From: Steve Grubb <sgrubb@redhat.com>
To: Laurent Bigonville <bigon@debian.org>
Cc: linux-audit@redhat.com
Subject: Re: Crash when loading the rules
Date: Wed, 06 Jul 2016 14:13:00 -0400 [thread overview]
Message-ID: <22585411.CZ1HLvxr1I@x2> (raw)
In-Reply-To: <4b9c1eed-c988-9ee8-3326-2d6957be3e6d@debian.org>
Hello,
I revceived the strace file which made the email too big for the mail list.
I'm including the important part below.
On Wednesday, July 6, 2016 6:31:00 PM EDT Laurent Bigonville wrote:
> Le 06/07/16 à 18:23, Steve Grubb a écrit :
> >So, I'm note sure why you are getting a
> > core dump. If this is reproducible it might be good to get an strace to see
> > what is being handed to writev. Or maybe try it from valgrind to see if
> > that gives additional information.
>
> Valgrind is a bit broken in debian unstable due to the compressed debug
> symbols.
>
> I've attached here the output of strace
[pid 1595] write(4</var/log/audit/audit.log>, "type=SYSCALL msg=audit(1467798264.913:1259): arch=c000003e syscall=47 success=yes exit=267 a0=6 a1=7ffe30a5e630 a2=40000040 a3=ffffffff items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"systemd-journal\" exe=\"/lib/systemd/systemd-journald\" subj=system_u:system_r:syslogd_t:s0 key=(null)\n", 364) = 364
[pid 1595] fstatfs(4</var/log/audit/audit.log>, {f_type=EXT2_SUPER_MAGIC, f_bsize=4096, f_blocks=3838052, f_bfree=1172381, f_bavail=987245, f_files=977280, f_ffree=703441, f_fsid={9930339, 726475040}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
This shows that it made it to write_to_log and then called check_log_file_size
[pid 1595] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x90430527} ---
[pid 1602] +++ killed by SIGSEGV (core dumped) +++
+++ killed by SIGSEGV (core dumped) +++
The traceback is not accurate. We are somewhere else in the code. I am going
to bet that its crashing on trying to ack because in the netlink path its not
getting set to NULL. I updated svn with a 1 line fix. Can you either pull the
new code from svn and try it or add this patch to your build?
https://fedorahosted.org/audit/changeset/1320/trunk/src/auditd.c
Let me know if this does it.
Thanks,
-Steve
next prev parent reply other threads:[~2016-07-06 18:13 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-06 14:49 Crash when loading the rules Laurent Bigonville
2016-07-06 15:23 ` Steve Grubb
2016-07-06 15:26 ` Laurent Bigonville
2016-07-06 16:23 ` Steve Grubb
[not found] ` <4b9c1eed-c988-9ee8-3326-2d6957be3e6d@debian.org>
2016-07-06 18:13 ` Steve Grubb [this message]
2016-07-07 9:35 ` Laurent Bigonville
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22585411.CZ1HLvxr1I@x2 \
--to=sgrubb@redhat.com \
--cc=bigon@debian.org \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.