From: Steve Grubb
Subject: Re: Crash when loading the rules
Date: Wed, 06 Jul 2016 12:23:23 -0400
Message-ID: <2000467.RyrGO56dad@x2>
References: <1835912.PABrHuQGvY@x2> <247821ed-2bec-925a-cf1b-f9f4b60fb2ba@debian.org>
In-Reply-To: <247821ed-2bec-925a-cf1b-f9f4b60fb2ba@debian.org>
To: Laurent Bigonville
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, July 6, 2016 5:26:44 PM EDT Laurent Bigonville wrote:
> Hello,
>
> On 06/07/16 at 17:23, Steve Grubb wrote:
> > On Wednesday, July 6, 2016 4:49:58 PM EDT Laurent Bigonville wrote:
> >> With 2.6.3, when loading the rules, it's crashing and I get the
> >> following backtrace:
> >>
> >> #0 0x00007ffff687e99d in writev () at ../sysdeps/unix/syscall-template.S:84
> >> #1 0x00005555555610ab in dispatch_event (rep=, is_err=0) at ../../../src/auditd-dispatch.c:189
> >> #2 0x000055555555a700 in distribute_event (e=0x555555779d80) at ../../../src/auditd.c:216
> >> #3 0x000055555555aac8 in netlink_handler (loop=, io=, revents=) at ../../../src/auditd.c:500
> >
> > By any chance does syslog show that the dispatcher exited due to no active
> > plugins?
>
> This is what I see in syslog:
>
> Jul 6 17:25:15 valinor systemd[1]: Starting Security Auditing Service...
> Jul 6 17:25:15 valinor auditd[604]: Started dispatcher: /sbin/audispd pid: 608
> Jul 6 17:25:15 valinor audispd: priority_boost_parser called with: 4
> Jul 6 17:25:15 valinor audispd: max_restarts_parser called with: 10
> Jul 6 17:25:15 valinor audispd: No plugins found, exiting

OK. When this happens we should get a SIGCHLD which causes the handler to mark
the writev pipe descriptor as -1. This is checked for on the way to the
writev. So, maybe there is a race where the descriptor was ok at entry but the
child process was gone at writev time. This should have resulted in a SIGPIPE,
which does not core dump but does terminate auditd. This can and should be
fixed.

However, you are getting a core dump. The only thing I can think of is if
vec[1].iov_base was assigned an invalid address. I tested this and I get

writev(6, [{"\1\0\0\0\20\0\0\0j\4\0\0\377\0\0\0", 16}, {NULL, 255}], 2) = -1 EFAULT (Bad address)

which also does not core dump. So, I'm not sure why you are getting a core
dump. If this is reproducible it might be good to get an strace to see what is
being handed to writev. Or maybe try it from valgrind to see if that gives
additional information.

-Steve

> Jul 6 17:25:16 valinor kernel: [20575.773688] audit: netlink_unicast sending to audit_pid=604 returned error: -111
> Jul 6 17:25:16 valinor systemd[1]: auditd.service: Main process exited, code=dumped, status=11/SEGV
> Jul 6 17:25:16 valinor systemd[1]: auditd.service: Unit entered failed state.
> Jul 6 17:25:16 valinor systemd[1]: auditd.service: Failed with result 'core-dump'.
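The three behaviours Steve reasons about above (a check-then-writev race against a reader that has exited, SIGPIPE terminating the writer without a core dump, and a NULL iov_base being rejected with EFAULT rather than faulting the process) can be reproduced in a few dozen lines. The following is an added example written for this page; it is not code from audit's auditd-dispatch.c. The descriptor name `disp_fd`, the `dispatch_write()` helper, the 16-byte header (constructed to match the bytes in the strace line), and the choice to ignore SIGPIPE so that a dead reader surfaces as EPIPE are all assumptions of this example, not things the thread says auditd does.

```c
/* Added example, not code from the audit project. Demonstrates:
 *  1. writev() with a NULL iov_base fails with EFAULT, no SIGSEGV;
 *  2. a reader that exited between the fd check and writev() yields EPIPE
 *     when SIGPIPE is ignored, so the writer can retire the descriptor;
 *  3. with SIGPIPE at its default the writer dies, but without a core dump. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the pipe descriptor that a SIGCHLD handler
 * would set to -1 once the dispatcher child exits (name is assumed). */
static volatile sig_atomic_t disp_fd = -1;

/* Constructed 16-byte header, shaped like the one in the strace line. */
static const unsigned char hdr[16] = { 1, 0, 0, 0, 16, 0, 0, 0,
                                       'j', 4, 0, 0, 0xff, 0, 0, 0 };

/* Check-then-writev with the race closed: the fd check can still pass while
 * the reader is already gone, so a failed writev() is examined instead of
 * trusted. Returns 0 on success, -1 if the dispatcher is gone (fd retired),
 * or a positive errno for any other failure. Requires SIGPIPE ignored. */
static int dispatch_write(const void *data, size_t dlen)
{
    int fd = disp_fd;              /* snapshot; a handler may clear it after this */
    if (fd < 0)
        return -1;
    struct iovec vec[2] = { { (void *)hdr, sizeof hdr }, { (void *)data, dlen } };
    ssize_t n;
    do {
        n = writev(fd, vec, 2);
    } while (n < 0 && errno == EINTR);
    if (n >= 0)
        return 0;
    if (errno == EPIPE) {          /* reader vanished after the check above */
        disp_fd = -1;
        return -1;
    }
    return errno;
}

/* Live pipe, but vec[1].iov_base is NULL: returns the errno the kernel
 * hands back (EFAULT); the process is not killed. */
int demo_null_iov(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    signal(SIGPIPE, SIG_IGN);
    disp_fd = fds[1];
    int rc = dispatch_write(NULL, 255);
    close(fds[0]);
    close(fds[1]);
    disp_fd = -1;
    return rc;
}

/* The reader (stand-in for a dispatcher that exits with "No plugins found")
 * is gone before we write. Returns -1 from dispatch_write(), which also
 * retires disp_fd. */
int demo_reader_gone(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -2;
    signal(SIGPIPE, SIG_IGN);
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {                /* child holds the read end, then exits */
        close(fds[1]);
        _exit(0);
    }
    close(fds[0]);                 /* parent keeps only the write end */
    waitpid(pid, NULL, 0);         /* now there are no readers at all */
    disp_fd = fds[1];
    int rc = dispatch_write("payload", 8);
    close(fds[1]);
    return rc;
}

/* Same dead pipe, SIGPIPE at its default: the writer is terminated by
 * SIGPIPE. Returns the terminating signal, -2 if a core was dumped,
 * -1 on setup failure or if the writer was not killed by a signal. */
int demo_default_sigpipe(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    close(fds[0]);                 /* drop the read end before forking: zero readers */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                /* child is the writer this time */
        signal(SIGPIPE, SIG_DFL);
        char c = 'x';
        struct iovec v = { &c, 1 };
        writev(fds[1], &v, 1);     /* no readers: raises SIGPIPE */
        _exit(0);                  /* not reached */
    }
    close(fds[1]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSIGNALED(status))
        return -1;
    return WCOREDUMP(status) ? -2 : WTERMSIG(status);
}

int main(void)
{
    printf("NULL iov_base   -> errno %d (EFAULT is %d)\n", demo_null_iov(), EFAULT);
    int rc = demo_reader_gone();
    printf("reader gone     -> rc %d, disp_fd %d\n", rc, (int)disp_fd);
    printf("default SIGPIPE -> signal %d (SIGPIPE is %d)\n", demo_default_sigpipe(), SIGPIPE);
    return 0;
}
```

The point of `dispatch_write()` is that the `disp_fd < 0` check alone cannot close the window Steve describes; treating EPIPE as "the dispatcher is gone" does, and it only works if SIGPIPE is ignored or blocked, since otherwise the default action terminates the writer before errno is ever seen. Neither path produces a SIGSEGV, which is why a core dump points at something else, such as the invalid iov_base Steve tests for.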