Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: Laurent Bigonville <bigon@debian.org>
Cc: linux-audit@redhat.com
Subject: Re: Crash when loading the rules
Date: Wed, 06 Jul 2016 14:13:00 -0400
Message-ID: <22585411.CZ1HLvxr1I@x2>
In-Reply-To: <4b9c1eed-c988-9ee8-3326-2d6957be3e6d@debian.org>

Hello,

I received the strace file which made the email too big for the mail list.
I'm including the important part below.

On Wednesday, July 6, 2016 6:31:00 PM EDT Laurent Bigonville wrote:
> On 06/07/16 at 18:23, Steve Grubb wrote:
> > So, I'm not sure why you are getting a
> > core dump. If this is reproducible it might be good to get an strace to see
> > what is being handed to writev. Or maybe try it from valgrind to see if
> > that gives additional information.
> 
> Valgrind is a bit broken in debian unstable due to the compressed debug
> symbols.
> 
> I've attached here the output of strace


[pid  1595] write(4</var/log/audit/audit.log>, "type=SYSCALL msg=audit(1467798264.913:1259): arch=c000003e syscall=47 success=yes exit=267 a0=6 a1=7ffe30a5e630 a2=40000040 a3=ffffffff items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"systemd-journal\" exe=\"/lib/systemd/systemd-journald\" subj=system_u:system_r:syslogd_t:s0 key=(null)\n", 364) = 364
[pid  1595] fstatfs(4</var/log/audit/audit.log>, {f_type=EXT2_SUPER_MAGIC, f_bsize=4096, f_blocks=3838052, f_bfree=1172381, f_bavail=987245, f_files=977280, f_ffree=703441, f_fsid={9930339, 726475040}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0

This shows that it made it to write_to_log and then called check_log_file_size.

[pid  1595] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x90430527} ---
[pid  1602] +++ killed by SIGSEGV (core dumped) +++
+++ killed by SIGSEGV (core dumped) +++

The traceback is not accurate. We are somewhere else in the code. I am going
to bet that it's crashing on trying to ack because in the netlink path it's not
getting set to NULL. I updated svn with a 1 line fix. Can you either pull the
new code from svn and try it or add this patch to your build?

https://fedorahosted.org/audit/changeset/1320/trunk/src/auditd.c

Let me know if this does it.

Thanks,
-Steve
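
The failure mode guessed at in the message above (an optional callback pointer that one producer path never sets to NULL), as an added illustration that is not auditd's code or the referenced changeset. All struct, field and function names are hypothetical, and the allocator stand-in poisons memory with a constructed 0xA5 pattern so the stale value is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical event record; all names are illustrative, not auditd's. */
struct event {
    void (*ack)(void);   /* optional: NULL means "nothing to ack" */
    char msg[64];
};
static int acks_sent;
static void send_ack(void) { acks_sent++; }

/* Returns dirty memory, as malloc() may when it reuses a freed chunk. */
static struct event *alloc_event(const char *msg)
{
    struct event *e = malloc(sizeof(*e));
    if (!e) abort();               /* sketch only: no OOM recovery */
    memset(e, 0xA5, sizeof(*e));   /* constructed poison pattern */
    snprintf(e->msg, sizeof(e->msg), "%s", msg);
    return e;
}

/* Path A: the sender expects an ack, so the callback is set explicitly. */
static struct event *event_from_peer(const char *msg)
{
    struct event *e = alloc_event(msg);
    e->ack = send_ack;
    return e;
}

/* Path B, buggy: ack is never assigned and keeps the stale bytes. */
static struct event *event_from_kernel_buggy(const char *msg) { return alloc_event(msg); }

/* Path B, fixed: every producer initialises the optional pointer. */
static struct event *event_from_kernel_fixed(const char *msg)
{
    struct event *e = alloc_event(msg);
    e->ack = NULL;
    return e;
}

/* The consumer's only guard; a stale non-NULL pointer passes it. */
static int consumer_would_ack(const struct event *e) { return e->ack != NULL; }

int main(void)
{
    struct event *bad = event_from_kernel_buggy("m"), *ok = event_from_kernel_fixed("m");
    printf("buggy: would_ack=%d  fixed: would_ack=%d\n", consumer_would_ack(bad), consumer_would_ack(ok));
    free(bad); free(ok);
    return 0;
}
```

The buggy event passes the consumer's NULL check with a garbage pointer, so the consumer would jump to an unmapped address, which is what a SEGV_MAPERR at an odd-looking si_addr looks like from strace.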
