From ea218b16e880cf4d1eb9fcf7ba14cd0ad6b033df Mon Sep 17 00:00:00 2001 From: Antal Nemes Date: Wed, 7 Jun 2017 14:25:27 +0200 Subject: [PATCH 1/2] file destination: invalid read syslog-ng start a reopen_timer ivykis timer in case destination file does not exist. The cookie of the timer is set to the destination driver itself. When syslog-ng stops syslog-ng frees the memory behind the cookie, but does not stop the timer. The patch explicitely calls the cancel during deinit. Signed-off-by: Antal Nemes --- lib/logwriter.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/logwriter.c b/lib/logwriter.c index 6d827cbf94..dd2a4c302a 100644 --- a/lib/logwriter.c +++ b/lib/logwriter.c @@ -1357,6 +1357,9 @@ log_writer_deinit(LogPipe *s) log_writer_stop_watches(self); iv_event_unregister(&self->queue_filled); + if (iv_timer_registered(&self->reopen_timer)) + iv_timer_unregister(&self->reopen_timer); + ml_batched_timer_unregister(&self->suppress_timer); ml_batched_timer_unregister(&self->mark_timer); From 559be1f7479757ddffdde4e41771298797ae837c Mon Sep 17 00:00:00 2001 From: Antal Nemes Date: Thu, 8 Jun 2017 10:05:40 +0200 Subject: [PATCH 2/2] journal-reader: nvtable invalid read journal-reader wants to add an already existing value to another nvtable entry: SYSLOG_IDENTIFIER to PROGRAM. _get_value_from_message borrows the memory location pointing to somewhere into nvtable. But during log_msg_set_value this location might be invalidated if nvtable realloc happens, resulting in an invalid read pointing to the freed memory of the original location of nvtable. For this sake, value is g_strdupped before passing to log_msg_set_value. Steps to reproduce: start syslog-ng with valgrind with a simple configuration containing a single system() source. Generate log using logger: logger "test" a few times. After a few trials valgrind will report the issue. 
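Review bot: The added `iv_timer_unregister(&self->reopen_timer)` in log_writer_deinit() only cancels a timer that is armed at that moment, and nothing in the hunk shows that reopen_timer cannot be registered again once deinit has run. If any such path exists (it is not visible here), the timer would again outlive the memory its cookie points to, which is the invalid read the commit message describes. It is worth confirming that every site that registers reopen_timer is unreachable after deinit, and recording the lifetime rule next to the new lines, e.g. `/* the timer cookie is freed after deinit: cancel reopen_timer so its handler cannot run on freed memory */`. The rest of log_writer_deinit() lies outside the hunk.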
Signed-off-by: Antal Nemes --- modules/systemd-journal/journal-reader.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/systemd-journal/journal-reader.c b/modules/systemd-journal/journal-reader.c index 380f544a93..95c6582424 100644 --- a/modules/systemd-journal/journal-reader.c +++ b/modules/systemd-journal/journal-reader.c @@ -224,7 +224,8 @@ static void _set_program(JournalReaderOptions *options, LogMessage *msg) { gssize value_length = 0; - const gchar *value = _get_value_from_message(options, msg, "SYSLOG_IDENTIFIER", &value_length); + /* g_strdup: referred value can change during log_msg_set_value if nvtable realloc needed */ + gchar *value = g_strdup(_get_value_from_message(options, msg, "SYSLOG_IDENTIFIER", &value_length)); if (value_length > 0) { @@ -232,9 +233,12 @@ _set_program(JournalReaderOptions *options, LogMessage *msg) } else { - value = _get_value_from_message(options, msg, "_COMM", &value_length); + value = g_strdup(_get_value_from_message(options, msg, "_COMM", &value_length)); log_msg_set_value(msg, LM_V_PROGRAM, value, value_length); } + + g_free(value); + } static void
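Review bot: The copy made by `g_strdup(...)` on the new `gchar *value` line stops at the first NUL byte, while `value_length` still carries the length reported for the borrowed nvtable value. If the two ever disagree (for example a journal field with an embedded NUL, which this hunk cannot rule out), `log_msg_set_value(msg, LM_V_PROGRAM, value, value_length)` would read past the end of the heap copy. Tying the copy to the reported length avoids that: `const gchar *borrowed = _get_value_from_message(options, msg, "SYSLOG_IDENTIFIER", &value_length);` followed by `gchar *value = g_strndup(borrowed, value_length);`. Keep the lookup and the copy as separate statements, because the length is an out-parameter of the same call. The `_COMM` lookup in the second hunk needs the same treatment.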
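Review bot: In the else branch, `value = g_strdup(...)` overwrites the pointer returned by the first `g_strdup()` without freeing it, so the single `g_free(value)` at the end of _set_program() releases only the second copy. Whenever the SYSLOG_IDENTIFIER lookup yields a non-NULL empty string (whether a missing field comes back as NULL or as an empty string is not visible here), the first allocation leaks once per message. In a long-running daemon that is a steady memory drain. Adding `g_free(value);` as the first statement of the else branch fixes it. The blank line added between `g_free(value);` and the closing brace can also be dropped.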