This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/25442] New: openlog() keep reference to ident that caller may have freed
- From: "nicolas dot cavallari at green-communications dot fr" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 22 Jan 2020 15:16:32 +0000
- Subject: [Bug libc/25442] New: openlog() keep reference to ident that caller may have freed
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=25442
Bug ID: 25442
Summary: openlog() keep reference to ident that caller may have freed
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: nicolas.cavallari@green-communications.fr
CC: drepper.fsp at gmail dot com
Target Milestone: ---

When calling

    openlog(ident, 0, 0)

glibc, instead of copying ident to a safe place, saves only the pointer.
If the memory pointed to by the pointer is freed, the behavior of the program is
undefined when the syslog() function attempts to use it.

The expected output of the program below is "save the planet" "save the string"
being written in syslog. The actual result is "hack the planet" and a
use-after-free.

    #include <syslog.h>
    #include <string.h>
    #include <stdlib.h>

    int main() {
        char* buf = malloc(12);
        strcpy(buf, "save");
        openlog(buf, 0, LOG_USER);       /* only the pointer is saved */
        strcpy(buf, "hack");             /* changes the ident used by syslog() */
        syslog(LOG_CRIT, "the planet");
        free(buf);
        syslog(LOG_CRIT, "the string");  /* reads the freed ident */
        closelog();
        return 0;
    }
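
A caller-side way to avoid the lifetime problem described in the report, as an added example that is not part of the original bug report or of glibc: the hypothetical wrapper openlog_copy() gives openlog() a private copy of ident, so the caller's buffer can be changed or freed afterwards. It assumes, as the report states, that the library keeps only the pointer, and that a non-NULL ident replaces the previously saved pointer.

```c
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Copy of the ident that the C library currently points at. */
static char *owned_ident;

/*
 * openlog_copy() is a hypothetical wrapper, not a libc function.
 * It hands openlog() a private heap copy of ident so the caller may
 * modify or free its own buffer afterwards. Returns the stable copy,
 * or NULL (log state unchanged) if ident is NULL or allocation fails.
 * Not thread-safe: serialize calls if several threads reopen the log.
 */
const char *openlog_copy(const char *ident, int option, int facility)
{
    if (ident == NULL)
        return NULL;   /* a NULL ident may leave the old pointer in use */

    size_t len = strlen(ident) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return NULL;
    memcpy(copy, ident, len);

    /* Install the new pointer first; only then is the old copy unreferenced. */
    openlog(copy, option, facility);
    free(owned_ident);
    owned_ident = copy;
    return owned_ident;
}

/* The report's reproducer, using the wrapper (logs "save" both times). */
int main(void)
{
    char *buf = malloc(12);
    if (buf == NULL)
        return 1;
    strcpy(buf, "save");
    if (openlog_copy(buf, 0, LOG_USER) == NULL)
        return 1;
    strcpy(buf, "hack");
    syslog(LOG_CRIT, "the planet");
    free(buf);
    syslog(LOG_CRIT, "the string");
    closelog();
    return 0;
}
```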