srutils.c
>@@ -100,6 +100,7 @@ syslogName_t	syslogFacNames[] = {
> 	{"local5",       LOG_LOCAL5},
> 	{"local6",       LOG_LOCAL6},
> 	{"local7",       LOG_LOCAL7},
>+	{"invld",        LOG_INVLD},
> 	{NULL,           -1},
> };
> 
>diff --git a/runtime/syslogd-types.h b/runtime/syslogd-types.h
>index 6947a11..8aee425 100644
>--- a/runtime/syslogd-types.h
>+++ b/runtime/syslogd-types.h
>@@ -27,9 +27,6 @@
> 
> #include "stringbuf.h"
> #include <sys/param.h>
>-#if HAVE_SYSLOG_H
>-#include <syslog.h>
>-#endif
> 
> /* we use RSTRUE/FALSE to prevent name claches with other packages */
> #define RSFALSE 0
>diff --git a/tools/syslogd.c b/tools/syslogd.c
>index 75ee96e..120a89e 100644
>--- a/tools/syslogd.c
>+++ b/tools/syslogd.c
>@@ -572,8 +572,8 @@ dbgprintf("ZZZZ: pLocalHostIPIF used!\n");
> 		pszTag[32] = '\0'; /* just to make sure... */
> 		MsgSetTAG(pMsg, pszTag, len);
> 	}
>-	pMsg->iFacility = LOG_FAC(pri);
>-	pMsg->iSeverity = LOG_PRI(pri);
>+	pMsg->iFacility = pri2fac(pri);
>+	pMsg->iSeverity = pri2sev(pri);
> 	flags |= INTERNAL_MSG;
> 	pMsg->msgFlags  = flags;
> 
>@@ -586,7 +586,7 @@ dbgprintf("ZZZZ: pLocalHostIPIF used!\n");
> 	 * supressor statement.
> 	 */
> 	if(((Debug == DEBUG_FULL || NoFork) && bErrMsgToStderr) || iConfigVerify) {
>-		if(LOG_PRI(pri) == LOG_ERR)
>+		if(pri2fac(pri) == LOG_ERR)
> 			fprintf(stderr, "rsyslogd: %s\n", msg);
> 	}
>

Actions: View | Diff

Attachments on bug 1142373: 938140 | 938141 | 938142 | 938143 | 938229 | 943495 | 943496 | 943575 | 943701 | 943702