Summary: | syslog fail to create large messages (CVE-2022-39046) | ||
---|---|---|---|
Product: | glibc | Reporter: | Adhemerval Zanella <adhemerval.zanella> |
Component: | libc | Assignee: | Adhemerval Zanella <adhemerval.zanella> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | brunni, carlos, drepper.fsp, fweimer, siddhesh, sjon |
Priority: | P2 | Flags: | siddhesh:
security+
|
Version: | 2.36 | ||
Target Milestone: | 2.37 | ||
Host: | Target: | ||
Build: | Last reconfirmed: |
Description
Adhemerval Zanella
2022-08-29 12:26:46 UTC
Posted to the public list: https://sourceware.org/pipermail/libc-alpha/2022-August/141707.html Doesn't seem too serious, but depending on the context of the call, the overread could be triggered remotely. OK, some more analysis on what's going on: There are two invalid reads here: __dprintf (STDERR_FILENO, "%s%s", buf + msgoff, "\n" + (buf[bufsize - 1] == '\n')); one that's a byte under the malloc'd block, through buf[bufsize - 1]. The other is a read of uninitialized memory through buf + msgoff, which will end up revealing contents of buf if it has been reused. At best it will reveal a free list pointer, which we mangle, so that's less of a problem. At worst it could be a block of interest for the attacker. The byte under the malloc'd block is less interesting because it is merely used to decide whether or not to print the '\n'. So I'm going to leave the security+ in place and file a CVE request. The fix should get backported to 2.36, where the flaw was introduced. Fixed on 2.37. Commit: commit 52a5be0df411ef3ff45c10c7c308cb92993d15b1 Author: Adhemerval Zanella <adhemerval.zanella@linaro.org> Date: Sun Aug 28 16:52:53 2022 -0300 syslog: Fix large messages (BZ#29536) The a583b6add407c17cd change did not handle large messages that would require a heap allocation correctly, where the message itself is not take in consideration. This patch fixes it and extend the tst-syslog to check for large messages as well. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> it seems glibc 2.36 is completely unable to syslog messages longer than 1024 chars which is very likely related to this issue. This seems like a pretty major bug and possible reason to release a glibc update quicker then in 6 months Please file a bug with your distribution. The fix has been backported to the release branch. We typically don't do upstream point releases from release branches. For example, the Fedora backport is being tracked here and will eventually be fixed: https://bugzilla.redhat.com/show_bug.cgi?id=2123395 I don't use a distribution. If it has been backported, where can I find the patch? (In reply to Michael Brunnbauer from comment #8) > I don't use a distribution. If it has been backported, where can I find the > patch? The patch is on the master and release/2.36/master branches in glibc git. Yes, but to quote a more canonical (hah!) source: https://sourceware.org/git/?p=glibc.git;a=commit;h=b0e7888d1fa2dbd2d9e1645ec8c796abf78880b9 Note that the fix introduces a regression #29544 which was fixed too: https://sourceware.org/git/?p=glibc.git;a=commit;h=645d94808aaa90fb1b20a25ff70bb50d9eb1d55b |