Bug 2011602

Summary: logger from util-linux incorrectly handles long messages
Product: Red Hat Enterprise Linux 8 Reporter: Paulo Andrade <pandrade>
Component: util-linuxAssignee: Karel Zak <kzak>
Status: CLOSED ERRATA QA Contact: Vojtech Eichler <veichler>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.4CC: fsumsal
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: util-linux-2.32.1-29.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2033622 (view as bug list) Environment:
Last Closed: 2022-05-10 15:30:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2033622    

Description Paulo Andrade 2021-10-06 20:43:35 UTC 
In

https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/misc-utils/logger.c?h=stable%2Fv2.32#n963

we see:

	size_t max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr);
	char *const buf = xmalloc(max_usrmsg_size + 2 + 2);

since ctl->max_message_size defaults to 1024, unless the -S option is used,
a very long message will result in a very large unsigned value, causing
the malloc call to fail.

User suggests pseudo patch:

-	size_t max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr);
+	size_t usrmsg_size = strlen(ctl->hdr);
+	size_t max_usrmsg_size = (ctl->max_message_size < usrmgr_size) ? usrmgr_size : ctl->max_message_size);

  Need a careful review of the code, as a few lines below there is also:

				max_usrmsg_size =
				    ctl->max_message_size - strlen(ctl->hdr);

what again might write out of bounds due to negative value as unsigned.
Comment 1 Karel Zak 2021-10-21 14:06:40 UTC 
Fixed in the upstream tree in a little bit different way (than suggested in comment #0):

https://github.com/karelzak/util-linux/commit/2fdea5a26480d46ec9445b0ea17fc984f84eecc9
https://github.com/karelzak/util-linux/commit/b0a8b8cd9c34600dda7d0503aac2dc0af3012fdc
Comment 2 Karel Zak 2021-10-21 16:55:07 UTC 
Please, ignore the previous comment. I have reverted the patch. The proper bugfix is: https://github.com/karelzak/util-linux/commit/58e4ee082bca100034791a4a74481f263bb30a25
Comment 3 Paulo Andrade 2021-11-04 12:40:20 UTC 
Just in case the above link appears broken... https://github.com/util-linux/util-linux/commit/58e4ee082bca100034791a4a74481f263bb30a25
Comment 9 errata-xmlrpc 2022-05-10 15:30:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (util-linux bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2100