syslog-ng: NULL pointer dereference in report_syntax_error (cfg-parser.c)

Description:
syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, message queues, databases (SQL and NoSQL alike) and more.

A crafted configuration file crashes the process through a NULL pointer dereference in report_syntax_error while the configuration is being parsed.

The complete ASan output:

syslog-ng -s -f $file
ASAN:SIGSEGV
=================================================================
==8120==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7efcda07e49d bp 0x7ffd06c89ef0 sp 0x7ffd06c89980 T0)
    #0 0x7efcda07e49c in report_syntax_error /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250:3
    #1 0x7efcda1adc91 in pragma_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/pragma-grammar.c:3003:9
    #2 0x7efcda0759ba in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #3 0x7efcda0759ba in cfg_lexer_lex /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-lexer.c:822
    #4 0x7efcda19b2a7 in main_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-grammar.c:3070:16
    #5 0x7efcda06ac8b in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #6 0x7efcda06ac8b in cfg_run_parser /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:420
    #7 0x7efcda06b920 in cfg_read_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:492:13
    #8 0x7efcda101975 in main_loop_read_and_init_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/mainloop.c:450:8
    #9 0x4b8eba in main /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/syslog-ng/main.c:258:8
    #10 0x7efcd8feeaa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #11 0x4b7cdc in _start (/usr/sbin/syslog-ng+0x4b7cdc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250 report_syntax_error
==8120==ABORTING
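
Added example (not part of the original advisory and not syslog-ng code): a small Python triage helper that parses the ASan header and frames shown above and shows why a fault at address 0x8 is classified as a NULL pointer dereference. The function name `triage`, the 4096-byte threshold and the class labels are assumptions of this example; the sample lines are copied from the report above.

```python
import re

# Constructed sample: header and selected frames copied from the ASan report above.
SAMPLE = """\
==8120==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7efcda07e49d bp 0x7ffd06c89ef0 sp 0x7ffd06c89980 T0)
    #0 0x7efcda07e49c in report_syntax_error /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250:3
    #1 0x7efcda1adc91 in pragma_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/pragma-grammar.c:3003:9
    #10 0x7efcd8feeaa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
"""

HEADER = re.compile(r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-fA-F]+)")
# Symbolised frame: "#N 0xPC in func path:line[:col]"; module-only frames are skipped.
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$")
PAGE_SIZE = 4096  # assumption: a fault inside the first page is treated as NULL + offset


def triage(report):
    """Summarise an ASan SEGV report: fault class, crash site, dedup key."""
    header = HEADER.search(report)
    if header is None:
        raise ValueError("no ASan SEGV header found")
    addr = int(header.group(2), 16)
    frames = []
    for line in report.splitlines():
        m = FRAME.match(line)
        if m:
            func, path, lineno = m.group(2), m.group(3), int(m.group(4))
            frames.append((int(m.group(1)), func, path.rsplit("/", 1)[-1], lineno))
    if not frames:
        raise ValueError("no symbolised frames found")
    frames.sort()
    _, func, src, lineno = frames[0]
    near_null = addr < PAGE_SIZE
    return {
        "signal": header.group(1),
        "fault_address": addr,
        "class": "null-deref" if near_null else "wild-access",
        # For a near-NULL fault the address is typically the offset from a NULL base pointer.
        "offset_from_null": addr if near_null else None,
        "crash_site": f"{func} ({src}:{lineno})",
        # The top symbolised frames give a stable key for grouping duplicate fuzzer crashes.
        "dedup_key": ">".join(f[1] for f in frames[:3]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```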

Affected version:
3.7.3

Fixed version:
N/A

Commit fix:
https://github.com/balabit/syslog-ng/pull/1067/commits/a460630d310014fde914d86f6024674653557ec1

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-05-17: bug discovered
2016-05-17: bug reported to upstream
2016-05-27: upstream released a fix
2016-08-02: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
