From mboxrd@z Thu Jan 1 00:00:00 1970
From: "siddhesh at sourceware dot org"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/29536] syslog fail to create large messages
Date: Mon, 29 Aug 2022 19:36:22 +0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.36
X-Bugzilla-Severity: normal
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Flags: security+
X-Bugzilla-URL: http://sourceware.org/bugzilla/

https://sourceware.org/bugzilla/show_bug.cgi?id=29536

--- Comment #3 from Siddhesh Poyarekar ---
OK, some more analysis on what's going on:

There are two invalid reads here:

  __dprintf (STDERR_FILENO, "%s%s", buf + msgoff, "\n" + (buf[bufsize - 1] == '\n'));

one that's a byte under the malloc'd block, through buf[bufsize - 1].  The
other is a read of uninitialized memory through buf + msgoff, which will end
up revealing contents of buf if it has been reused.

At best it will reveal a free list pointer, which we mangle, so that's less
of a problem.  At worst it could be a block of interest for the attacker.

The byte under the malloc'd block is less interesting because it is merely
used to decide whether or not to print the '\n'.

So I'm going to leave the security+ in place and file a CVE request.  The
fix should get backported to 2.36, where the flaw was introduced.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
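The two reads described in the comment above, worked through in an added example that is not glibc's code: a hypothetical formatting routine that sizes its heap buffer from a measured length, verifies the fill pass wrote exactly that many bytes (so the message pointer never lands on unwritten memory), and refuses to inspect buf[len - 1] when len is 0 (so no byte below the block is ever read). All names and the two-pass structure are this example's own assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of formatting one log line. These names are hypothetical, chosen
   for this example; they are not glibc's internal identifiers. */
struct emitted {
    char *text;        /* header + message, heap allocated, NUL terminated */
    size_t len;        /* number of bytes actually written into text */
    int needs_newline; /* 1 if a '\n' must be appended when printing */
};

/* Format "<ident>: <message>" into a freshly malloc'd buffer; ident may be
   NULL (no header). Returns 0 on success, -1 on error. The uninitialized
   read is avoided by checking that the fill pass wrote exactly the measured
   length; the under-read is avoided by guarding len == 0 before looking at
   the last byte. */
static int build_message(struct emitted *out, const char *ident,
                         const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    /* Pass 1: measure the exact output length without writing anything. */
    int hdr = ident ? snprintf(NULL, 0, "%s: ", ident) : 0;
    int msg = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (hdr < 0 || msg < 0) { va_end(ap); return -1; }
    size_t total = (size_t)hdr + (size_t)msg;
    char *buf = malloc(total + 1);
    if (buf == NULL) { va_end(ap); return -1; }
    /* Pass 2: fill, then confirm the written length matches the size we
       allocated for. A mismatch would leave part of buf uninitialized. */
    int n1 = ident ? snprintf(buf, total + 1, "%s: ", ident) : 0;
    int n2 = vsnprintf(buf + n1, total + 1 - (size_t)n1, fmt, ap);
    va_end(ap);
    if (n1 != hdr || n2 != msg) { free(buf); return -1; }
    out->text = buf;
    out->len = total;
    /* Only inspect the last byte when there is one: with a zero-length
       result, buf[total - 1] would be the byte below the malloc'd block. */
    out->needs_newline = (total == 0) || buf[total - 1] != '\n';
    return 0;
}
```

A caller printing the line (the LOG_PERROR path in the report) appends "\n" only when needs_newline is set, instead of peeking at the buffer's last byte at print time.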