Bug 120453 - syslogd memory allocation error
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sysklogd (Show other bugs)
rawhide
All Linux
medium Severity high
Assigned To: Bill Nottingham
Brian Brock
Blocks: FC2Target
Reported: 2004-04-08 17:22 EDT by Steve Grubb
Modified: 2014-03-16 22:44 EDT (History)

Fixed In Version: 1.4.1-16
Doc Type: Bug Fix
Last Closed: 2004-05-03 17:57:49 EDT

Attachments
Patch that fixes the problem (767 bytes, patch)
2004-04-08 17:24 EDT, Steve Grubb

Description Steve Grubb 2004-04-08 17:22:39 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Gecko/20040308

Description of problem:
During a code review it was discovered that syslogd does not allocate
enough memory to store all its pointers in the crunch list. The
problem code around line 1266 is this:

if ((result = (char **)malloc(sizeof(char *) * count+2)) == NULL)

There should be parentheses around the count+2 since multiplication
otherwise takes place first. Without it, the array is not big enough
and unexpected results (or core dump) may follow.

Version-Release number of selected component (if applicable):
sysklogd-1.4.1-14

How reproducible:
Always

Steps to Reproduce:
Found in code review
    

Additional info:

I will attach a patch that fixes this.
Comment 1 Steve Grubb 2004-04-08 17:24:37 EDT
Created attachment 99250 [details]
Patch that fixes the problem

Please apply before Fedora Core 2 final.
Comment 2 Seth Vidal 2004-05-01 04:02:43 EDT
This should be security noted for fc1, also.
Comment 3 Seth Vidal 2004-05-01 04:11:51 EDT
Worthy of note to fedora legacy - this applies to rhl9 and probably rhl7.3
Comment 4 Seth Vidal 2004-05-01 04:37:52 EDT
noted and patched in fedora legacy
https://bugzilla.fedora.us/show_bug.cgi?id=1553
Comment 5 Bill Nottingham 2004-05-02 20:47:09 EDT
Note that this only affects crunch_args, which AFAIK is only called
via commandline args. So not as much of a security issue.
Comment 6 Steve Grubb 2004-05-03 08:57:13 EDT
I think you underestimate this bug. The crunch list is returned to a
global variable that is later used for strcmp's in the main select
loop. The memory just beyond the crunch list is free to be reassigned
by glibc. Eventually it will be written to and all the values change.

Around line 2056 you see this code:

   while (LocalHosts[count]) {
       if (!strcmp(hp->h_name, LocalHosts[count])) {
           *p = '\0';
           return (hp->h_name);
       }
       count++;
   }

Guess what happens when you do a strcmp with a random number as a
pointer? With syslogd down, a lot of strange activity won't get recorded.
People count on syslog to help provide an audit trail if something bad
happens.

It is such a simple bug to fix...please apply the patch. Admittedly, you
have to be using the -l or -s option, but why risk it?
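The following is an added example illustrating the report and comment 6 above; it is not sysklogd's code and not the attached patch. It puts the original sizing expression from the description next to the corrected one, computes how many of the count+2 pointer slots land outside the under-sized buffer, and then implements split_list(), a hypothetical stand-in for crunch_list() that builds a NULL-terminated array the way the report describes, with in_list() mirroring the LocalHosts strcmp loop quoted in comment 6. The ':' separator and the function names are assumptions of this example, not details taken from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes requested by the expression quoted in the report.
 * Precedence makes this (sizeof(char *) * count) + 2, not a multiple of
 * the pointer size, so only `count` full pointer slots fit. */
size_t buggy_alloc_size(int count)
{
    return sizeof(char *) * count+2;
}

/* Bytes the list really needs: count+1 entries plus a NULL terminator. */
size_t fixed_alloc_size(int count)
{
    return sizeof(char *) * (count + 2);
}

/* How many of the count+2 pointer stores fall past the end of the buggy
 * allocation (the last list entry and the NULL terminator). */
int slots_outside_buggy_alloc(int count)
{
    size_t usable = buggy_alloc_size(count) / sizeof(char *);
    return (count + 2) - (int)usable;
}

/* Free a NULL-terminated array of strings built by split_list(). */
void free_list(char **list)
{
    if (list == NULL)
        return;
    for (int i = 0; list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

/* Hypothetical stand-in for crunch_list(): split a ':'-separated list
 * (assumed separator) into a NULL-terminated array of copied strings,
 * sized with the corrected expression. */
char **split_list(const char *list)
{
    int count = 0;                       /* number of separators */
    for (const char *p = list; *p; p++)
        if (*p == ':')
            count++;

    /* count separators -> count+1 items, plus one slot for NULL */
    char **result = malloc(sizeof(char *) * (count + 2));
    if (result == NULL)
        return NULL;

    int i = 0;
    const char *start = list;
    for (const char *p = list; ; p++) {
        if (*p == ':' || *p == '\0') {
            size_t len = (size_t)(p - start);
            result[i] = malloc(len + 1);
            if (result[i] == NULL) {     /* unwind on allocation failure */
                free_list(result);       /* result[i] is NULL: safe terminator */
                return NULL;
            }
            memcpy(result[i], start, len);
            result[i][len] = '\0';
            i++;
            if (*p == '\0')
                break;
            start = p + 1;
        }
    }
    result[i] = NULL;                    /* i == count+1, the last slot */
    return result;
}

/* Mirrors the LocalHosts loop from comment 6: walk until the NULL
 * terminator, comparing each entry.  With the buggy sizing the terminator
 * lives outside the allocation, so this loop can run into garbage. */
int in_list(char **list, const char *name)
{
    for (int i = 0; list[i] != NULL; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/* Convenience wrappers so the split-and-lookup round trip can be checked. */
int demo_length(const char *spec)
{
    char **l = split_list(spec);
    if (l == NULL)
        return -1;
    int n = 0;
    while (l[n] != NULL)
        n++;
    free_list(l);
    return n;
}

int demo_lookup(const char *spec, const char *name)
{
    char **l = split_list(spec);
    if (l == NULL)
        return -1;
    int found = in_list(l, name);
    free_list(l);
    return found;
}
```

On a 64-bit build, a three-host list asks for 26 bytes under the original expression instead of the 40 bytes five pointers need, so the final entry and the NULL terminator are written past the end of the chunk; whatever glibc later hands out next to it can overwrite them, which is exactly why the strcmp loop in comment 6 can end up dereferencing a stray value.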
Comment 7 Bill Nottingham 2004-05-03 14:39:59 EDT
What I'm saying is that if it's only invoked on the commandline, then
anyone maliciously invoking it already has root. A version of the
patch will be applied, I'm just not seeing how it's a security
vulnerability in and of itself.
Comment 8 Bill Nottingham 2004-05-03 17:57:49 EDT
Fixed in 1.4.1-16.
Comment 9 John Flanagan 2004-08-18 10:55:32 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-348.html
Comment 10 Jay Turner 2004-09-01 23:29:42 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-335.html
