Re: BUG: segfault on systemctl auditd stop

[Steve Grubb <sgrubb@redhat.com>]

Hello,

On Wednesday, August 11, 2021 1:32:37 PM EDT Brown, Thomas wrote:
> The following auditd segfault occurs during shutdown but can be
> reproduced using the service stop command...

Which version of the audit package is this? There was a known shutdown 
problem on 3.0.3 that was fixed in 3.0.4.


> service auditd stop 2root@aug-test:/# 2021 Aug 4 12:47:22 aug-test
> Process 687 (auditd) of user 0 dumped core. 34Stack trace of thread 687:
> 5#0 0x00007f18bb1657e4 fclose (libc.so.6) 6#1 0x000055b88ab50ec0 n/a
> (auditd) 7#2 0x000055b88ab4e421 n/a (auditd) 8#3 0x000055b88ab4d9a7 n/a
> (auditd) 9#4 0x00007f18bb11a09b __libc_start_main (libc.so.6) 10#5
> 0x000055b88ab4df4a n/a (auditd)

This says auditd dumped core on a fclose. My guess would be that it's in 
auditd-event.c.
 
> Setting AUDIT_WRITE_LOGS to "yes" corrects this problem however we have
> a requirement to disable these logs (i.e. AUDIT_WRITE_LOGS needs to be
> set to "no")
> 
> After perusing the source I suspect that one of these unconditional
> fclose()s is causing the problem...

Thanks for looking. But the patch applies to standalone utilities rather than 
the audit daemon.

<snip>

> However I have not tested these changes.  Even though this is a benign
> problem I believe that it warrants a correction. Please open a ticket
> and respond with the ticket id so that we can track this problem/solution.

I am about to release audit-3.0.5 today. I think I see a couple places where 
this could use an if (log_file). It would be helpful to know which version of 
the audit package that you are using.

Thanks,
-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit