Description:
logrotate allows for the automatic rotation, compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file gets to a certain size.
A crafted config causes an out-of-bounds read in readConfigFile.
The complete ASan output:
logrotate -d $crafted_file
=================================================================
==809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000df8f at pc 0x00000050b244 bp 0x7ffd4cab50f0 sp 0x7ffd4cab50e8
READ of size 1 at 0x60200000df8f thread T0
    #0 0x50b243 in readConfigFile /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:969:11
    #1 0x4fa61b in readConfigPath /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:578:6
    #2 0x4f99a7 in readAllConfigPaths /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:645:6
    #3 0x4f193e in main /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/logrotate.c:2554:6
    #4 0x7f37cad0662f in __libc_start_main (/lib64/libc.so.6+0x2062f)
    #5 0x436988 in _start (/usr/sbin/logrotate+0x436988)

0x60200000df8f is located 1 bytes to the left of 1-byte region [0x60200000df90,0x60200000df91)
allocated by thread T0 here:
    #0 0x4bd952 in __interceptor_malloc (/usr/sbin/logrotate+0x4bd952)
    #1 0x7f37cad67359 in strndup (/lib64/libc.so.6+0x81359)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:969 readConfigFile
Shadow bytes around the buggy address:
  0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9bf0: fa[fa]01 fa fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c047fff9c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9c10: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff9c20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9c30: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9c40: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==809==ABORTING
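The report shows a 1-byte read landing one byte before a 1-byte region allocated by strndup, which is the heap layout of an empty string. The following is an added illustration, not logrotate's code and not part of the original post: the source at config.c:969 is not shown here, so it assumes the common pattern of indexing a token's last character with strlen() - 1, and dup_token, ends_with_unchecked, ends_with and token_ends_with are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for strndup(): copy len bytes and NUL-terminate.
 * len == 0 yields a 1-byte region holding only '\0', the allocation
 * size that appears in the ASan report. */
char *dup_token(const char *start, size_t len)
{
    char *tok = malloc(len + 1);
    if (tok == NULL)
        return NULL;
    memcpy(tok, start, len);
    tok[len] = '\0';
    return tok;
}

/* Unchecked form (assumed pattern): for an empty token strlen() is 0,
 * the index wraps, and the read lands one byte before the allocation. */
int ends_with_unchecked(const char *tok, char c)
{
    return tok[strlen(tok) - 1] == c;
}

/* Checked form: test the length before touching tok[n - 1]. */
int ends_with(const char *tok, char c)
{
    size_t n = strlen(tok);
    return n > 0 && tok[n - 1] == c;
}

/* Returns 1 if the token ends in c, 0 if not, -1 on allocation failure. */
int token_ends_with(const char *start, size_t len, char c)
{
    char *tok = dup_token(start, len);
    int r;
    if (tok == NULL)
        return -1;
    r = ends_with(tok, c);
    free(tok);
    return r;
}

int main(void)
{
    /* Constructed inputs, not taken from the crashing config file. */
    printf("\"/var/log/\" -> %d\n", token_ends_with("/var/log/", 9, '/'));
    printf("\"\" -> %d\n", token_ends_with("", 0, '/'));
    return 0;
}
```

Building the unchecked form with -fsanitize=address and passing it an empty token produces a "1 bytes to the left of 1-byte region" report of the same shape.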
Affected version:
3.9.2
Fixed version:
N/A
Commit fix:
https://github.com/logrotate/logrotate/commit/f53ed9c968fe92ba6e50b9b394a891350503469f
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-05-05: bug discovered
2016-05-06: bug reported to upstream (github)
2016-08-03: no upstream response
2016-08-03: blog post about the issue
2016-12-12: upstream added a patch
Note:
This bug was found with American Fuzzy Lop.
Permalink:
logrotate: heap-based buffer overflow in readConfigFile (config.c)