Bug 294310 - syslogd crashes on startup parsing configfile
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 15.0-RELEASE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2026-04-07 18:21 UTC by Dirk Meyer
Modified: 2026-04-07 18:21 UTC
Description Dirk Meyer freebsd_committer freebsd_triage 2026-04-07 18:21:17 UTC
How to Reproduce:

Environment:
15.0-RELEASE-p5 host
15.0-RELEASE-p5 jail
Clean jail

Create a new file:
/etc/syslog.d/named.conf:
named.info\t\t\t\t\t/var/log/named

/etc/rc.d/syslogd restart

watch "/var/log/all.log" on the host or check with "dmesg"
kernel: pid 17810 (syslogd), jid 11, uid 0: exited on signal 11 (core dumped)


Diagnostics 1:

truss -f -o syslogd.truss /usr/sbin/syslogd -ss

26846: open("/etc/syslog.d/named.conf",O_RDONLY,0666) = 13 (0xd)
26846: fstat(13,{ mode=-rw-r--r-- ,inode=104202,size=105,blksize=4096 }) = 0 (0x0)
26846: read(13,"# 2026-04-07\n# (syslogd), jid 1"...,4096) = 105 (0x69)
26846: SIGNAL 11 (SIGSEGV) code=SEGV_MAPERR trapno=12 addr=0x0

Diagnostics 2:

/usr/sbin/syslogd -ss -d -v -F
[...]
reading /etc/syslog.d/named.conf
cfline("named.info                                      /var/log/named", f, "*", "*", "*")
Failed to xfer configuration nvlist: Socket is not connected
logmsg: pri 53, flags 0, from bamd14, msg Failed to xfer configuration nvlist: Socket is not connected
Logging to CONSOLE /dev/console

Diagnostics 3:

lldb /usr/sbin/syslogd --core syslogd.core
(lldb) target create "/usr/sbin/syslogd" --core "syslogd.core"
Core file '/syslogd.core' (x86_64) was loaded.
(lldb) thread backtrace all
* thread #1, name = 'syslogd', stop reason = signal SIGSEGV
  * frame #0: 0x00003061815358b3 syslogd`cfline(nvl=0x00005206da609140, line="named.info\t\t\t\t\t/var/log/named", prog="*", host="*", pfilter="*") at syslogd.c:3279:17
    frame #1: 0x0000306181535477 syslogd`parseconfigfile(cf=0x00003069a5ae41a8, allow_includes=false, nvl_conf=0x00005206da609140) at syslogd.c:2448:3
    frame #2: 0x000030618153561a syslogd`parseconfigfile(cf=0x00003069a5ae4070, allow_includes=true, nvl_conf=0x00005206da609140) at syslogd.c:2378:5
    frame #3: 0x0000306181534f0e syslogd`readconfigfile(path="/etc/syslog.conf") at syslogd.c:2468:14
    frame #4: 0x000030618153accd syslogd`casper_readconfigfile(nvlin=0x00005206da6090c0, nvlout=0x00005206da609100) at syslogd_cap_config.c:292:13
    frame #5: 0x00003069a45b6ffb libcasper.so.1`service_message(service=0x00005206da609040, sconn=0x00005206da662000) at service.c:319:11
    frame #6: 0x00003069a45b75e5 libcasper.so.1`service_start(service=0x00005206da609040, sock=14, procfd=10) at service.c:461:5
    frame #7: 0x00003069a45b64d7 libcasper.so.1`service_execute(chanfd=14) at libcasper_service.c:159:2
    frame #8: 0x00003069a45b7a68 libcasper.so.1`zygote_main(sockp=0x00003069a17809bc) at zygote.c:162:4
    frame #9: 0x00003069a45b78b9 libcasper.so.1`zygote_init at zygote.c:209:3
    frame #10: 0x00003069a45b650b libcasper.so.1`casper_main_loop(fd=<unavailable>) at libcasper_service.c:230:6
    frame #11: 0x00003069a45b59ad libcasper.so.1`cap_init at libcasper.c:102:3
    frame #12: 0x00003061815337ef syslogd`init [inlined] syslogd_cap_enter at syslogd.c:2566:15
    frame #13: 0x00003061815337ea syslogd`init(reload=false) at syslogd.c:2648:3
    frame #14: 0x0000306181532adf syslogd`main(argc=<unavailable>, argv=0x00003069a17831d8) at syslogd.c:780:2
    frame #15: 0x00003069a597037f libc.so.7`__libc_start1(argc=2, argv=0x00003069a17831d8, env=0x00003069a17831f0, cleanup=<unavailable>, mainX=(syslogd`main at syslogd.c:512)) at libc_start1.c:180:7
    frame #16: 0x0000306181531ce1 syslogd`_start at crt1_s.S:80
(lldb) p line
(const char *) 0x00003069a177e200 "named.info\t\t\t\t\t/var/log/named"
(lldb) p host
(const char *) 0x00003069a177e100 "*"
(lldb) p prog
(const char *) 0x00003069a177d900 "*"
(lldb) p p
(const char *) 0x0000000000000000


Source:
vim /usr/src/usr.sbin/syslogd/syslogd.c
function cfline()
3277 
3278         /* scan through the list of selectors */
3279         for (p = line; *p != '\0' && *p != '\t' && *p != ' ';)
3280                 p = parse_selector(p, &f);
3281 

function parse_selector()
2953                 pri = decode(buf, prioritynames);
2954                 if (pri < 0) {
2955                         dprintf("unknown priority name \"%s\"", buf);
2956                         return (NULL);
2957                 }

2976                         i = decode(buf, facilitynames);
2977                         if (i < 0) {
2978                                 dprintf("unknown facility name \"%s\"", buf);
2979                                 return (NULL);
2980                         }


I assume parse_selector() is returning "NULL",
causing *p in the loop to crash.

Caveat:
But I don't see the dprintf() lines in the output,
nor do I see the dprintf() output with truss.

The crash is reproducible in the FreeBSD base system as well.
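
Added example, not part of the original report and not FreeBSD's syslogd code: a small model of the loop shape quoted from cfline(), in which the parser's return value is tested before the loop condition reads *p again. The names parse_selector_model and scan_selectors_checked and the two name tables are hypothetical and constructed for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed name tables for this sketch; not the ones syslogd uses. */
static const char *const facilities[] = { "daemon", "mail", "kern", NULL };
static const char *const priorities[] = { "info", "err", "debug", NULL };

static int known(const char *s, size_t n, const char *const *tab)
{
	for (; *tab != NULL; tab++)
		if (strlen(*tab) == n && strncmp(s, *tab, n) == 0)
			return (1);
	return (0);
}

/* Hypothetical stand-in for parse_selector(): returns a pointer just past
 * one "facility.priority" selector, or NULL when a name is unknown. */
static const char *parse_selector_model(const char *p)
{
	size_t plen, flen = strcspn(p, ".;\t ");

	if (p[flen] != '.' || !known(p, flen, facilities))
		return (NULL);
	p += flen + 1;
	plen = strcspn(p, ";\t ");
	if (!known(p, plen, priorities))
		return (NULL);
	p += plen;
	return (*p == ';' ? p + 1 : p);
}

/* Same loop shape as the excerpt, with the result tested before reuse. */
static int scan_selectors_checked(const char *line)
{
	const char *p;

	for (p = line; *p != '\0' && *p != '\t' && *p != ' ';) {
		p = parse_selector_model(p);
		if (p == NULL)
			return (-1);	/* reject the line; no NULL dereference */
	}
	return (0);
}

int main(void)
{
	/* Constructed input: the config line from the report. */
	printf("%d\n", scan_selectors_checked("named.info\t\t\t\t\t/var/log/named"));
	return (0);
}
```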