Null pointer dereference when parsing malformed config

[asarubbo]

When syslog-ng tries to parse malformed config there is a null pointer dereference.

To see the issue, the issue need to be compiled with address sanitize.

Reproducer:

ASAN_OPTIONS=detect_odr_violation=0 syslog-ng -s -f $file
ASAN:SIGSEGV
=================================================================
==8120==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7efcda07e49d bp 0x7ffd06c89ef0 sp 0x7ffd06c89980 T0)
    #0 0x7efcda07e49c in report_syntax_error /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250:3
    #1 0x7efcda1adc91 in pragma_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/pragma-grammar.c:3003:9
    #2 0x7efcda0759ba in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #3 0x7efcda0759ba in cfg_lexer_lex /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-lexer.c:822
    #4 0x7efcda19b2a7 in main_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-grammar.c:3070:16
    #5 0x7efcda06ac8b in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #6 0x7efcda06ac8b in cfg_run_parser /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:420
    #7 0x7efcda06b920 in cfg_read_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:492:13
    #8 0x7efcda101975 in main_loop_read_and_init_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/mainloop.c:450:8
    #9 0x4b8eba in main /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/syslog-ng/main.c:258:8
    #10 0x7efcd8feeaa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #11 0x4b7cdc in _start (/usr/sbin/syslog-ng+0x4b7cdc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250 report_syntax_error
==8120==ABORTING

Is not common to download config file over the network, so it is on your judge if it is considered a security bug and needs to have a CVE assigned.

syslog.conf.txt

[bazsi]

Thanks a lot for the detailed report. I don't think it warrants a cve but
still would be better fixed.
On May 17, 2016 5:59 PM, "Agostino Sarubbo" notifications@github.com
wrote:

When syslog-ng tries to parse malformed config there is a null pointer
dereference.

To see the issue, the issue need to be compiled with address sanitize.

Reproducer:

ASAN_OPTIONS=detect_odr_violation=0 syslog-ng -s -f $file

ASAN:SIGSEGV

==8120==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7efcda07e49d bp 0x7ffd06c89ef0 sp 0x7ffd06c89980 T0)
#0 0x7efcda07e49c in report_syntax_error /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250:3
#1 0x7efcda1adc91 in pragma_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/pragma-grammar.c:3003:9
#2 0x7efcda0759ba in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
#3 0x7efcda0759ba in cfg_lexer_lex /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-lexer.c:822
#4 0x7efcda19b2a7 in main_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-grammar.c:3070:16
#5 0x7efcda06ac8b in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
#6 0x7efcda06ac8b in cfg_run_parser /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:420
#7 0x7efcda06b920 in cfg_read_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:492:13
#8 0x7efcda101975 in main_loop_read_and_init_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/mainloop.c:450:8
#9 0x4b8eba in main /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/syslog-ng/main.c:258:8
#10 0x7efcd8feeaa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
#11 0x4b7cdc in _start (/usr/sbin/syslog-ng+0x4b7cdc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250 report_syntax_error
==8120==ABORTING

Is not common to download config file over the network,
syslog.conf.txt
https://github.com/balabit/syslog-ng/files/268625/syslog.conf.txt

so it is on your judge if it is considered a security bug and needs to
have a CVE assigned.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
#1055

[ihrwein]

Close to minimal configuration file:

syslog-ng.conf.txt

It's interesting that the segfault doesn't occur if the faulty line isn't the last in the file (even a newline character workarounds this issue).

[bazsi]

the problem seems to lie in the special $end token that is automatically generated by the grammar. This token does not have location information, so our error reporting function crashes.

Let me see if there's an easy solution...

[bazsi]

The referenced branch should fix this issue.