Description:
syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, message queues, databases (SQL and NoSQL alike) and more.
A crafted configuration file crashes the process with a NULL pointer dereference in report_syntax_error() (lib/cfg-parser.c:250), reached from pragma_parse() while the parser is trying to report a syntax error in the file. The faulting address is 0x8, i.e. a field read through a NULL struct pointer, not a wild or attacker-controlled pointer. Because the trigger is the configuration file itself, the impact is a denial of service at configuration load (the daemon dies on startup, and `syslog-ng -s` dies on the syntax check) for anyone who can supply a config file to the daemon.
The complete ASan output:
syslog-ng -s -f $file

ASAN:SIGSEGV
=================================================================
==8120==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7efcda07e49d bp 0x7ffd06c89ef0 sp 0x7ffd06c89980 T0)
    #0 0x7efcda07e49c in report_syntax_error /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250:3
    #1 0x7efcda1adc91 in pragma_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/pragma-grammar.c:3003:9
    #2 0x7efcda0759ba in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #3 0x7efcda0759ba in cfg_lexer_lex /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-lexer.c:822
    #4 0x7efcda19b2a7 in main_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-grammar.c:3070:16
    #5 0x7efcda06ac8b in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #6 0x7efcda06ac8b in cfg_run_parser /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:420
    #7 0x7efcda06b920 in cfg_read_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:492:13
    #8 0x7efcda101975 in main_loop_read_and_init_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/mainloop.c:450:8
    #9 0x4b8eba in main /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/syslog-ng/main.c:258:8
    #10 0x7efcd8feeaa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #11 0x4b7cdc in _start (/usr/sbin/syslog-ng+0x4b7cdc)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250 report_syntax_error
==8120==ABORTING
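Triaging a report like the one above, as an added example that is not part of this post, of syslog-ng or of AFL: the script below parses the ASan report (copied from this post and re-wrapped one frame per line), extracts the error kind, the faulting address and the first frame that carries source information, and builds the kind of deduplication bucket used to sort an AFL crash directory by root cause. The `/work/syslog-ng-3.7.3/` build-root marker and the 4096-byte first-page threshold used to tell a NULL-plus-offset dereference from a wild pointer are assumptions made for this example.

```python
"""Bucket an AddressSanitizer SEGV report by error kind, address class and
first source frame. Illustration added to this post; not syslog-ng code."""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass
from typing import Optional

# The ASan report from the post, one frame per line.
ASAN_REPORT = """\
ASAN:SIGSEGV
=================================================================
==8120==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7efcda07e49d bp 0x7ffd06c89ef0 sp 0x7ffd06c89980 T0)
    #0 0x7efcda07e49c in report_syntax_error /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250:3
    #1 0x7efcda1adc91 in pragma_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/pragma-grammar.c:3003:9
    #2 0x7efcda0759ba in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #3 0x7efcda0759ba in cfg_lexer_lex /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-lexer.c:822
    #4 0x7efcda19b2a7 in main_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-grammar.c:3070:16
    #5 0x7efcda06ac8b in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #6 0x7efcda06ac8b in cfg_run_parser /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:420
    #7 0x7efcda06b920 in cfg_read_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:492:13
    #8 0x7efcda101975 in main_loop_read_and_init_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/mainloop.c:450:8
    #9 0x4b8eba in main /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/syslog-ng/main.c:258:8
    #10 0x7efcd8feeaa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #11 0x4b7cdc in _start (/usr/sbin/syslog-ng+0x4b7cdc)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250 report_syntax_error
==8120==ABORTING
"""

# "SEGV on unknown address" for faults; other ASan kinds say "on address".
ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-fA-F]+)"
)
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
SRCLOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")  # file:line[:col]


@dataclass
class Frame:
    index: int
    func: str
    file: str            # source path, or "(module+offset)" when there is no debug info
    line: Optional[int]  # None for frames without a source location


def parse_frames(report: str) -> list[Frame]:
    frames = []
    for m in FRAME_RE.finditer(report):
        loc = m.group("loc")
        src = SRCLOC_RE.match(loc)
        if src:
            frames.append(Frame(int(m.group("idx")), m.group("func"), src.group("file"), int(src.group("line"))))
        else:
            frames.append(Frame(int(m.group("idx")), m.group("func"), loc, None))
    return frames


def parse_error(report: str) -> tuple[str, int]:
    m = ERROR_RE.search(report)
    if not m:
        raise ValueError("no AddressSanitizer ERROR line found")
    return m.group("kind"), int(m.group("addr"), 16)


def classify_address(addr: int, page: int = 4096) -> str:
    """A fault inside the first page (assumed 4096 bytes) is a NULL pointer plus a
    small field offset; 0x8 here is a field read through a NULL struct pointer."""
    return "null-deref" if addr < page else "wild-address"


def relative_path(path: str, root_marker: str) -> str:
    """Drop the build-directory prefix so buckets survive rebuilds in other paths."""
    i = path.rfind(root_marker)
    rel = path[i + len(root_marker):] if i >= 0 else path
    return posixpath.normpath(rel)


def first_source_frame(frames: list[Frame]) -> Optional[Frame]:
    return next((f for f in frames if f.line is not None), None)


def caller_of(frames: list[Frame], func: str) -> Optional[str]:
    """Name of the function that called `func`; tells which parser path was taken."""
    for i, f in enumerate(frames):
        if f.func == func and i + 1 < len(frames):
            return frames[i + 1].func
    return None


def crash_bucket(report: str, root_marker: str = "/work/syslog-ng-3.7.3/") -> str:
    kind, addr = parse_error(report)
    top = first_source_frame(parse_frames(report))
    if top is None:
        return f"{kind}:{classify_address(addr)}:<no-symbols>"
    return f"{kind}:{classify_address(addr)}:{top.func}:{relative_path(top.file, root_marker)}:{top.line}"


if __name__ == "__main__":
    frames = parse_frames(ASAN_REPORT)
    print(crash_bucket(ASAN_REPORT))
    print("reached via", caller_of(frames, "report_syntax_error"))
```

For the report above this yields the bucket `SEGV:null-deref:report_syntax_error:lib/cfg-parser.c:250` and the caller `pragma_parse`, which is what separates this crash from other parser crashes in the same AFL run. The address class matters for prioritisation: a fault below the first page is a NULL dereference and, on its own, a crash rather than memory corruption, while a large faulting address would deserve a closer look for pointer control.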
Affected version:
3.7.3
Fixed version:
N/A
Commit fix:
https://github.com/balabit/syslog-ng/pull/1067/commits/a460630d310014fde914d86f6024674653557ec1
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-05-17: bug discovered
2016-05-17: bug reported to upstream
2016-05-27: upstream released a fix
2016-08-02: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
syslog-ng: NULL pointer dereference in report_syntax_error (cfg-parser.c)