Bug 120453 - syslogd memory allocation error

| Field | Value |
|---|---|
| Summary | syslogd memory allocation error |
| Product | Fedora |
| Component | sysklogd |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Reporter | Steve Grubb <linux_4ever> |
| Assignee | Bill Nottingham <notting> |
| QA Contact | Brian Brock <bbrock> |
| CC | rvokal |
| Fixed In Version | 1.4.1-16 |
| Doc Type | Bug Fix |
| Bug Blocks | 114963 |
| Last Closed | 2004-05-03 21:57:49 UTC |
| Attachments | 99250: Patch that fixes the problem |
Description of problem (from Bugzilla Helper; User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308):

During a code review it was discovered that syslogd does not allocate enough memory to store all its pointers in the crunch list. The problem code around line 1266 is this:

```c
if ((result = (char **)malloc(sizeof(char *) * count+2)) == NULL)
```

There should be parentheses around the count+2, since otherwise the multiplication takes place first. Without them, the array is not big enough and unexpected results (or a core dump) may follow.

Version-Release number of selected component (if applicable): sysklogd-1.4.1-14

How reproducible: Always

Steps to Reproduce: Found in code review

Additional info: I will attach a patch that fixes this.

Created attachment 99250: Patch that fixes the problem

Please apply before Fedora Core 2 final.

This should be security noted for fc1, also.

Worthy of note to fedora legacy - this applies to rhl9 and probably rhl7.3.

Noted and patched in fedora legacy: https://bugzilla.fedora.us/show_bug.cgi?id=1553

Note that this only affects crunch_args, which AFAIK is only called via commandline args. So not as much of a security issue.

I think you underestimate this bug. The crunch list is returned to a global variable that is later used for strcmp's in the main select loop. The memory just beyond the crunch list is free to be reassigned by glibc. Eventually it will be written to and all the values change. Around line 2056 you see this code:

```c
while (LocalHosts[count]) {
	if (!strcmp(hp->h_name, LocalHosts[count])) {
		*p = '\0';
		return (hp->h_name);
	}
	count++;
}
```

Guess what happens when you do a strcmp with a random number as a pointer? With syslogd down, a lot of strange activity won't get recorded. People count on syslog to help provide an audit trail if something bad happens.

It's such a simple bug to fix... please apply the patch. Admittedly, you have to be using the -l or -s option, but why risk it?

What I'm saying is that if it's only invoked on the commandline, then anyone maliciously invoking it already has root. A version of the patch will be applied; I'm just not seeing how it's a security vulnerability in and of itself.

Fixed in 1.4.1-16.

An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-348.html

An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-335.html
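The operator-precedence mistake in the report is easy to quantify. The following is an added example, not sysklogd's code and not the attached patch: `buggy_alloc_bytes` and `fixed_alloc_bytes` evaluate the two candidate size expressions so the shortfall can be checked directly, and `crunch_list` is a hypothetical reimplementation of the idea described in the report (split a delimiter-separated option value into a NULL-terminated array of copies, with `count` delimiters giving `count+1` entries plus the terminator), using the corrected size. The `LIST_DELIMITER`, `free_list` and `list_len` names are this example's own, and the input is assumed to be already trimmed of leading and trailing delimiters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIST_DELIMITER ','   /* assumed delimiter for this example */

/* Bytes the original expression passes to malloc. Multiplication binds
 * tighter than addition, so this is count pointers plus 2 BYTES. */
size_t buggy_alloc_bytes(size_t count)
{
    return sizeof(char *) * count + 2;
}

/* Bytes the list really needs: count+1 entries plus a NULL terminator. */
size_t fixed_alloc_bytes(size_t count)
{
    return sizeof(char *) * (count + 2);
}

/* How far the buggy size falls short of what the list writer stores.
 * This is 2*sizeof(char *) - 2 for every count, so even a single-entry
 * list writes past the end of the block. */
size_t alloc_shortfall(size_t count)
{
    return fixed_alloc_bytes(count) - buggy_alloc_bytes(count);
}

/* Release a NULL-terminated array of strings. */
void free_list(char **list)
{
    size_t i;
    if (list == NULL)
        return;
    for (i = 0; list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

/* Number of entries before the NULL terminator. */
size_t list_len(char **list)
{
    size_t n = 0;
    while (list[n] != NULL)
        n++;
    return n;
}

/* Hypothetical crunch_list: split "a,b,c" into {"a","b","c",NULL}.
 * Input is assumed already trimmed of leading/trailing delimiters. */
char **crunch_list(const char *list)
{
    size_t count = 0, i, n = 0, len;
    const char *p = list, *q;
    char **result;

    /* count delimiters: entries = count + 1, plus one NULL slot */
    for (i = 0; list[i] != '\0'; i++)
        if (list[i] == LIST_DELIMITER)
            count++;

    result = malloc(fixed_alloc_bytes(count));
    if (result == NULL)
        return NULL;

    while ((q = strchr(p, LIST_DELIMITER)) != NULL) {
        len = (size_t)(q - p);
        result[n] = malloc(len + 1);
        if (result[n] == NULL) {
            free_list(result);   /* result[n] is NULL, so freeing stops there */
            return NULL;
        }
        memcpy(result[n], p, len);
        result[n][len] = '\0';
        p = q + 1;
        n++;
    }
    /* last entry: everything after the final delimiter */
    len = strlen(p);
    result[n] = malloc(len + 1);
    if (result[n] == NULL) {
        free_list(result);
        return NULL;
    }
    memcpy(result[n], p, len + 1);
    result[n + 1] = NULL;        /* slot count+1: the one the bug did not size for */
    return result;
}

int main(void)
{
    char **hosts = crunch_list("host1,host2,host3");
    size_t i;
    if (hosts == NULL)
        return 1;
    printf("entries: %zu (need %zu bytes, bug allocates %zu, short by %zu)\n",
           list_len(hosts), fixed_alloc_bytes(2), buggy_alloc_bytes(2),
           alloc_shortfall(2));
    for (i = 0; hosts[i] != NULL; i++)
        printf("  [%zu] %s\n", i, hosts[i]);
    free_list(hosts);
    return 0;
}
```

The shortfall is constant and independent of how many hosts are listed, which is why the corruption the reporter describes does not need a long `-l` or `-s` argument to occur; the last entry and the NULL terminator always land outside the allocated block. A heap checker such as valgrind or AddressSanitizer flags this kind of write immediately, which is a cheap check to run over option parsing code of a long-lived daemon.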