Bug#841668: grok: Fix for wrong pointer aliasing in grok

Fri, 21 Oct 2016 14:37:14 -0700 

Package: grok
Version: 1.20110708.1-4.1
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu zesty ubuntu-patch

Hi Stig,

While debugging a build failure of syslog-ng-incubator on s390x in Ubuntu,
I've identified a bug in the grok code related to pointer aliasing.  The
regexp_len argument to grok_pattern_find() has been defined as a size_t*,
but this pointer is then passed through to a tokyocabinet API that only
takes an int*, which leaves half of the size_t variable uninitialized on
64-bit architectures.  And on big-endian architectures, crucially, it's the
lower half of the variable that's uninitialized, eventually leading to a
crash.

The attached patch fixes this by explicitly declaring the API to be based on
an int* instead of a size_t*, and fixing the internal callers of
grok_pattern_find().  Note that this is an API change (changing the
prototype of a public function), but is not an ABI change; I'm only changing
the public declaration to match the actual behavior.  Therefore, if there
are other external users of this function which are assuming they can pass
in a size_t* to uninitialized memory and use it afterwards, those callers
will still see buggy behavior.  So you (or upstream) may wish instead to
keep the prototype as-is, and fix up the pointer aliasing within the
function.

Thanks for considering the patch!
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

diff -Nru grok-1.20110708.1/debian/patches/fix_wrong_pointer_alias.patch grok-1.20110708.1/debian/patches/fix_wrong_pointer_alias.patch
--- grok-1.20110708.1/debian/patches/fix_wrong_pointer_alias.patch	1969-12-31 16:00:00.000000000 -0800
+++ grok-1.20110708.1/debian/patches/fix_wrong_pointer_alias.patch	2016-10-21 14:05:10.000000000 -0700
@@ -0,0 +1,64 @@
+Description: fix wrong pointer alias
+ size_t * != int *, and casting one to the other without initialization is
+ a good way to get garbage data into your program, leading to crashes such
+ as the one in
+ https://launchpad.net/ubuntu/+source/syslog-ng-incubator/0.5.0-1build1/+build/11039099
+Author: Steve Langasek <steve.langa...@ubuntu.com>
+Forwarded: no
+Last-Update: 2016-10-21
+
+Index: grok-1.20110708.1/grok_pattern.c
+===================================================================
+--- grok-1.20110708.1.orig/grok_pattern.c
++++ grok-1.20110708.1/grok_pattern.c
+@@ -33,9 +33,9 @@
+ }
+ 
+ int grok_pattern_find(const grok_t *grok, const char *name, size_t name_len,
+-                      const char **regexp, size_t *regexp_len) {
++                      const char **regexp, int *regexp_len) {
+   TCTREE *patterns = grok->patterns;
+-  *regexp = tctreeget(patterns, name, name_len, (int*) regexp_len);
++  *regexp = tctreeget(patterns, name, name_len, regexp_len);
+ 
+   grok_log(grok, LOG_PATTERNS, "Searching for pattern '%s' (%s): %.*s",
+            name, *regexp == NULL ? "not found" : "found", *regexp_len, *regexp);
+Index: grok-1.20110708.1/grok_pattern.h
+===================================================================
+--- grok-1.20110708.1.orig/grok_pattern.h
++++ grok-1.20110708.1/grok_pattern.h
+@@ -9,7 +9,7 @@
+ int grok_pattern_add(const grok_t *grok, const char *name, size_t name_len,
+                       const char *regexp, size_t regexp_len);
+ int grok_pattern_find(const grok_t *grok, const char *name, size_t name_len,
+-                      const char **regexp, size_t *regexp_len);
++                      const char **regexp, int *regexp_len);
+ int grok_patterns_import_from_file(const grok_t *grok, const char *filename);
+ int grok_patterns_import_from_string(const grok_t *grok, const char *buffer);
+ 
+Index: grok-1.20110708.1/test/grok_pattern.test.c
+===================================================================
+--- grok-1.20110708.1.orig/test/grok_pattern.test.c
++++ grok-1.20110708.1/test/grok_pattern.test.c
+@@ -4,7 +4,7 @@
+ void test_grok_pattern_add_and_find_work(void) {
+   INIT;
+   const char *regexp = NULL;
+-  size_t len = 0;
++  int len = 0;
+ 
+   grok_pattern_add(&grok, "WORD", 5, "\\w+", 3);
+   grok_pattern_add(&grok, "TEST", 5, "TEST", 4);
+Index: grok-1.20110708.1/grokre.c
+===================================================================
+--- grok-1.20110708.1.orig/grokre.c
++++ grok-1.20110708.1/grokre.c
+@@ -183,7 +183,7 @@
+     int start, end, matchlen;
+     const char *pattern_regex;
+     int patname_len;
+-    size_t regexp_len;
++    int regexp_len;
+     int pattern_regex_needs_free = 0;
+ 
+     grok_log(grok, LOG_REGEXPAND, "% 20s: %.*s", "start of loop",
diff -Nru grok-1.20110708.1/debian/patches/series grok-1.20110708.1/debian/patches/series
--- grok-1.20110708.1/debian/patches/series	2015-01-26 01:57:27.000000000 -0800
+++ grok-1.20110708.1/debian/patches/series	2016-10-21 13:48:31.000000000 -0700
@@ -3,3 +3,4 @@
 0002-Support-GNU-Hurd-add-necessary-linker-flag.patch
 pcre-group-name.patch
 ld-as-needed.diff
+fix_wrong_pointer_alias.patch

Reply via email to