From nobody@FreeBSD.org  Sat Mar 26 18:00:53 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3AB7316A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 26 Mar 2005 18:00:53 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1CB3143D54
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 26 Mar 2005 18:00:53 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j2QI0q7H011960
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 26 Mar 2005 18:00:52 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j2QI0qWa011959;
	Sat, 26 Mar 2005 18:00:52 GMT
	(envelope-from nobody)
Message-Id: <200503261800.j2QI0qWa011959@www.freebsd.org>
Date: Sat, 26 Mar 2005 18:00:52 GMT
From: Shuichi KITAGUCHI <kit@ysnb.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: syslogd may accept illegal facility number from remote.
X-Send-Pr-Version: www-2.3

>Number:         79260
>Category:       bin
>Synopsis:       syslogd may accept illegal facility number from remote.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 26 18:10:02 GMT 2005
>Closed-Date:    Mon Apr 18 12:13:09 GMT 2005
>Last-Modified:  Mon Apr 18 12:13:09 GMT 2005
>Originator:     Shuichi KITAGUCHI
>Release:        6-CURRENT (but all releases may be affected)
>Organization:
>Environment:
FreeBSD rhea.k.ysnb.net 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Sat Mar 19 22:27:19 JST 2005     root@rhea.k.ysnb.net:/spool/sys/obj/data/sys/src/sys/RHEA  i386

>Description:
syslogd can accept a priority number larger than LOG_NFACILITIES from a remote host, but in struct filed the member arrays f_pmask and f_pcmp are limited to LOG_NFACILITIES. Therefore syslogd accesses an invalid address in logmsg() when the facility is larger than LOG_NFACILITIES.
>How-To-Repeat:
Send a syslog message whose facility is larger than LOG_NFACILITIES from a remote host.
>Fix:
I think the following patch should fix this problem.

--- syslogd.c.old	Mon Mar 21 22:19:01 2005
+++ syslogd.c	Sun Mar 27 02:44:07 2005
@@ -918,6 +918,12 @@
 		fac = LOG_FAC(pri);
 	prilev = LOG_PRI(pri);
 
+	/* check maximum facility number */
+	if (fac > LOG_NFACILITIES){
+		(void)sigsetmask(omask);
+		return;
+	}
+
 	/* extract program name */
 	for (i = 0; i < NAME_MAX; i++) {
 		if (!isprint(msg[i]) || msg[i] == ':' || msg[i] == '[' ||
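Review bot: the bound in `if (fac > LOG_NFACILITIES){` admits fac == LOG_NFACILITIES, yet the report says f_pmask[] and f_pcmp[] are "limited to LOG_NFACILITIES", which would leave that one index still past the end of both arrays; either the arrays really have LOG_NFACILITIES+1 entries (the context line `fac = LOG_FAC(pri);` sits in an else branch whose if side is not shown, so another path may legitimately produce fac == LOG_NFACILITIES) and the description should say so, or the comparison has to be `>=`. Please confirm against the struct declaration before this goes in. Two smaller points: `){` wants a space before the brace per style(9), and the silent return hides the event from the receiver; a debug print of the rejected fac before `(void)sigsetmask(omask);` would make a misbehaving sender much easier to track down.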

>Release-Note:
>Audit-Trail:

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Shuichi KITAGUCHI <kit@ysnb.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/79260: syslogd may accept illegal facility number from remote.
Date: Sat, 26 Mar 2005 21:01:29 +0100

 On 2005.03.26 18:00:52 +0000, Shuichi KITAGUCHI wrote:
 
 > syslogd can accept priority number which larger than LOG_NFACILITIES
 > from remote host. but in struct filed, member variable f_pmask array
 > and f_pcmp array is limited to LOG_NFACILITIES. therefore syslogd
 > access invalid address in logmsg() when facility is larger than
 > LOG_NFACILITIES.
 
 Have you looked at what the implications of this is, mainly can you
 crash syslogd due to this bug?
 
 -- 
 Simon L. Nielsen
 
Responsible-Changed-From-To: freebsd-bugs->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Mon Mar 28 10:29:12 GMT 2005 
Responsible-Changed-Why:  
Take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79260 

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: "Simon L. Nielsen" <simon@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Re: bin/79260: syslogd may accept illegal facility number from remote.
Date: Mon, 28 Mar 2005 14:27:01 +0400

 On Sat, Mar 26, 2005 at 08:10:05PM +0000, Simon L. Nielsen wrote:
 S>  > from remote host. but in struct filed, member variable f_pmask array
 S>  > and f_pcmp array is limited to LOG_NFACILITIES. therefore syslogd
 S>  > access invalid address in logmsg() when facility is larger than
 S>  > LOG_NFACILITIES.
 S>  
 S>  Have you looked at what the implications of this is, mainly can you
 S>  crash syslogd due to this bug?
 
 No, it is impossible to crash syslogd exploiting this bug. We have a magic
 constant 0x3f8, which is anded with facility, so fac can't overflow over 127.
 f_pmask[] and f_pcmp[] fields in struct filed are followed by a big field f_un,
 which is MAXPATHLEN bytes long. That's why we will never read memory outside of
 struct filed.
 
 However, bug is bug, so I'm going to fix it. Thanks, Shuichi!
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE
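
The PR description and the reply above together describe the path from a remote datagram's PRI field to an index into the per-rule facility arrays: the PRI survives a mask test against 0x3f8|0x7, LOG_FAC() then yields a facility of 0..127, and only 0..23 are real. The C program below is an added example, not code from FreeBSD's syslogd or from either poster; it models that path and the bounds check that closes the hole. DEFUPRI, struct rule and its match semantics are simplified stand-ins (assumptions), not the real struct filed, and parse_pri() is a reconstruction of the accept-anything-under-1024 behaviour the thread describes, not the project's parser. It deliberately rejects fac == LOG_NFACILITIES for network input, because FreeBSD's syslogd uses that extra slot for its own MARK messages and a peer should not be able to claim it; the patch in the report uses `>` instead, so the two differ on that one value.

```c
/*
 * Added example (not FreeBSD syslogd code): how a syslog datagram's
 * <PRI> field becomes a facility index, why a peer can push that index
 * past LOG_NFACILITIES, and the bounds check that prevents the
 * out-of-range array read. struct rule and DEFUPRI are simplified
 * stand-ins for struct filed and syslogd's default priority.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <syslog.h>

/* Fallbacks for libcs whose <syslog.h> omits these BSD macros. */
#ifndef LOG_PRIMASK
#define LOG_PRIMASK 0x07
#endif
#ifndef LOG_PRI
#define LOG_PRI(p) ((p) & LOG_PRIMASK)
#endif
#ifndef LOG_FACMASK
#define LOG_FACMASK 0x03f8          /* the "magic constant" from the thread */
#endif
#ifndef LOG_FAC
#define LOG_FAC(p) (((p) & LOG_FACMASK) >> 3)
#endif
#ifndef LOG_NFACILITIES
#define LOG_NFACILITIES 24
#endif

/* Assumed default for a missing or malformed PRI: user.notice. */
#define DEFUPRI (LOG_USER | LOG_NOTICE)

/*
 * Parse the leading "<PRI>" of a datagram. Any decimal whose bits fit in
 * LOG_FACMASK|LOG_PRIMASK (0..1023) is accepted, so a peer can send
 * facility values 0..127 although only 0..23 exist. Advances *msgp past
 * the PRI field when one is present.
 */
int parse_pri(const char **msgp)
{
    const char *p = *msgp;
    int pri = DEFUPRI;

    if (*p == '<') {
        pri = 0;
        while (isdigit((unsigned char)*++p)) {
            if (pri <= 100000)          /* cap: long digit runs must not overflow int */
                pri = 10 * pri + (*p - '0');
        }
        if (*p == '>')
            ++p;
        *msgp = p;
    }
    if (pri & ~(LOG_FACMASK | LOG_PRIMASK))
        pri = DEFUPRI;
    return pri;
}

/*
 * Facility index for a parsed pri, or -1 when it must be dropped rather
 * than used as an array subscript. fac == LOG_NFACILITIES is rejected on
 * purpose: that slot is reserved for syslogd's internal MARK messages.
 */
int facility_index(int pri)
{
    int fac = LOG_FAC(pri);

    if (fac >= LOG_NFACILITIES)
        return -1;
    return fac;
}

/* Simplified rule: a bitmask of accepted levels per real facility. */
struct rule {
    unsigned char levels[LOG_NFACILITIES];
};

/*
 * Does this rule select the datagram? Without the check in
 * facility_index(), a forged "<1000>" would read levels[125], far past
 * the end of the array; with it the message is rejected up front.
 */
int rule_matches(const struct rule *r, const char *datagram)
{
    const char *p = datagram;
    int pri = parse_pri(&p);
    int fac = facility_index(pri);

    if (fac < 0)
        return 0;
    return (r->levels[fac] >> LOG_PRI(pri)) & 1;
}

/* Convenience wrappers: facility (or -1) and level of a datagram. */
int facility_of(const char *datagram)
{
    const char *p = datagram;
    return facility_index(parse_pri(&p));
}

int level_of(const char *datagram)
{
    const char *p = datagram;
    return LOG_PRI(parse_pri(&p));
}

int main(void)
{
    /* Constructed datagrams for illustration, not captured traffic. */
    const char *samples[] = {
        "<191>kernel: local7.debug from a peer",
        "<1000>forged: facility 125, level 0, passes the 0x3ff mask",
        "<1024>forged: fails the 0x3ff mask, falls back to user.notice",
        "no pri field at all",
    };
    struct rule r = {{0}};

    r.levels[LOG_FAC(LOG_LOCAL7)] = 1 << LOG_DEBUG;     /* "local7.debug" */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("fac=%3d lev=%d match=%d  %s\n", facility_of(samples[i]),
               level_of(samples[i]), rule_matches(&r, samples[i]), samples[i]);
    return 0;
}
```

The "<1000>" case is the one the report is about: 1000 is 0x3e8, which survives the `pri & ~(LOG_FACMASK|LOG_PRIMASK)` test because it only uses facility bits, and LOG_FAC() turns it into 125, five times the size of the real facility table. The 0x3f8 mask caps the damage at index 127, which is the point made in the reply above, but it does not make the subscript valid.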
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Mon Mar 28 11:00:05 GMT 2005 
State-Changed-Why:  
Committed to HEAD, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79260 

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>,
	freebsd-gnats-submit@freebsd.org, freebsd-bugs@freebsd.org
Cc:  
Subject: Re: bin/79260: syslogd may accept illegal facility number from remote.
Date: Mon, 28 Mar 2005 14:10:38 +0200

 On 2005.03.28 14:27:01 +0400, Gleb Smirnoff wrote:
 > On Sat, Mar 26, 2005 at 08:10:05PM +0000, Simon L. Nielsen wrote:
 > S>  > from remote host. but in struct filed, member variable f_pmask array
 > S>  > and f_pcmp array is limited to LOG_NFACILITIES. therefore syslogd
 > S>  > access invalid address in logmsg() when facility is larger than
 > S>  > LOG_NFACILITIES.
 > S>  
 > S>  Have you looked at what the implications of this is, mainly can you
 > S>  crash syslogd due to this bug?
 > 
 > No, it is impossible to crash syslogd exploiting this bug. We have a magic
 > constant 0x3f8, which is anded with facility, so fac can't overflow over 127.
 > f_pmask[] and f_pcmp[] fields in struct filed are followed by a big field f_un,
 > which is MAXPATHLEN bytes long. That's why we will never read memory outside of
 > struct filed.
 
 OK, great.  Thanks for looking into this!
 
 -- 
 Simon L. Nielsen
 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Mon Apr 18 12:12:56 GMT 2005 
State-Changed-Why:  
Merged. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79260 
>Unformatted:
