diff --git a/backport-fix-hashtable-realloc-memset-range.patch b/backport-fix-hashtable-realloc-memset-range.patch new file mode 100644 index 0000000000000000000000000000000000000000..d8b4c7488c34d2786d38a07ad503522b109ca13f --- /dev/null +++ b/backport-fix-hashtable-realloc-memset-range.patch @@ -0,0 +1,28 @@ +From 3e062839760767c966bc01fba542974b7b28ad9c Mon Sep 17 00:00:00 2001 +From: Andre Lorbach +Date: Tue, 10 Jun 2025 09:50:40 +0200 +Subject: [PATCH 4/5] fix hashtable realloc memset range + +Reference: https://github.com/rsyslog/rsyslog/commit/209213cadcf36515cfbf0fdf7eecae5f33f00a4c +Conflict: NA +--- + runtime/hashtable.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/runtime/hashtable.c b/runtime/hashtable.c +index 4673a50..b5a8d69 100644 +--- a/runtime/hashtable.c ++++ b/runtime/hashtable.c +@@ -129,7 +129,8 @@ hashtable_expand(struct hashtable *h) + realloc(h->table, newsize * sizeof(struct entry *)); + if (NULL == newtable) { (h->primeindex)--; return 0; } + h->table = newtable; +- memset(newtable[h->tablelength], 0, newsize - h->tablelength); ++ memset(&newtable[h->tablelength], 0, ++ (newsize - h->tablelength) * sizeof(struct entry *)); + for (i = 0; i < h->tablelength; i++) { + for (pE = &(newtable[i]), e = *pE; e != NULL; e = *pE) { + idx = indexFor(newsize,e->h); +-- +2.43.0 + \ No newline at end of file diff --git a/backport-fix-off-by-one-buffer-overflow.patch b/backport-fix-off-by-one-buffer-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..a2e1bcc969c0b4c6772330026d6918cc82308faf --- /dev/null +++ b/backport-fix-off-by-one-buffer-overflow.patch @@ -0,0 +1,29 @@ +From 0bdb3517a2866c857e688af1bce4bd53eaf50df7 Mon Sep 17 00:00:00 2001 +From: Maks Maltsev +Date: Fri, 20 Jun 2025 16:11:19 +0300 +Subject: [PATCH 5/5] fix off-by-one buffer overflow + + One byte for `\0` should be left in case the message is `sizeof(msgBuf)` bytes or longer. + +Reference: https://github.com/rsyslog/rsyslog/commit/9b6c39d934398aaa3a619056b1a9181be5adecfe +Conflict: NA +--- + tools/rsyslogd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c +index 2908cbd..4a46e32 100644 +--- a/tools/rsyslogd.c ++++ b/tools/rsyslogd.c +@@ -558,7 +558,7 @@ forkRsyslog(void) + exit(1); + } + +- int nRead = read(pipefd[0], msgBuf, sizeof(msgBuf)); ++ int nRead = read(pipefd[0], msgBuf, sizeof(msgBuf)-1); + if(nRead > 0) { + msgBuf[nRead] = '\0'; + } else { +-- +2.43.0 + \ No newline at end of file diff --git a/backport-fix-stringop-overread-warning-in-omusrmsg.patch b/backport-fix-stringop-overread-warning-in-omusrmsg.patch new file mode 100644 index 0000000000000000000000000000000000000000..434c1db421cd28030f12c05add7217f515310af5 --- /dev/null +++ b/backport-fix-stringop-overread-warning-in-omusrmsg.patch @@ -0,0 +1,51 @@ +From 58582266424e99c72b468b5d85b6e98edf44d083 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Fri, 6 Jun 2025 17:54:36 +0200 +Subject: [PATCH 3/5] fix stringop-overread warning in omusrmsg + + AI-Agent: Codex 2025-06 + +Reference: https://github.com/rsyslog/rsyslog/commit/bf200a5227c2f06a2a93eec9a9d32d376d3356a2 +Conflict:NA +--- + tools/omusrmsg.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/tools/omusrmsg.c b/tools/omusrmsg.c +index aaa36d9..c9c46fd 100644 +--- a/tools/omusrmsg.c ++++ b/tools/omusrmsg.c +@@ -208,16 +208,20 @@ void endutent(void) + + static void sendwallmsg(const char *tty, uchar* pMsg) + { +- uchar szErr[512]; +- int errnoSave; +- char p[sizeof(_PATH_DEV) + UNAMESZ]; +- int ttyf; +- struct stat statb; +- int wrRet; +- +- /* compute the device name */ +- strcpy(p, _PATH_DEV); +- strncat(p, tty, UNAMESZ); ++ uchar szErr[512]; ++ int errnoSave; ++ char p[sizeof(_PATH_DEV) + UT_LINESIZE]; ++ int ttyf; ++ struct stat statb; ++ int wrRet; ++ ++ /* compute the device name */ ++ strcpy(p, _PATH_DEV); ++ size_t base_len = strlen(p); ++ size_t avail = sizeof(p) - base_len - 1; ++ size_t ttylen = strnlen(tty, avail); ++ memcpy(p + base_len, tty, ttylen); ++ p[base_len + ttylen] = '\0'; + + /* we must be careful when writing to the terminal. A terminal may block + * (for example, a user has pressed -s). In that case, we can not +-- +2.43.0 + \ No newline at end of file diff --git a/backport-imjournal-fix-double-sd_journal_close-during-thread.patch b/backport-imjournal-fix-double-sd_journal_close-during-thread.patch new file mode 100644 index 0000000000000000000000000000000000000000..28baca58f04f714ff4c36b4f9338b7c14a71a7f7 --- /dev/null +++ b/backport-imjournal-fix-double-sd_journal_close-during-thread.patch @@ -0,0 +1,49 @@ +From 4e8a5b1191b8c4fbfc82b0cfb3219738fbc13d80 Mon Sep 17 00:00:00 2001 +From: xietangxin +Date: Sat, 16 Aug 2025 16:29:25 +0800 +Subject: [PATCH] imjournal: fix double sd_journal_close() during thread + cancellation + +When the main thread cancel imjournal thread, the thread exits without +setting sd_journal to NULL because sd_journal_close() contain cancel point. +This leads to a double free scenario where: + +1. The thread cancel occurs during sd_journal_close() +2. The main thread then calls imjournal's afterrun function +3. sd_journal_close() is called again on the already-freed sd_journal + +Reference:https://github.com/rsyslog/rsyslog/commit/dc561451d77302f64f2f96cd9f7a3ad0b01b9329 +Conflict:NA +--- + plugins/imjournal/imjournal.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/plugins/imjournal/imjournal.c b/plugins/imjournal/imjournal.c +index ade29a5..22b381a 100644 +--- a/plugins/imjournal/imjournal.c ++++ b/plugins/imjournal/imjournal.c +@@ -226,11 +226,18 @@ static rsRetVal openJournal(struct journalContext_s *journalContext) { + + /* trySave shoulod only be true if there is no journald error preceeding this call */ + static void closeJournal(struct journalContext_s *journalContext) { +- if (!journalContext->j) { ++ sd_journal *j_to_close = journalContext->j; ++ ++ if (!j_to_close) { + LogMsg(0, RS_RET_OK_WARN, LOG_WARNING, "imjournal: closing NULL journal.\n"); ++ } else { ++ journalContext->j = NULL; ++ ++ /* sd_journal_close() is a cancellation point. If we are cancelled ++ * here, journalContext->j is already NULL, preventing double-free. ++ */ ++ sd_journal_close(j_to_close); + } +- sd_journal_close(journalContext->j); +- journalContext->j = NULL; /* setting to NULL here as journald API will not do that for us... */ + } + + static int journalGetData(struct journalContext_s *journalContext, const char *field, const void **data, size_t *length) +-- +2.33.0 + diff --git a/backport-imuxsock-Add-statistics-counter-for-discarded-messag.patch b/backport-imuxsock-Add-statistics-counter-for-discarded-messag.patch new file mode 100644 index 0000000000000000000000000000000000000000..85500c271c54a2541709d886c6d9eaaecb98318a --- /dev/null +++ b/backport-imuxsock-Add-statistics-counter-for-discarded-messag.patch @@ -0,0 +1,83 @@ +From bd04ad71bf9eb60eb16c70db0fe3b71ed70dd340 Mon Sep 17 00:00:00 2001 +From: Cropi +Date: Mon, 17 Mar 2025 15:18:57 +0100 +Subject: [PATCH 1/5] imuxsock: Add statistics counter for discarded messages + + This patch introduces a counter to track the number of discarded messages. + Additionally, it fixes a bug where the submitted message count was + incremented even when the message was discarded due to exceeding the allowed + message rate within a given interval. + +Reference: https://github.com/rsyslog/rsyslog/commit/fa92d4b54c461fe95a5e0f68978c17e9faa36bf5 +Conflict:NA +--- + plugins/imuxsock/imuxsock.c | 6 ++++-- + tests/imuxsock_impstats.sh | 37 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 2 deletions(-) + create mode 100755 tests/imuxsock_impstats.sh + +diff --git a/plugins/imuxsock/imuxsock.c b/plugins/imuxsock/imuxsock.c +index 1ae550e..2268595 100644 +--- a/plugins/imuxsock/imuxsock.c ++++ b/plugins/imuxsock/imuxsock.c +@@ -1030,10 +1030,12 @@ SubmitMsg(uchar *pRcv, int lenRcv, lstn_t *pLstn, struct ucred *cred, struct tim + MsgSetRcvFrom(pMsg, pLstn->hostName == NULL ? glbl.GetLocalHostNameProp() : pLstn->hostName); + CHKiRet(MsgSetRcvFromIP(pMsg, pLocalHostIP)); + MsgSetRuleset(pMsg, pLstn->pRuleset); +- ratelimitAddMsg(ratelimiter, NULL, pMsg); ++ CHKiRet(ratelimitAddMsg(ratelimiter, NULL, pMsg)); + STATSCOUNTER_INC(ctrSubmit, mutCtrSubmit); + finalize_it: +- if(iRet != RS_RET_OK) { ++ if (iRet == RS_RET_DISCARDMSG) { ++ STATSCOUNTER_INC(ctrLostRatelimit, mutCtrLostRatelimit); ++ } else if(iRet != RS_RET_OK) { + if(pMsg != NULL) + msgDestruct(&pMsg); + } +diff --git a/tests/imuxsock_impstats.sh b/tests/imuxsock_impstats.sh +new file mode 100755 +index 0000000..db61071 +--- /dev/null ++++ b/tests/imuxsock_impstats.sh +@@ -0,0 +1,37 @@ ++#!/bin/bash ++# This test tests impstats omfwd counters in TCP mode ++# added 2025-03-17 by Croppi. Released under ASL 2.0 ++. ${srcdir:=.}/diag.sh init ++generate_conf ++export STATSFILE="$RSYSLOG_DYNNAME.stats" ++add_conf ' ++module(load="../plugins/impstats/.libs/impstats" log.file="'$STATSFILE'" ++ interval="1" ruleset="stats" log.syslog="off") ++template(name="outfmt" type="string" string="%msg:F,58:2%\n") ++ ++ruleset(name="stats") { ++ stop # nothing to do here ++} ++ ++module(load="../plugins/imuxsock/.libs/imuxsock" sysSock.use="off") ++input(type="imuxsock" Socket="'$RSYSLOG_DYNNAME'-testbench_socket" RateLimit.Interval="10" RateLimit.Burst="750" ++) ++ ++if $msg contains "msgnum:" then { ++ :msg, contains, "msgnum:" action(type="omfile" template="outfmt" ++ file=`echo $RSYSLOG_OUT_LOG`) ++} ++' ++startup ++# 1000 messages should be enough ++seq 1 1000 | sed 's/^/Test message /' | logger -d -u $RSYSLOG_DYNNAME-testbench_socket ++ ++shutdown_when_empty ++wait_shutdown ++ ++cat -n $STATSFILE ++ ++# We submitted 1000 messages within 10 seconds, so we should have 750 messages in the queue and 250 discarded ++content_check --regex "imuxsock: origin=imuxsock submitted=750 ratelimit.discarded=250 ratelimit.numratelimiters=1" "$STATSFILE" ++ ++exit_test +-- +2.43.0 + \ No newline at end of file diff --git a/backport-omjournal-Fix-priority-value.patch b/backport-omjournal-Fix-priority-value.patch new file mode 100644 index 0000000000000000000000000000000000000000..b56ac15bf4b2dcbab39699db084cb1871867f84c --- /dev/null +++ b/backport-omjournal-Fix-priority-value.patch @@ -0,0 +1,27 @@ +From dd52766a16151a3c7dcf7fe029592a8ba44d7bb0 Mon Sep 17 00:00:00 2001 +From: anis +Date: Sat, 22 Mar 2025 23:40:53 +0100 +Subject: [PATCH 2/5] omjournal: Fix priority value. + +Reference: https://github.com/rsyslog/rsyslog/commit/bf001e30b30fded6718f8a789253d31e6e274db9 +Conflict:NA +--- + plugins/omjournal/omjournal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plugins/omjournal/omjournal.c b/plugins/omjournal/omjournal.c +index 7668db9..da3c224 100644 +--- a/plugins/omjournal/omjournal.c ++++ b/plugins/omjournal/omjournal.c +@@ -263,7 +263,7 @@ send_non_template_message(smsg_t *const __restrict__ pMsg) + * is some real user interest. We can always add later... + */ + sd_journal_send("MESSAGE=%s", getMSG(pMsg), +- "PRIORITY=%d", sev, ++ "PRIORITY=%d", (pMsg->iFacility * 8) | sev, + "SYSLOG_FACILITY=%d", pMsg->iFacility, + "SYSLOG_IDENTIFIER=%s", tag, + NULL); +-- +2.43.0 + \ No newline at end of file diff --git a/backport-omusrmsg-bugfix-potential-double-free-which-can-cause.patch b/backport-omusrmsg-bugfix-potential-double-free-which-can-cause.patch new file mode 100644 index 0000000000000000000000000000000000000000..f9935031df8d4d5dae5425120083ba08518f3a7a --- /dev/null +++ b/backport-omusrmsg-bugfix-potential-double-free-which-can-cause.patch @@ -0,0 +1,69 @@ +From 446501a9a57d1d2f0510ee5798b51dd278fb6762 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Thu, 14 Dec 2023 12:57:00 +0100 +Subject: [PATCH 1/2] omusrmsg bugfix: potential double free, which can cause + segfault + +omusrmsg frees a string which points to OS/system library memory. When +the os/libs clean up, it frees the memory as well. This results in a +double free. This bug interestingly seems to go unnoticed in many cases. +But it can cause a segfault or hard-to-trace memory corruptions which +could lead to other problems later on. The outcome of this bug most +probably depdns on os/library versions. + +closes https://github.com/rsyslog/rsyslog/issues/5294 + +Reference:https://github.com/rsyslog/rsyslog/commit/c7c16b935c4b3fb740eacbd5dbb043f5cd457acd +Conflict:NA +--- + tools/omusrmsg.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/tools/omusrmsg.c b/tools/omusrmsg.c +index aaa36d9..479db5b 100644 +--- a/tools/omusrmsg.c ++++ b/tools/omusrmsg.c +@@ -272,14 +272,15 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData) + + for (j = 0; j < sessions; j++) { + uchar szErr[512]; +- char *user = NULL, *tty; ++ char *tty; ++ const char *user = NULL; + uid_t uid; + struct passwd *pws; + + sdRet = sd_session_get_uid(sessions_list[j], &uid); + if (sdRet >= 0) { + pws = getpwuid(uid); +- user = pws->pw_name; ++ user = pws->pw_name; /* DO NOT FREE, OS/LIB internal memory! */ + + if (user == NULL) { + dbgprintf("failed to get username for userid '%d'\n", uid); +@@ -303,7 +304,6 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData) + break; + } + if(i == MAXUNAMES) { /* user not found? */ +- free(user); + free(sessions_list[j]); + continue; /* on to next user! */ + } +@@ -313,14 +313,12 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData) + rs_strerror_r(-sdRet, (char*)szErr, sizeof(szErr)); + dbgprintf("get tty for session '%s' failed with [%d]:%s\n", + sessions_list[j], -sdRet, szErr); +- free(user); + free(sessions_list[j]); + continue; /* try next session */ + } + + sendwallmsg(tty, pMsg); + +- free(user); + free(tty); + free(sessions_list[j]); + } +-- +2.33.0 + diff --git a/backport-omusrmsg-bugfix-potential-null-pointer-dereference-c.patch b/backport-omusrmsg-bugfix-potential-null-pointer-dereference-c.patch new file mode 100644 index 0000000000000000000000000000000000000000..316b92dbe1ec6f7a1d768e35f61a5f6fb4b8a568 --- /dev/null +++ b/backport-omusrmsg-bugfix-potential-null-pointer-dereference-c.patch @@ -0,0 +1,70 @@ +From c82275463ba7120c90b4d7b09ee620d81395c084 Mon Sep 17 00:00:00 2001 +From: Qiumiao Zhang +Date: Tue, 23 Sep 2025 20:06:23 +0800 +Subject: [PATCH] omusrmsg bugfix: potential null pointer dereference causes + segfault + +If there is no user in the data base with user ID uid, getpwuid() returns a null +pointer value. Therefore, it is necessary to check the return value of the function +to prevent segfault caused by dereference of null pointer. + +In addition: +[1] Free the memory allocated for the current session identifier sessions_list[j] +to prevent a memory leak. + +[2] Use LogError instead of dbgprintf to display error reports to the user. + +Reference:https://github.com/rsyslog/rsyslog/commit/dc8b4ce70d9dd0bfc6d31460d0fb3940ce8c1b98 +Conflict:NA +--- + tools/omusrmsg.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/tools/omusrmsg.c b/tools/omusrmsg.c +index 479db5b..23d436b 100644 +--- a/tools/omusrmsg.c ++++ b/tools/omusrmsg.c +@@ -280,17 +280,26 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData) + sdRet = sd_session_get_uid(sessions_list[j], &uid); + if (sdRet >= 0) { + pws = getpwuid(uid); ++ ++ if (pws == NULL) { ++ LogError(0, NO_ERRCODE, "failed to get passwd for userid '%d'\n", uid); ++ free(sessions_list[j]); ++ continue; ++ } ++ + user = pws->pw_name; /* DO NOT FREE, OS/LIB internal memory! */ + + if (user == NULL) { +- dbgprintf("failed to get username for userid '%d'\n", uid); ++ LogError(0, NO_ERRCODE, "failed to get username for userid '%d'\n", uid); ++ free(sessions_list[j]); + continue; + } + } else { + /* we record the state to the debug log */ + rs_strerror_r(-sdRet, (char*)szErr, sizeof(szErr)); +- dbgprintf("get userid for session '%s' failed with [%d]:%s\n", +- sessions_list[j], -sdRet, szErr); ++ LogError(0, NO_ERRCODE, "get userid for session '%s' failed with [%d]:%s\n", sessions_list[j], -sdRet, ++ szErr); ++ free(sessions_list[j]); + continue; /* try next session */ + } + /* should we send the message to this user? */ +@@ -311,8 +320,8 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData) + if ((sdRet = sd_session_get_tty(sessions_list[j], &tty)) < 0) { + /* we record the state to the debug log */ + rs_strerror_r(-sdRet, (char*)szErr, sizeof(szErr)); +- dbgprintf("get tty for session '%s' failed with [%d]:%s\n", +- sessions_list[j], -sdRet, szErr); ++ LogError(0, NO_ERRCODE, "get tty for session '%s' failed with [%d]:%s\n", sessions_list[j], -sdRet, ++ szErr); + free(sessions_list[j]); + continue; /* try next session */ + } +-- +2.33.0 + \ No newline at end of file diff --git a/rsyslog.spec b/rsyslog.spec index 69965d636998bdc032e491c8293393a37a682ddb..8209c22c6785c212231859d4ba41fd3dfa25b230 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -7,7 +7,7 @@ Name: rsyslog Version: 8.2312.0 -Release: 9 +Release: 10 Summary: The rocket-fast system for log processing License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ @@ -54,6 +54,15 @@ Patch6018: backport-0007-core-fix-potential-misadressing-in-sigmask.patch Patch6019: backport-0008-covscan-remove-defect-type-of-RESOURCE_LEAK.patch Patch6020: backport-0009-Fix-a-buffer-overflow-when-the-argument-to-replace-i.patch +Patch6021: backport-imuxsock-Add-statistics-counter-for-discarded-messag.patch +Patch6022: backport-omjournal-Fix-priority-value.patch +Patch6023: backport-fix-stringop-overread-warning-in-omusrmsg.patch +Patch6024: backport-fix-hashtable-realloc-memset-range.patch +Patch6025: backport-fix-off-by-one-buffer-overflow.patch +Patch6026: backport-imjournal-fix-double-sd_journal_close-during-thread.patch +Patch6027: backport-omusrmsg-bugfix-potential-double-free-which-can-cause.patch +Patch6028: backport-omusrmsg-bugfix-potential-null-pointer-dereference-c.patch + BuildRequires: gcc autoconf automake bison dos2unix flex pkgconfig python3-docutils libtool BuildRequires: libgcrypt-devel libuuid-devel zlib-devel krb5-devel libnet-devel gnutls-devel BuildRequires: libfastjson-devel >= 0.99.8 libestr-devel >= 0.1.9 python-sphinx @@ -529,6 +538,19 @@ done %{_mandir}/man1/rscryutil.1.gz %changelog +* Sat Oct 25 2025 zhangqiumiao - 8.2312.0-10 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:omusrmsg bugfix: potential null pointer dereference causes segfault + omusrmsg bugfix: potential double free, which can cause segfault + imjournal: fix double sd_journal_close() during thread cancellation + imuxsock: Add statistics counter for discarded messages + omjournal: Fix priority value + fix stringop-overread warning in omusrmsg + fix hashtable realloc memset range + fix off-by-one buffer overflow + * Mon Aug 4 2025 zhangqiumiao - 8.2312.0-9 - Type:bugfix - ID:NA