From: Aleksander Morgado
Date: Fri, 26 Aug 2022 22:12:58 +0200
Subject: glibc 2.36: syslog() with LOG_PERROR and a message > 1024 ends up reading invalid memory
To: libc-alpha@sourceware.org

Hey all,

I'm debugging memory issues in ModemManager running it under valgrind and I believe I've hit a bug in the syslog() implementation in glibc 2.36 when using LOG_PERROR.

The call triggering the invalid error is the __dprintf() call in line 230:
https://elixir.bootlin.com/glibc/glibc-2.36/source/misc/syslog.c#L230

  /* Output to stderr if requested. */
  if (LogStat & LOG_PERROR)
    __dprintf (STDERR_FILENO, "%s%s", buf + msgoff,
               "\n" + (buf[bufsize - 1] == '\n'));

If I'm reading the code right, I believe that bufsize is only set to a value != 0 if the logic ends up using the static "bufs" buffer. If the logic needs to allocate memory for a longer buffer, bufsize is never initialized, so the __dprintf call above tries to access buf[-1].

Valgrind reports the problem as:

  valgrind ./test-syslog-valgrind-error
  ==20815== Memcheck, a memory error detector
  ==20815== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
  ==20815== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
  ==20815== Command: ./test-syslog-valgrind-error
  ==20815==
  ==20815== Invalid read of size 1
  ==20815==    at 0x4985E58: __vsyslog_internal (syslog.c:230)
  ==20815==    by 0x4986299: syslog (syslog.c:90)
  ==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
  ==20815==  Address 0x4a71baf is 1 bytes before a block of size 29 alloc'd
  ==20815==    at 0x4841888: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==20815==    by 0x4985DCC: __vsyslog_internal (syslog.c:206)
  ==20815==    by 0x4986299: syslog (syslog.c:90)
  ==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
  ==20815==
  ==20815== Conditional jump or move depends on uninitialised value(s)
  ==20815==    at 0x4847D09: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==20815==    by 0x48E15C7: __vfprintf_internal (vfprintf-process-arg.c:397)
  ==20815==    by 0x49016F9: __vdprintf_internal (iovdprintf.c:54)
  ==20815==    by 0x48D4D89: dprintf (dprintf.c:30)
  ==20815==    by 0x4985E82: __vsyslog_internal (syslog.c:230)
  ==20815==    by 0x4986299: syslog (syslog.c:90)
  ==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
  ==20815==

Attached is a simple tester.
Cheers
-- 
Aleksander

[Attachment: test-syslog-valgrind-error.c]
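An added stand-alone reproducer (my own code, not the tester attached to the mail): it logs a 1500-byte message with LOG_PERROR, which is long enough to push glibc 2.36 off its 1024-byte static buffer onto the malloc path, captures what syslog() writes to stderr through a pipe, and checks that the whole message arrived followed by exactly one newline. The ident string "perror-test" and MSG_LEN are my choices; the 1/0 verdict describes the libc the binary is linked against, and running it under valgrind on glibc 2.36 shows the buf[-1] read the report describes.

```c
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define MSG_LEN 1500   /* > 1024, so glibc 2.36 leaves its static "bufs" */

/* Constructed input: MSG_LEN printable bytes, no trailing newline. */
static size_t build_long_message(char *out, size_t cap)
{
    size_t n = MSG_LEN < cap - 1 ? MSG_LEN : cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)('A' + i % 26);
    out[n] = '\0';
    return n;
}

/* Point stderr at a pipe, log the long message with LOG_PERROR, then read
   back what syslog() wrote.  Returns 1 if stderr received the complete
   message followed by exactly one '\n', 0 if it was truncated or badly
   terminated, -1 on pipe setup failure. */
static int check_perror_output(void)
{
    static char msg[MSG_LEN + 1], out[MSG_LEN + 256];
    int fds[2], saved;
    size_t len = build_long_message(msg, sizeof msg), total = 0;
    ssize_t r;

    if (pipe(fds) != 0 || (saved = dup(STDERR_FILENO)) < 0 ||
        dup2(fds[1], STDERR_FILENO) < 0)
        return -1;
    close(fds[1]);                      /* fd 2 is now the only write end */
    openlog("perror-test", LOG_PERROR, LOG_DAEMON);   /* ident is arbitrary */
    syslog(LOG_DEBUG, "%s", msg);
    closelog();
    dup2(saved, STDERR_FILENO);         /* drops the last write end -> EOF */
    close(saved);
    while ((r = read(fds[0], out + total, sizeof out - 1 - total)) > 0)
        total += (size_t)r;
    close(fds[0]);
    out[total] = '\0';

    const char *p = strstr(out, msg);   /* expected "ident: <message>\n" */
    return p != NULL && p[len] == '\n' && p[len + 1] == '\0';
}

int main(void)
{
    return check_perror_output() == 1 ? 0 : 1;   /* exit 1 = bad libc output */
}
```

Build with `gcc -g -O0 reproducer.c -o reproducer` and run `valgrind ./reproducer`; a libc that truncates or mis-terminates long LOG_PERROR output makes the program exit 1 even without valgrind.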