From: "adhemerval.zanella at linaro dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/29536] New: syslog fail to create large messages
Date: Mon, 29 Aug 2022 12:26:46 +0000
Message-ID: <bug-29536-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=29536

            Bug ID: 29536
           Summary: syslog fail to create large messages
           Product: glibc
           Version: 2.36
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: adhemerval.zanella at linaro dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

The fallback to use a heap-allocated string for large input arguments does not
correctly create the syslog message. For example, the following test fails:

--
$ cat test.c
#include <stdio.h>
#include <syslog.h>

int main (int argc, const char *argv[])
{
  const char *some_very_long_message = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla gravida sapien metus, in sagittis ipsum pellentesque ut. In dui lectus, elementum ut lacus et, mattis ullamcorper nulla. Cras vel arcu laoreet, fringilla lacus sit amet, scelerisque nisl. Suspendisse nec massa eu erat commodo mollis. Curabitur imperdiet velit id lectus laoreet auctor. Sed in enim volutpat, vulputate ipsum quis, tristique nulla. Vestibulum vitae condimentum metus, nec commodo lacus. Aliquam erat volutpat. Nunc fringilla justo at feugiat elementum. Aliquam eget nisl vel arcu molestie placerat ut non lectus. Vivamus scelerisque condimentum felis ut hendrerit. Pellentesque sit amet dui eu erat lacinia gravida nec vitae nisl. Suspendisse rhoncus sagittis lacus, pharetra porttitor libero laoreet eu. Proin scelerisque luctus blandit. Maecenas non odio sapien. Vivamus id euismod lorem, at maximus nisi. Maecenas consectetur et felis at tempus. Etiam ac laoreet sem, vitae dignissim nulla. Nulla eu pretium nulla. In nec auctor nisl. Fusce luctus vel dolor id tempus. Nunc varius nunc eros, eget mattis sapien efficitur at. Duis dolor est, vestibulum eu interdum a, interdum id augue. Donec hendrerit, mi non laoreet placerat, nunc turpis scelerisque dui, eu pulvinar dui dui facilisis diam. Curabitur sapien risus, varius in neque eget, molestie rutrum dui. Etiam dolor nulla, sollicitudin nec mauris in, blandit pretium nulla. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Donec lacinia mollis rutrum. Morbi aliquet tempus odio, ac euismod mi fermentum a. Duis ut facilisis tortor. Curabitur egestas nisi quis pulvinar porta. Sed consectetur interdum metus, eleifend condimentum massa congue at. Etiam vel rhoncus enim. Nullam bibendum velit ut ultricies aliquam. Maecenas in varius elit, nec sollicitudin lectus. Nulla eleifend scelerisque nulla, eu vehicula tortor vulputate vitae. In consequat vitae ipsum in sollicitudin. Nam rutrum libero mauris, nec iaculis lectus lobortis vel. Donec eget tempus nibh. Etiam egestas ultrices tortor, ac condimentum tellus ultricies in. Nulla commodo hendrerit metus nec feugiat. Donec libero tortor, posuere sit amet metus malesuada, commodo vulputate ipsum. Nam a auctor augue. Sed vel libero dui. Donec scelerisque dignissim risus, eget aliquet arcu vestibulum nec. Aliquam nec arcu vel felis sollicitudin lacinia. Curabitur eget purus nibh. Phasellus rutrum vulputate nunc, sit amet ullamcorper sem congue eu. Nam interdum nibh turpis, vehicula sagittis quam dictum vel. Curabitur dolor sem, pulvinar a velit ac, ultrices tincidunt felis. Quisque vitae mollis ipsum. Morbi quis tortor a metus iaculis elementum.";

  openlog ("MyTest", LOG_PERROR, LOG_DAEMON);
  syslog (LOG_DEBUG, "%s", some_very_long_message);
  closelog ();
}
$ gcc -Wall test.c -o test
$ ./testrun.sh ./test
$
--

Worse, it accesses invalid memory:

$ ./testrun.sh --tool=valgrind ./test
[...]
==62032==
==62032== Invalid read of size 1
==62032==    at 0x4936537: __vsyslog_internal (syslog.c:230)
==62032==    by 0x4936955: syslog (syslog.c:90)
==62032==    by 0x48011DF: main (in /home/azanella/Projects/glibc/build/x86_64-linux-gnu/test)
==62032==  Address 0x4a267bf is 1 bytes before a block of size 29 alloc'd
==62032==    at 0x4811899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==62032==    by 0x49364AB: __vsyslog_internal (syslog.c:206)
==62032==    by 0x4936955: syslog (syslog.c:90)
==62032==    by 0x48011DF: main (in /home/azanella/Projects/glibc/build/x86_64-linux-gnu/test)
==62032==
==62032== Conditional jump or move depends on uninitialised value(s)
==62032==    at 0x4817D19: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==62032==    by 0x4885B3F: __vfprintf_internal (vfprintf-process-arg.c:397)
==62032==    by 0x48A8964: __vdprintf_internal (iovdprintf.c:54)
==62032==    by 0x4878FB5: dprintf (dprintf.c:30)
==62032==    by 0x4936561: __vsyslog_internal (syslog.c:230)
==62032==    by 0x4936955: syslog (syslog.c:90)
==62032==    by 0x48011DF: main (in /home/azanella/Projects/glibc/build/x86_64-linux-gnu/test)
==62032==
==62032==
==62032== HEAP SUMMARY:
==62032==     in use at exit: 0 bytes in 0 blocks
==62032==   total heap usage: 9 allocs, 9 frees, 6,567 bytes allocated
==62032==
==62032== All heap blocks were freed -- no leaks are possible
==62032==
==62032== Use --track-origins=yes to see where uninitialised values come from
==62032== For lists of detected and suppressed errors, rerun with: -s
==62032== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

--
You are receiving this mail because:
You are on the CC list for the bug.
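
The stack-buffer-then-heap formatting pattern that the report says is broken, written out as an added example (not glibc's code and not part of the original message). It shows the heap block sized for header plus message, the retry written into that block, and a last-byte check that is safe at length 0; format_log_line and needs_newline are hypothetical names, and a C99 vsnprintf that returns the length it wanted is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not glibc's code: format "<tag>: <message>" into the
   caller's fixed buffer BUFS, falling back to malloc when it does not fit.
   Returns BUFS, a heap pointer the caller must free, or NULL on error.  */
char *
format_log_line (char *bufs, size_t bufs_size, size_t *len_out,
                 const char *tag, const char *fmt, ...)
{
  va_list ap, ap2;
  char *buf = NULL;

  *len_out = 0;
  va_start (ap, fmt);
  va_copy (ap2, ap);  /* The first pass consumes AP; the retry needs a copy.  */

  /* Pass 1: try the fixed buffer.  snprintf returns the length it wanted.  */
  int l = snprintf (bufs, bufs_size, "%s: ", tag);
  int fits = l >= 0 && (size_t) l < bufs_size;
  int vl = vsnprintf (fits ? bufs + l : NULL,
                      fits ? bufs_size - (size_t) l : 0, fmt, ap);

  if (l >= 0 && vl >= 0)
    {
      size_t need = (size_t) l + (size_t) vl;
      if (need < bufs_size)
        buf = bufs;
      else if ((buf = malloc (need + 1)) != NULL)
        {
          /* Pass 2: the block holds header AND message, and both are
             written into the new block, not into the fixed buffer.  */
          snprintf (buf, need + 1, "%s: ", tag);
          vsnprintf (buf + l, (size_t) vl + 1, fmt, ap2);
        }
      if (buf != NULL)
        *len_out = need;  /* Record the length on both paths.  */
    }
  va_end (ap2);
  va_end (ap);
  return buf;
}

/* Decide whether to append '\n' without ever reading buf[len - 1] at len 0.  */
int
needs_newline (const char *buf, size_t len)
{
  return len == 0 || buf[len - 1] != '\n';
}
```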

Thread overview: 14+ messages
2022-08-29 12:26 adhemerval.zanella at linaro dot org [this message]
2022-08-29 13:16 ` [Bug libc/29536] " carlos at redhat dot com
2022-08-29 16:51 ` siddhesh at sourceware dot org
2022-08-29 19:36 ` siddhesh at sourceware dot org
2022-08-30 12:02 ` adhemerval.zanella at linaro dot org
2022-08-31 11:13 ` [Bug libc/29536] syslog fail to create large messages (CVE-2022-39046) siddhesh at sourceware dot org
2022-08-31 13:19 ` adhemerval.zanella at linaro dot org
2022-09-06 13:27 ` fweimer at redhat dot com
2022-09-06 14:52 ` sjon at hortensius dot net
2022-09-06 14:58 ` siddhesh at sourceware dot org
2022-09-08 17:59 ` brunni at netestate dot de
2022-09-08 18:51 ` siddhesh at sourceware dot org
2022-09-08 18:53 ` brunni at netestate dot de
2022-09-08 18:59 ` siddhesh at sourceware dot org