6 vulnerabilities in logrotate binary #533

Closed
blu3sh0rk opened this issue Jul 11, 2023 · 2 comments · Fixed by #534


blu3sh0rk commented Jul 11, 2023

6 vulnerabilities in logrotate binary

We found 6 vulnerabilities in the logrotate binary; logrotate is compiled with clang with ASAN enabled.

$ git clone https://github.com/logrotate/logrotate

$ cd logrotate

$ CC=clang CXX=clang++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure

$ make

Reproduction

Environment

OS: Ubuntu 20.04.5 LTS
Compiler: gcc version 9.4.0 or clang-12
version: commit c9e3cb069b85dd57b6747d6f6b5da6039fae5421

0x01 double-free in config.c:1846:31

$ ./logrotate -d poc1_double_free 
warning: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

reading config file poc1_double_free
error: cannot allocate memory [readConfigFile():1851]
=================================================================
==1305022==ERROR: AddressSanitizer: attempting double-free on 0x602000000650 in thread T0:
    #0 0x4988f9 in realloc (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x4988f9)
    #1 0x4d6c11 in readConfigFile /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:1846:31
    #2 0x4ca6eb in readConfigPath /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:765:13
    #3 0x4c9a37 in readAllConfigPaths /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:844:13
    #4 0x4dfdd8 in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3239:9
    #5 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41d71d in _start (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x41d71d)

0x602000000650 is located 0 bytes inside of 8-byte region [0x602000000650,0x602000000658)
freed by thread T0 here:
    #0 0x4988f9 in realloc (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x4988f9)
    #1 0x4d6c11 in readConfigFile /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:1846:31
    #2 0x4ca6eb in readConfigPath /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:765:13
    #3 0x4c9a37 in readAllConfigPaths /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:844:13
    #4 0x4dfdd8 in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3239:9
    #5 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4988f9 in realloc (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x4988f9)
    #1 0x4d6c11 in readConfigFile /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:1846:31
    #2 0x4ca6eb in readConfigPath /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:765:13
    #3 0x4c9a37 in readAllConfigPaths /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:844:13
    #4 0x4dfdd8 in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3239:9
    #5 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: double-free (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x4988f9) in realloc
==1305022==ABORTING

poc1: https://github.com/GGb0ndQAQ/POC/blob/main/logrotate/poc1_double_free

IMPACT

Potentially causing DoS and RCE

0x02 stack-buffer-overflow in config.c:1826

$ ./logrotate -d ./poc2_stack_overflow                                              
warning: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

reading config file ./poc2_stack_overflow
warning: ./poc2_stack_overflow:1 unknown option 'creargFFFFFFnFFFFF' -- ignoring line
warning: ./poc2_stack_overflow:2 unknown option 'tab' -- ignoring line
warning: ./poc2_stack_overflow:3 unknown option 'tab' -- ignoring line
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1305306==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fe978 (pc 0x7ffff7d4af38 bp 0x7fffff7ffea0 sp 0x7fffff7fe3b0 T0)
    #0 0x7ffff7d4af38 in glob64 /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9
    #1 0x7ffff7d4a602 in glob64 /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:584:14
    [frames #2 through #248 omitted: each is identical to #1, glob64 recursing at glob.c:584:14]

SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64
==1305306==ABORTING

poc2: https://github.com/GGb0ndQAQ/POC/blob/main/logrotate/poc2_stack_overflow

gdb backtrace:

#1101 0x00007ffff7d4a603 in __glob_lstat_compat (pattern=pattern@entry=0x7ffffffd3ed0 "///////\032", '/' <repeats 192 times>..., flags=flags@entry=12306, errfunc=errfunc@entry=0x4dc390 <globerr>, pglob=pglob@entry=0x7fffffffbc00) at ../posix/glob.c:584
[frames #1102 through #1120 omitted: identical to #1101 except for the pattern address, __glob_lstat_compat recursing at ../posix/glob.c:584]
#1121 0x00007ffff7d4a603 in __glob_lstat_compat (pattern=<optimized out>, flags=12304, errfunc=<optimized out>, pglob=0x7fffffffbc00) at ../posix/glob.c:584
#1122 0x0000000000441f39 in glob ()
#1123 0x00000000004d6961 in readConfigFile (configFile=0x603000000070 "./poc2_stack_overflow", defConfig=0x7fffffffd760) at config.c:1826
#1124 0x00000000004ca6ec in readConfigPath (path=0x603000000070 "./poc2_stack_overflow", defConfig=0x7fffffffd760) at config.c:765
#1125 0x00000000004c9a38 in readAllConfigPaths (paths=0x603000000010) at config.c:844
#1126 0x00000000004dfdd9 in main (argc=3, argv=0x7fffffffe268) at logrotate.c:3239

IMPACT

Potentially causing DoS or RCE

0x03 double free in config.c:503:5

./logrotate -df ./poc3_double_free
warning: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

reading config file ./poc3_double_free
error: ./poc3_double_free:1, unexpected text after }
error: cannot allocate memory [readConfigFile():1851]
error: ./poc3_double_free:3 glob failed for /*/*/$d cR  h scripto rotate 1comcReg/: Permission denied
removing last 1 log configs
=================================================================
==1305365==ERROR: AddressSanitizer: attempting double-free on 0x602000000810 in thread T0:
    #0 0x498372 in free (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x498372)
    #1 0x4c9bd0 in free_2d_array /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:503:5
    #2 0x4ca8ed in freeLogInfo /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:574:5
    #3 0x4dd524 in removeLogInfo /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:617:5
    #4 0x4dc642 in freeTailLogs /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:628:9
    #5 0x4d9886 in readConfigFile /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:2181:9
    #6 0x4ca6eb in readConfigPath /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:765:13
    #7 0x4c9a37 in readAllConfigPaths /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:844:13
    #8 0x4dfdd8 in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3239:9
    #9 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41d71d in _start (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x41d71d)

0x602000000810 is located 0 bytes inside of 8-byte region [0x602000000810,0x602000000818)
freed by thread T0 here:
    #0 0x4988f9 in realloc (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x4988f9)
    #1 0x4d6c11 in readConfigFile /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:1846:31
    #2 0x4ca6eb in readConfigPath /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:765:13
    #3 0x4c9a37 in readAllConfigPaths /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:844:13
    #4 0x4dfdd8 in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3239:9
    #5 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4988f9 in realloc (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x4988f9)
    #1 0x4d6c11 in readConfigFile /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:1846:31
    #2 0x4ca6eb in readConfigPath /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:765:13
    #3 0x4c9a37 in readAllConfigPaths /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:844:13
    #4 0x4dfdd8 in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3239:9
    #5 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: double-free (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x498372) in free
==1305365==ABORTING

poc3: https://github.com/GGb0ndQAQ/POC/blob/main/logrotate/poc3_double_free

IMPACT

Potentially causing DoS and RCE

0x04 segv in config.c:2093:32

$ ./logrotate -d ./poc4_segv
warning: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

reading config file ./poc4_segv
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1305386==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff4eb5fff (pc 0x0000004d9170 bp 0x7fffffffd3b0 sp 0x7fffffffb9e0 T0)
==1305386==The signal is caused by a READ memory access.
    #0 0x4d9170 in readConfigFile /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:2093:32
    #1 0x4ca6eb in readConfigPath /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:765:13
    #2 0x4c9a37 in readAllConfigPaths /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:844:13
    #3 0x4dfdd8 in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3239:9
    #4 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41d71d in _start (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x41d71d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/blu3sh0rk/Fuzz/debug/logrotate/config.c:2093:32 in readConfigFile
==1305386==ABORTING

poc4: https://github.com/GGb0ndQAQ/POC/blob/main/logrotate/poc4_segv

IMPACT

Potentially causing DoS

0x05 stack-buffer-overflow in logrotate.c:1836:20 in prerotateSingleLog

./logrotate -df poc5_stack_overflow
warning: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

reading config file poc5_stack_overflow
error: poc5_stack_overflow:1 duplicate log entry for missing
warning: poc5_stack_overflow:1 unknown option 'ict' -- ignoring line
warning: poc5_stack_overflow:4 unknown option 'a' -- ignoring line
error: poc5_stack_overflow:5 keyword 't' not properly separated, found 0
error: found error in /*
                        �/*
                           �DI
                              � missing @ hxt
R  missing, skipping
Reading state from file: /var/lib/logrotate.status
error: error opening state file /var/lib/logrotate.status; assuming empty state: Permission denied
Allocating hash table for state file, size 64 entries

Handling 1 logs

rotating pattern: /*
                    �/*
                       �DI
                          � missing @ hxt
R  missing forced from command line empty log files are rotated, no old logs will be kept
considering log /bin
Creating new state
  log /bin is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /lib
Creating new state
  log /lib is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /lib32
Creating new state
  log /lib32 is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /lib64
Creating new state
  log /lib64 is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /libx32
Creating new state
  log /libx32 is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /mmkv.default
Creating new state
  Now: 2023-07-11 13:41
  Last rotated at 2023-07-11 13:00
  log needs rotating
considering log /mmkv.default.crc
Creating new state
  Now: 2023-07-11 13:41
  Last rotated at 2023-07-11 13:00
  log needs rotating
considering log /sbin
Creating new state
  log /sbin is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /swapfile
Creating new state
  Now: 2023-07-11 13:41
  Last rotated at 2023-07-11 13:00
  log needs rotating
considering log �/*
error: stat of �/* failed: No such file or directory
Creating new state
considering log �DI
error: stat of �DI failed: No such file or directory
Creating new state
considering log �
error: stat of � failed: No such file or directory
Creating new state
considering log missing
Creating new state
  Now: 2023-07-11 13:41
  Last rotated at 2023-07-11 13:00
  log needs rotating
considering log @
error: stat of @ failed: No such file or directory
Creating new state
considering log hxt
error: stat of hxt failed: No such file or directory
Creating new state
considering log R
error: stat of R failed: No such file or directory
Creating new state
rotating log /mmkv.default, log->rotateCount is 0
error: Date format -%*
                      �/*
                         �DI
                            � missing @ *
                                         �DI
                                            �mmmmmmmmmmmmmmmnmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm DIR&gmi�sing { is OKate 2 is too long
=================================================================
==1305405==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc1f0 at pc 0x0000004ee960 bp 0x7fffffffbff0 sp 0x7fffffffbfe8
WRITE of size 1 at 0x7fffffffc1f0 thread T0
    #0 0x4ee95f in prerotateSingleLog /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:1836:20
    #1 0x4e4c7d in rotateLogSet /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:2513:36
    #2 0x4e000e in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3255:15
    #3 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41d71d in _start (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x41d71d)

Address 0x7fffffffc1f0 is located in stack of thread T0 at offset 496 in frame
    #0 0x4ec56f in prerotateSingleLog /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:1636

  This frame has 14 object(s):
    [32, 88) 'now' (line 1637)
    [128, 136) 'glob_pattern' (line 1641)
    [160, 232) 'globResult' (line 1642)
    [272, 336) 'dext_str' (line 1647)
    [368, 496) 'dformat' (line 1648) <== Memory access at offset 496 overflows this variable
    [528, 656) 'dext_pattern' (line 1649)
    [688, 832) 'sbprev' (line 1876)
    [896, 1040) 'sbprev341' (line 1895)
    [1104, 1112) 'oldName342' (line 1896)
    [1136, 1280) 'fst_buf' (line 1927)
    [1344, 1352) 'oldName502' (line 1989)
    [1376, 1520) 'fst_buf586' (line 2037)
    [1584, 1592) 'destFile' (line 2083)
    [1616, 1760) 'fst_buf652' (line 2084)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:1836:20 in prerotateSingleLog
Shadow bytes around the buggy address:
  0x10007fff77e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff77f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7800: f1 f1 f1 f1 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
  0x10007fff7810: 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
  0x10007fff7820: f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00
=>0x10007fff7830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2
  0x10007fff7840: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7850: 00 00 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007fff7860: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff7870: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007fff7880: f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1305405==ABORTING

poc5: https://github.com/GGb0ndQAQ/POC/blob/main/logrotate/poc5_stack_overflow

IMPACT

Potentially causing DoS and RCE

0x06 stack-buffer-overflow in logrotate.c:1830:28 in prerotateSingleLog

./logrotate -df poc6_stack_overflow
warning: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

reading config file poc6_stack_overflow
error: poc6_stack_overflow:1 duplicate log entry for �DI
warning: poc6_stack_overflow:1 unknown option 'ixt' -- ignoring line
Reading state from file: /var/lib/logrotate.status
error: error opening state file /var/lib/logrotate.status; assuming empty state: Permission denied
Allocating hash table for state file, size 64 entries

Handling 1 logs

rotating pattern: /*
                    �/*
                       �DI
                          �*
                            �DI
                               � mkssing forced from command line empty log files are rotated, no old logs will be kept
considering log /bin
Creating new state
  log /bin is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /lib
Creating new state
  log /lib is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /lib32
Creating new state
  log /lib32 is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /lib64
Creating new state
  log /lib64 is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /libx32
Creating new state
  log /libx32 is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /mmkv.default
Creating new state
  Now: 2023-07-11 13:42
  Last rotated at 2023-07-11 13:00
  log needs rotating
considering log /mmkv.default.crc
Creating new state
  Now: 2023-07-11 13:42
  Last rotated at 2023-07-11 13:00
  log needs rotating
considering log /sbin
Creating new state
  log /sbin is symbolic link. Rotation of symbolic links is not allowed to avoid security issues -- skipping.
considering log /swapfile
Creating new state
  Now: 2023-07-11 13:42
  Last rotated at 2023-07-11 13:00
  log needs rotating
considering log �/*
error: stat of �/* failed: No such file or directory
Creating new state
considering log �DI
error: stat of �DI failed: No such file or directory
Creating new state
considering log �*
error: stat of �* failed: No such file or directory
Creating new state
considering log �
error: stat of � failed: No such file or directory
Creating new state
considering log mkssing
error: stat of mkssing failed: No such file or directory
Creating new state
rotating log /mmkv.default, log->rotateCount is 0
=================================================================
==1305427==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc1f0 at pc 0x0000004ee80a bp 0x7fffffffbff0 sp 0x7fffffffbfe8
WRITE of size 1 at 0x7fffffffc1f0 thread T0
    #0 0x4ee809 in prerotateSingleLog /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:1830:28
    #1 0x4e4c7d in rotateLogSet /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:2513:36
    #2 0x4e000e in main /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:3255:15
    #3 0x7ffff7c0d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41d71d in _start (/home/blu3sh0rk/Fuzz/debug/logrotate/logrotate+0x41d71d)

Address 0x7fffffffc1f0 is located in stack of thread T0 at offset 496 in frame
    #0 0x4ec56f in prerotateSingleLog /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:1636

  This frame has 14 object(s):
    [32, 88) 'now' (line 1637)
    [128, 136) 'glob_pattern' (line 1641)
    [160, 232) 'globResult' (line 1642)
    [272, 336) 'dext_str' (line 1647)
    [368, 496) 'dformat' (line 1648) <== Memory access at offset 496 overflows this variable
    [528, 656) 'dext_pattern' (line 1649)
    [688, 832) 'sbprev' (line 1876)
    [896, 1040) 'sbprev341' (line 1895)
    [1104, 1112) 'oldName342' (line 1896)
    [1136, 1280) 'fst_buf' (line 1927)
    [1344, 1352) 'oldName502' (line 1989)
    [1376, 1520) 'fst_buf586' (line 2037)
    [1584, 1592) 'destFile' (line 2083)
    [1616, 1760) 'fst_buf652' (line 2084)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/blu3sh0rk/Fuzz/debug/logrotate/logrotate.c:1830:28 in prerotateSingleLog
Shadow bytes around the buggy address:
  0x10007fff77e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff77f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7800: f1 f1 f1 f1 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
  0x10007fff7810: 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
  0x10007fff7820: f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00
=>0x10007fff7830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2
  0x10007fff7840: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7850: 00 00 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007fff7860: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff7870: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007fff7880: f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1305427==ABORTING

poc6: https://github.com/GGb0ndQAQ/POC/blob/main/logrotate/poc6_stack_overflow

IMPACT

Potentially causing DoS and RCE

blu3sh0rk changed the title from "5 vulnerabilities in logrotate binary" to "6 vulnerabilities in logrotate binary" on Jul 11, 2023

kdudka (Member) commented Jul 11, 2023

@blu3sh0rk Thank you for reporting the issues! We prefer issues with potential security impact to be reported off the public issue tracker. In this specific case, it is not a big deal because Denial of Service (DoS) or Remote Code Execution (RCE) with logrotate is trivial if its config file is already under your control. That is, you can configure logrotate to execute whatever you want even if we fix all the issues you reported. Anyway, thank you for providing all the details and reproducers. We will have a look at how to make logrotate's code more robust.

cgzones (Member) commented Jul 12, 2023

Thanks @blu3sh0rk for finding and reporting these issues.
I was able to reproduce them by fuzzing logrotate in debug mode.
They should be fixed by the commits in #534.
I agree with @kdudka that the impact is rather low, since being able to control the logrotate configuration files is equivalent to having root access (due to the script directives), and logrotate checks that configuration files have sane ownership and permissions set.

PoC 0x02 seems to be an issue in the glob(3) implementation of glibc, since the man page does not mention any limitations on the supported input or offer a flag for secure operations on user-controlled input. Do you mind reporting it against glibc?
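As an added defensive example (not logrotate's or glibc's code): a pre-validation step a config parser could apply before handing a pattern to glob(3). It collapses runs of slashes like the ones in the PoC 0x02 backtrace (POSIX treats them as a single separator), rejects control bytes such as the 0x1a in that pattern, and bounds the length; the MAX_GLOB_PATTERN limit and the control-byte policy are assumptions chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <glob.h>

/* Upper bound on a pattern we are willing to pass to glob(3).
 * Example value only; not a logrotate or glibc constant. */
#define MAX_GLOB_PATTERN 1024

/*
 * Normalise a config-supplied glob pattern before calling glob(3):
 *  - collapse runs of '/' into one '/' (equivalent for path resolution),
 *  - reject control bytes (the crashing pattern contained 0x1a),
 *  - reject overlong or empty patterns.
 * Returns 0 on success and writes the cleaned pattern to 'out'
 * (out_len bytes, NUL-terminated); returns -1 if the pattern is rejected.
 */
int sanitize_glob_pattern(const char *in, char *out, size_t out_len)
{
    size_t n = 0;

    if (in == NULL || out == NULL || out_len == 0)
        return -1;
    if (strlen(in) > MAX_GLOB_PATTERN)
        return -1;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;

        if (c < 0x20 || c == 0x7f)
            return -1;              /* control byte: not a sane path */
        if (c == '/' && n > 0 && out[n - 1] == '/')
            continue;               /* collapse "//" into "/" */
        if (n + 1 >= out_len)
            return -1;              /* no room for this byte plus NUL */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n > 0 ? 0 : -1;          /* empty pattern is rejected too */
}

/* Sanitise, then glob. Returns -1 if rejected, else the glob(3) result. */
int safe_glob(const char *pattern, glob_t *result)
{
    char buf[MAX_GLOB_PATTERN + 1];

    if (sanitize_glob_pattern(pattern, buf, sizeof buf) != 0)
        return -1;
    return glob(buf, 0, NULL, result);
}

int main(void)
{
    /* Constructed pattern in the shape of the PoC: slashes, 0x1a, more slashes. */
    char poc[256];
    char out[64];

    memset(poc, '/', 200);
    poc[7] = '\x1a';
    poc[200] = '\0';
    printf("poc-like pattern: %s\n",
           sanitize_glob_pattern(poc, out, sizeof out) == 0 ? out : "REJECTED");
    printf("/var/log//*.log -> %s\n",
           sanitize_glob_pattern("/var/log//*.log", out, sizeof out) == 0 ? out : "REJECTED");
    return 0;
}
```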
