Description:
logrotate allows for the automatic rotation, compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file grows to a certain size.
A crafted config file causes an out-of-bounds heap read in readConfigFile (config.c). As the ASan report below shows, it is a 1-byte READ located one byte before the start of a 1-byte region allocated by strndup, i.e. the parser indexes just to the left of a string it copied out of the config file.
The complete ASan output:
logrotate -d $crafted_file
=================================================================
==809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000df8f at pc 0x00000050b244 bp 0x7ffd4cab50f0 sp 0x7ffd4cab50e8
READ of size 1 at 0x60200000df8f thread T0
#0 0x50b243 in readConfigFile /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:969:11
#1 0x4fa61b in readConfigPath /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:578:6
#2 0x4f99a7 in readAllConfigPaths /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:645:6
#3 0x4f193e in main /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/logrotate.c:2554:6
#4 0x7f37cad0662f in __libc_start_main (/lib64/libc.so.6+0x2062f)
#5 0x436988 in _start (/usr/sbin/logrotate+0x436988)
0x60200000df8f is located 1 bytes to the left of 1-byte region [0x60200000df90,0x60200000df91)
allocated by thread T0 here:
#0 0x4bd952 in __interceptor_malloc (/usr/sbin/logrotate+0x4bd952)
#1 0x7f37cad67359 in strndup (/lib64/libc.so.6+0x81359)
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:969 readConfigFile
Shadow bytes around the buggy address:
0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9bf0: fa[fa]01 fa fa fa 00 fa fa fa fd fd fa fa fd fa
0x0c047fff9c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9c10: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fff9c20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9c30: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff9c40: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==809==ABORTING
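What the report's numbers mean in code, as an added example that is not the logrotate source: the page does not show config.c:969, so the directive parsing and the trimming loop below are an assumption about the bug class the trace implies, not the actual code or the upstream fix. A 1-byte region from strndup is what you get for an empty string, and a READ one byte to its left is the classic s[strlen(s) - 1] on that empty string. The unchecked and checked forms are shown side by side; a constructed in-array "redzone" lets the unchecked one run without ASan while keeping every access inside one object.

```c
#define _POSIX_C_SOURCE 200809L   /* strndup() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the report: strndup() returned a 1-byte region
 * holding "", and the byte immediately to its left is ASan's redzone. Here
 * the region sits at offset 2 of a small array, so the underflow stays
 * inside the array. Layout and byte values are assumptions for the demo. */
enum { ARENA_LEN = 3, REGION_OFF = 2 };

static void make_arena(char arena[ARENA_LEN])
{
    arena[0] = 'R';   /* non-space guard: stops the backward walk */
    arena[1] = ' ';   /* "redzone" byte, whitespace so the bug is visible */
    arena[2] = '\0';  /* the 1-byte region: an empty string */
}

/* Vulnerable pattern: address the last character as s[strlen(s) - 1]
 * with no empty-string check. For "" the pointer lands one byte before
 * the allocation, the 1-byte READ left of a 1-byte region that ASan
 * flagged. Returns the length it believes remains; a negative value
 * means it walked below the start of the string. */
static long trim_trailing_unchecked(char *s)
{
    char *p = s + strlen(s) - 1;          /* s - 1 when s is empty */
    while (isspace((unsigned char)*p))
        *p-- = '\0';                      /* the read becomes an underwrite */
    return (long)(p + 1 - s);
}

/* Hardened form: the length check happens before any index is formed. */
static long trim_trailing_checked(char *s)
{
    size_t len = strlen(s);
    while (len > 0 && isspace((unsigned char)s[len - 1]))
        s[--len] = '\0';
    return (long)len;
}

/* Value isolation in the style the strndup() frame suggests: copy whatever
 * follows the directive name. A line with nothing after the name yields
 * strndup(p, 0), i.e. exactly the 1-byte region in the report. Caller frees. */
static char *isolate_value(const char *line)
{
    const char *p = line;
    while (*p && !isspace((unsigned char)*p))
        p++;                              /* skip the directive name */
    while (*p == ' ' || *p == '\t')
        p++;                              /* skip the separator */
    return strndup(p, strcspn(p, "\n"));
}

int main(void)
{
    char arena[ARENA_LEN];

    make_arena(arena);
    printf("unchecked: len=%ld, redzone byte now 0x%02x\n",
           trim_trailing_unchecked(arena + REGION_OFF),
           (unsigned)(unsigned char)arena[1]);

    make_arena(arena);
    printf("checked:   len=%ld, redzone byte still 0x%02x\n",
           trim_trailing_checked(arena + REGION_OFF),
           (unsigned)(unsigned char)arena[1]);

    /* A real heap allocation: "size" with no argument is strndup(p, 0). */
    char *v = isolate_value("size\n");
    printf("isolate_value(\"size\\n\") gives \"%s\", checked trim len=%ld\n",
           v, trim_trailing_checked(v));
    free(v);
    return 0;
}
```

The unchecked trimmer reports a length of -1 and has overwritten the byte in front of the region; under ASan the same walk on the real strndup allocation is the heap-buffer-overflow above. The checked version never forms an index below zero, which is the whole fix for this class of bug.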
Affected version:
3.9.2
Fixed version:
N/A
Commit fix:
https://github.com/logrotate/logrotate/commit/f53ed9c968fe92ba6e50b9b394a891350503469f
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-05-05: bug discovered
2016-05-06: bug reported to upstream (github)
2016-08-03: no upstream response
2016-08-03: blog post about the issue
2016-12-12: upstream added a patch
Note:
This bug was found with American Fuzzy Lop.
Permalink:
logrotate: heap-based buffer overflow in readConfigFile (config.c)