From: Steve Grubb
Subject: Re: Crash when loading the rules
Date: Wed, 06 Jul 2016 14:13:00 -0400
Message-ID: <22585411.CZ1HLvxr1I@x2>
In-Reply-To: <4b9c1eed-c988-9ee8-3326-2d6957be3e6d@debian.org>
To: Laurent Bigonville
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

I received the strace file, which made the email too big for the mail list. I'm including the important part below.

On Wednesday, July 6, 2016 6:31:00 PM EDT Laurent Bigonville wrote:
> On 06/07/16 at 18:23, Steve Grubb wrote:
> > So, I'm not sure why you are getting a core dump. If this is reproducible it might be good to get an strace to see what is being handed to writev. Or maybe try it from valgrind to see if that gives additional information.
>
> Valgrind is a bit broken in debian unstable due to the compressed debug symbols.
>
> I've attached here the output of strace

[pid 1595] write(4, "type=SYSCALL msg=audit(1467798264.913:1259): arch=c000003e syscall=47 success=yes exit=267 a0=6 a1=7ffe30a5e630 a2=40000040 a3=ffffffff items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"systemd-journal\" exe=\"/lib/systemd/systemd-journald\" subj=system_u:system_r:syslogd_t:s0 key=(null)\n", 364) = 364
[pid 1595] fstatfs(4, {f_type=EXT2_SUPER_MAGIC, f_bsize=4096, f_blocks=3838052, f_bfree=1172381, f_bavail=987245, f_files=977280, f_ffree=703441, f_fsid={9930339, 726475040}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0

This shows that it made it to write_to_log and then called check_log_file_size.

[pid 1595] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x90430527} ---
[pid 1602] +++ killed by SIGSEGV (core dumped) +++
+++ killed by SIGSEGV (core dumped) +++

The traceback is not accurate. We are somewhere else in the code. I am going to bet that it's crashing on trying to ack because in the netlink path it's not getting set to NULL. I updated svn with a 1 line fix. Can you either pull the new code from svn and try it or add this patch to your build?

https://fedorahosted.org/audit/changeset/1320/trunk/src/auditd.c

Let me know if this does it.

Thanks,
-Steve
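The record that auditd was writing when it crashed is a standard kernel SYSCALL record, and it is worth being able to read it without the audit tooling: auid=4294967295 and ses=4294967295 are the kernel's unsigned -1, meaning the process (here systemd-journald, ppid=1) was never attached to a login session, and arch=c000003e with syscall=47 is recvmsg on x86_64. The parser below is an added example and not code from the mail, from auditd, or from the audit userspace project. The first sample input is the record from the strace write() above with strace's backslash escaping of the embedded quotes removed; the second (HEX_RECORD, with a process name containing a space) is constructed to show the kernel's hex encoding of string fields that contain spaces, quotes or control characters, which it emits without quotes. The syscall table is a small partial table of x86_64 numbers, not a complete one.

```python
import re

# Constructed sample input: the SYSCALL record from the strace write() in the
# mail above, with strace's backslash escaping of the embedded quotes undone.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1467798264.913:1259): arch=c000003e syscall=47 '
    'success=yes exit=267 a0=6 a1=7ffe30a5e630 a2=40000040 a3=ffffffff items=0 '
    'ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" '
    'exe="/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 '
    'key=(null)\n'
)

# Constructed sample input (not from the mail): a record whose comm field the
# kernel hex-encoded because the process name "my tool" contains a space.
HEX_RECORD = (
    'type=SYSCALL msg=audit(1467798300.000:1300): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1108 pid=1200 auid=1000 uid=1000 ses=3 '
    'comm=6D7920746F6F6C exe="/usr/bin/mytool" key="exec-watch"\n'
)

# (unsigned int)-1: the kernel's "unset" value for auid and ses.
UNSET_ID = 4294967295

# AUDIT_ARCH_* values: ELF machine number | 64-bit flag (0x80000000) | LE flag (0x40000000).
AUDIT_ARCH = {
    "c000003e": "x86_64",
    "40000003": "i386",
    "40000028": "arm",
    "c00000b7": "aarch64",
}

# Partial x86_64 syscall table, only the numbers this example needs.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 44: "sendto",
                   46: "sendmsg", 47: "recvmsg", 59: "execve"}

# Fields the kernel hex-encodes (unquoted) when the value is not plain printable text.
HEX_ENCODED_KEYS = {"comm", "exe", "cwd", "name", "proctitle"}

# key=value where value is either a double-quoted string (with \" escapes) or a
# run of non-whitespace; the quoted alternative is tried first so an '=' inside
# a quoted path cannot start a new field.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'^audit\((\d+)\.(\d+):(\d+)\):?$')


def _decode_value(key, raw):
    """Undo the kernel's encoding of one field value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"')
    if raw in ("(null)", "(none)"):
        return None
    if key in HEX_ENCODED_KEYS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_audit_record(line):
    """Parse one audit record line into type, timestamp, serial and decoded fields."""
    fields = {}
    for key, raw in FIELD_RE.findall(line.strip()):
        fields[key] = _decode_value(key, raw)
    m = MSG_RE.match(fields.get("msg") or "")
    if not m:
        raise ValueError("missing or malformed msg=audit(...) field")
    arch = AUDIT_ARCH.get(fields.get("arch", ""), fields.get("arch"))
    syscall_name = None
    if arch == "x86_64" and "syscall" in fields:
        syscall_name = X86_64_SYSCALLS.get(int(fields["syscall"]))
    return {
        "type": fields.get("type"),
        "timestamp": float(f"{m.group(1)}.{m.group(2)}"),
        "serial": int(m.group(3)),
        "arch": arch,
        "syscall_name": syscall_name,
        "fields": fields,
    }


def unset_session_fields(rec):
    """Names of login-session fields that carry the kernel's unset value (-1)."""
    return sorted(k for k in ("auid", "ses") if rec["fields"].get(k) == str(UNSET_ID))


if __name__ == "__main__":
    for line in (SAMPLE_RECORD, HEX_RECORD):
        rec = parse_audit_record(line)
        print(rec["serial"], rec["arch"], rec["syscall_name"],
              rec["fields"]["comm"], "unset:", unset_session_fields(rec))
```

Unset auid/ses fields are the quickest way to separate daemon activity from actions attributable to a logged-in user, and the hex decoding matters because a process can pick a comm containing spaces or quotes precisely so that naive key=value splitting misreads the record.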