glibc 2.36: syslog() with LOG_PERROR and a message > 1024 ends up reading invalid memory

Adhemerval Zanella Netto adhemerval.zanella@linaro.org
Fri Aug 26 21:49:05 GMT 2022



On 26/08/22 17:12, Aleksander Morgado via Libc-alpha wrote:
> Hey all,
> 
> I'm debugging memory issues in ModemManager running it under valgrind
> and I believe I've hit a bug in the syslog() implementation in glibc
> 2.36 when using LOG_PERROR.
> 
> The call triggering the invalid error is the __dprintf() call in line 230:
> https://elixir.bootlin.com/glibc/glibc-2.36/source/misc/syslog.c#L230
> 
>   /* Output to stderr if requested. */
>   if (LogStat & LOG_PERROR)
>     __dprintf (STDERR_FILENO, "%s%s", buf + msgoff,
>       "\n" + (buf[bufsize - 1] == '\n'));
> 
> If I'm reading the code right, I believe that bufsize is only set to a
> value != 0 if the logic ends up using the static "bufs" buffer. If the
> logic needs to allocate memory for a longer buffer, bufsize is never
> initialized, so the __dprintf call above tries to access buf[-1].
> 
> Valgrind reports the problem as:
> 
>  valgrind ./test-syslog-valgrind-error
> ==20815== Memcheck, a memory error detector
> ==20815== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
> ==20815== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
> ==20815== Command: ./test-syslog-valgrind-error
> ==20815==
> ==20815== Invalid read of size 1
> ==20815==    at 0x4985E58: __vsyslog_internal (syslog.c:230)
> ==20815==    by 0x4986299: syslog (syslog.c:90)
> ==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
> ==20815==  Address 0x4a71baf is 1 bytes before a block of size 29 alloc'd
> ==20815==    at 0x4841888: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==20815==    by 0x4985DCC: __vsyslog_internal (syslog.c:206)
> ==20815==    by 0x4986299: syslog (syslog.c:90)
> ==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
> ==20815==
> ==20815== Conditional jump or move depends on uninitialised value(s)
> ==20815==    at 0x4847D09: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==20815==    by 0x48E15C7: __vfprintf_internal (vfprintf-process-arg.c:397)
> ==20815==    by 0x49016F9: __vdprintf_internal (iovdprintf.c:54)
> ==20815==    by 0x48D4D89: dprintf (dprintf.c:30)
> ==20815==    by 0x4985E82: __vsyslog_internal (syslog.c:230)
> ==20815==    by 0x4986299: syslog (syslog.c:90)
> ==20815==    by 0x1091AB: main (in /home/aleksander/test-syslog-valgrind-error)
> ==20815==
> 
> Attached is a simple tester.
> 
> Cheers
> 

Thanks, in fact this is not the only issue: the message is not logged for large buffers.
I will take care of it, I should have added tests for large buffers on tst-syslog as well.
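
A simplified model of the buffer handling described in the report, added here as an example; it is not glibc's source, the attached tester, or either poster's code. The function names, the `track_heap_len` switch and the 1024-byte fixed buffer are assumptions, and the code only computes the index used for the newline check instead of performing the out-of-bounds read.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATIC_BUF 1024   /* assumed fixed-buffer size, from "> 1024" in the subject */

/* Simplified model, not glibc source: format msg into a fixed buffer, fall back
   to malloc when it does not fit, and return the index the stderr path would
   test for a trailing newline (bufsize - 1). track_heap_len == 0 models the
   reported behaviour, 1 a corrected version. Returns -2 on failure. */
long newline_check_index(const char *msg, int track_heap_len)
{
    static char bufs[STATIC_BUF];
    char *buf = bufs;
    size_t bufsize = 0;
    int l = snprintf(bufs, sizeof bufs, "%s", msg);
    if (l < 0) return -2;
    if ((size_t)l < sizeof bufs) {
        bufsize = (size_t)l;          /* only the static path records a length */
    } else {
        buf = malloc((size_t)l + 1);
        if (buf == NULL) return -2;
        snprintf(buf, (size_t)l + 1, "%s", msg);
        if (track_heap_len)
            bufsize = (size_t)l;      /* the assignment the heap path lacks */
    }
    long idx = (long)bufsize - 1;     /* -1 would mean reading buf[-1] */
    if (buf != bufs) free(buf);
    return idx;
}

/* Constructed input: n bytes ('A' filler, final '\n'), n >= 1. */
long index_for_length(size_t n, int track_heap_len)
{
    char *msg = malloc(n + 1);
    if (msg == NULL) return -2;
    memset(msg, 'A', n);
    msg[n - 1] = '\n';
    msg[n] = '\0';
    long idx = newline_check_index(msg, track_heap_len);
    free(msg);
    return idx;
}

int main(void)
{
    printf("short: %ld  long (reported): %ld  long (corrected): %ld\n",
           index_for_length(100, 0), index_for_length(2000, 0), index_for_length(2000, 1));
    return 0;
}
```

An index of -1 on the heap path corresponds to the "1 bytes before a block" address in the valgrind report above.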

