Package: libgpm2
Version: 1.20.7-4
Severity: normal
Tags: patch

When a condition occurs that causes gpm_report to be called, a segfault
occurs when writing to syslog.  This is due to the syslog format string
being wrapped in single quotes instead of double quotes, thus being
interpreted as a character instead of a string.  Since syslog expects a
char string, the "single character" is taken as a 16-byte memory address
and results in an invalid memory access attempt.


Sample backtrace:

#0  0x000003fffda24408 in ?? () from /lib/s390x-linux-gnu/libc.so.6
#1  0x000003fffd9da57e in vfprintf () from /lib/s390x-linux-gnu/libc.so.6
#2  0x000003fffda99ae2 in __vfprintf_chk () from /lib/s390x-linux-gnu/libc.so.6
#3  0x000003fffda81ab6 in __vsyslog_chk () from /lib/s390x-linux-gnu/libc.so.6
#4  0x000003fffda81fb8 in __syslog_chk () from /lib/s390x-linux-gnu/libc.so.6
#5  0x000003fffdc04700 in syslog (__fmt=0x2573 <error: Cannot access memory at address 0x2573>, __pri=3)
    at /usr/include/s390x-linux-gnu/bits/syslog.h:31
#6  gpm_report (line=line@entry=239, file=file@entry=0x3fffdc05042 "lib/liblow.c", stat=stat@entry=4,
    text=text@entry=0x3fffdc05008 "unable to open gpm console, check your /dev filesystem!\n") at lib/report-lib.c:50
#7  0x000003fffdc0298e in Gpm_Open (conn=conn@entry=0x1002e72fc <gpm_connect>, flag=<optimized out>)
    at lib/liblow.c:239
#8  0x000003fffdc02c16 in Gpm_Open (conn=conn@entry=0x1002e72fc <gpm_connect>, flag=flag@entry=0) at lib/liblow.c:416
#9  0x0000000100168e06 in gpm_open () at os_unix.c:6946
#10 mch_setmouse (on=<optimized out>) at os_unix.c:3660
#11 0x00000001001f8304 in settmode (tmode=<optimized out>) at term.c:3357
#12 0x0000000100243306 in vim_main2 () at main.c:676
#13 0x0000000100039178 in main (argc=<optimized out>, argv=<optimized out>) at main.c:429
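The following is an added example (not code from gpm or from the bug reporter) that shows why the backtrace above reports `__fmt=0x2573` and what the corrected logging path looks like. `multichar_format_value` reproduces GCC's documented rule for multi-character constants without using the literal `'%s'` itself; `report_to_buffer` and `report_to_syslog` are hypothetical stand-ins for the fixed `gpm_report` path, formatting the prefix through a `"%s"` conversion and the variadic text through a `va_list`, the way the patched `syslog`/`vsyslog` pair does. The buffer variant exists only so the behaviour can be checked without writing to the system log.

```c
#define _GNU_SOURCE            /* for vsyslog() on glibc */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* GCC builds a multi-character constant by shifting the running value
 * left 8 bits and OR-ing in the next character, so '%s' has type int and
 * the value ('%' << 8) | 's' == 0x2573. That integer, not a pointer, is
 * what the old syslog(log_level, '%s', string) passed as the format, and
 * it is the address the backtrace shows syslog trying to read. */
int multichar_format_value(void)
{
    return ('%' << 8) | 's';
}

/* Hypothetical stand-in for the fixed gpm_report path, writing to a buffer
 * instead of syslog so the result can be inspected. The prefix is treated
 * as data via "%s"; only the caller's own text is used as a format. */
int report_to_buffer(char *out, size_t out_len, const char *prefix,
                     const char *text, ...)
{
    va_list ap;
    int n, m;

    /* Correct form: "%s" is the format, prefix is the argument.
     * Any '%' inside prefix is copied verbatim, never interpreted. */
    n = snprintf(out, out_len, "%s", prefix);
    if (n < 0 || (size_t)n >= out_len)
        return -1;

    va_start(ap, text);
    m = vsnprintf(out + n, out_len - (size_t)n, text, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= out_len - (size_t)n)
        return -1;
    return n + m;
}

/* Same pattern against the real syslog, mirroring the patched code:
 * a string-literal "%s" format (double quotes), then vsyslog for the
 * variadic message text. */
void report_to_syslog(int log_level, const char *prefix, const char *text, ...)
{
    va_list ap;

    syslog(log_level, "%s", prefix);   /* was: syslog(log_level, '%s', prefix) */
    va_start(ap, text);
    vsyslog(log_level, text, ap);
    va_end(ap);
}

int main(void)
{
    char buf[128];

    printf("'%%s' as a multi-char constant: 0x%x\n", multichar_format_value());
    report_to_buffer(buf, sizeof buf, "gpm: ",
                     "unable to open gpm console, check your %s!\n", "/dev");
    fputs(buf, stdout);
    return 0;
}
```

The second test below feeds a prefix that itself contains a `%`: with the `"%s"` form it reaches the output unchanged, which is the property the original 092 patch ("format not a string literal") was after and the single-quoted version silently lost.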


A patch is attached for your convenience.
diff -Nuar 
gpm-1.20.7.orig/debian/patches/092_fix-format-not-a-string-literal-and-no-format-arguments.patch
 
gpm-1.20.7/debian/patches/092_fix-format-not-a-string-literal-and-no-format-arguments.patch
--- 
gpm-1.20.7.orig/debian/patches/092_fix-format-not-a-string-literal-and-no-format-arguments.patch
    2017-08-19 05:40:43.000000000 -0400
+++ 
gpm-1.20.7/debian/patches/092_fix-format-not-a-string-literal-and-no-format-arguments.patch
 2018-01-29 18:27:43.615443462 -0500
@@ -3,12 +3,12 @@
 
 --- a/src/lib/report-lib.c
 +++ b/src/lib/report-lib.c
-@@ -47,7 +47,7 @@
+@@ -47,7 +47,7 @@ void gpm_report(int line, char *file, in
                             log_level = LOG_CRIT; break;
     }
  #ifdef HAVE_VSYSLOG
 -   syslog(log_level, string);
-+   syslog(log_level, '%s', string);
++   syslog(log_level, "%s", string);
     vsyslog(log_level, text, ap);
  #else
     fprintf(stderr,"%s[%s(%d)]:\n",string,file,line);
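Review bot: the replacement line is right: `'%s'` is a multi-character constant of type `int` (0x2573 under GCC, the value seen as `__fmt` in the backtrace), so the old `syslog(log_level, '%s', string)` handed an integer to a parameter declared `const char *`, while `syslog(log_level, "%s", string)` keeps `string` as data and preserves the intent of patch 092 (no non-literal format). Two follow-ups: GCC's `-Wint-conversion` and `-Wmultichar` both flag the bad line at compile time, so promoting those to errors in the package build would stop this class of typo from reaching a release; and the rewritten `@@ -47,7 +47,7 @@` header now carries the `void gpm_report(int line, char *file, in` function context, which is harmless but unrelated to the fix and could stay as in the original to keep the debian patch minimal.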
