glibc 2.36: syslog() with LOG_PERROR and a message > 1024 ends up reading invalid memory

Aleksander Morgado aleksandermj@chromium.org
Fri Aug 26 20:12:58 GMT 2022


Hey all,

I'm debugging memory issues in ModemManager running it under valgrind
and I believe I've hit a bug in the syslog() implementation in glibc
2.36 when using LOG_PERROR.

The call triggering the invalid error is the __dprintf() call in line 230:
https://elixir.bootlin.com/glibc/glibc-2.36/source/misc/syslog.c#L230

  /* Output to stderr if requested. */
  if (LogStat & LOG_PERROR)
    __dprintf (STDERR_FILENO, "%s%s", buf + msgoff,
      "\n" + (buf[bufsize - 1] == '\n'));

If I'm reading the code right, I believe that bufsize is only set to a
value != 0 if the logic ends up using the static "bufs" buffer. If the
logic needs to allocate memory for a longer buffer, bufsize is never
initialized, so the __dprintf call above tries to access buf[-1].

Valgrind reports the problem as:

 valgrind ./test-syslog-valgrind-error
==20815== Memcheck, a memory error detector
==20815== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==20815== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==20815== Command: ./test-syslog-valgrind-error
==20815==
==20815== Invalid read of size 1
==20815==    at 0x4985E58: __vsyslog_internal (syslog.c:230)
==20815==    by 0x4986299: syslog (syslog.c:90)
==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
==20815==  Address 0x4a71baf is 1 bytes before a block of size 29 alloc'd
==20815==    at 0x4841888: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20815==    by 0x4985DCC: __vsyslog_internal (syslog.c:206)
==20815==    by 0x4986299: syslog (syslog.c:90)
==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
==20815==
==20815== Conditional jump or move depends on uninitialised value(s)
==20815==    at 0x4847D09: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20815==    by 0x48E15C7: __vfprintf_internal (vfprintf-process-arg.c:397)
==20815==    by 0x49016F9: __vdprintf_internal (iovdprintf.c:54)
==20815==    by 0x48D4D89: dprintf (dprintf.c:30)
==20815==    by 0x4985E82: __vsyslog_internal (syslog.c:230)
==20815==    by 0x4986299: syslog (syslog.c:90)
==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
==20815==

Attached is a simple tester.

Cheers

-- 
Aleksander
Attachment: test-syslog-valgrind-error.c (text/x-csrc, 2921 bytes)
URL: <https://sourceware.org/pipermail/libc-alpha/attachments/20220826/c205ef0d/attachment.bin>
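A stand-alone model of the two-path buffer handling described in the report, added here as an illustration and not taken from the e-mail, its attachment or glibc: the formatted line goes to a fixed-size stack buffer when it fits and to a heap buffer otherwise, and the length is recorded on both paths so the trailing-newline test can never index before the buffer. Function names, the "prog[123]: " header and the 1999-byte input are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format header+msg into static_buf when it fits, else into a malloc'd
 * buffer.  *bufsize is set on BOTH paths; the reported code set it only on
 * the static path, so on the heap path buf[bufsize - 1] became buf[-1]. */
static char *format_line(const char *header, const char *msg,
                         char *static_buf, size_t static_len, size_t *bufsize)
{
    int n = snprintf(static_buf, static_len, "%s%s", header, msg);
    if (n < 0) return NULL;
    if ((size_t)n < static_len) { *bufsize = (size_t)n; return static_buf; }
    char *heap = malloc((size_t)n + 1);
    if (heap == NULL) return NULL;
    snprintf(heap, (size_t)n + 1, "%s%s", header, msg);
    *bufsize = (size_t)n;              /* the assignment the heap path lacked */
    return heap;
}

/* LOG_PERROR decision: 1 = append '\n', 0 = line already ends in one.
 * Never indexes buf when bufsize == 0, so an empty line is safe too. */
static int needs_newline(const char *buf, size_t bufsize)
{
    return !(bufsize > 0 && buf[bufsize - 1] == '\n');
}

/* Run both paths for one message: returns needs_newline() (or -1 on OOM)
 * and reports whether the heap path was taken and the recorded length. */
int perror_newline_for(const char *msg, int *used_heap, size_t *len_out)
{
    char bufs[1024];                   /* same size as glibc's static bufs */
    size_t bufsize = 0;
    char *buf = format_line("prog[123]: ", msg, bufs, sizeof bufs, &bufsize);
    if (buf == NULL) return -1;
    int r = needs_newline(buf, bufsize);
    *used_heap = (buf != bufs); *len_out = bufsize;
    if (buf != bufs) free(buf);
    return r;
}

/* Constructed input: 1999 bytes ('A's, final byte = last), i.e. well past
 * the 1024-byte static buffer, like the report's > 1024 message. */
const char *make_long_msg(char last)
{
    static char big[2000]; memset(big, 'A', 1998);
    big[1998] = last; big[1999] = '\0';
    return big;
}
```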