* BUG: segfault on systemctl auditd stop
@ 2021-08-11 17:32 Brown, Thomas
2021-08-11 19:04 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Brown, Thomas @ 2021-08-11 17:32 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 3765 bytes --]
Hello,
The following auditd segfault occurs during shutdown but can be
reproduced using the service stop command...
service auditd stop 2root@aug-test:/# 2021 Aug 4 12:47:22 aug-test
Process 687 (auditd) of user 0 dumped core. 34Stack trace of thread 687:
5#0 0x00007f18bb1657e4 fclose (libc.so.6) 6#1 0x000055b88ab50ec0 n/a
(auditd) 7#2 0x000055b88ab4e421 n/a (auditd) 8#3 0x000055b88ab4d9a7 n/a
(auditd) 9#4 0x00007f18bb11a09b __libc_start_main (libc.so.6) 10#5
0x000055b88ab4df4a n/a (auditd)
Setting AUDIT_WRITE_LOGS to "yes" corrects this problem however we have
a requirement to disable these logs (i.e. AUDIT_WRITE_LOGS needs to be
set to "no")
After perusing the source I suspect that one of these unconditional
fclose()s is causing the problem...
git diff ./src/aureport.c
diff --git a/src/aureport.c b/src/aureport.c
index 22618f0..6359144 100644
--- a/src/aureport.c
+++ b/src/aureport.c
@@ -277,7 +277,8 @@ static int process_log_fd(const char *filename)
list_clear(entries);
free(entries);
} while (ret == 0);
- fclose(log_fd);
+ if (log_fd)
+ fclose(log_fd);
// This is the per file action items
very_last_event.sec = last_event.sec;
very_last_event.milli = last_event.milli;
git diff ./src/ausearch.c
diff --git a/src/ausearch.c b/src/ausearch.c
index 4a6bdae..df14df5 100644
--- a/src/ausearch.c
+++ b/src/ausearch.c
@@ -481,7 +481,8 @@ static int process_log_fd(void)
checkpt_failure |= CP_CORRUPTED;
list_clear(entries);
free(entries);
- fclose(log_fd);
+ if (log_fd)
+ fclose(log_fd);
return 10;
}
if (just_one) {
@@ -497,7 +498,8 @@ static int process_log_fd(void)
if (set_ChkPtLastEvent(&entries->e)) {
list_clear(entries);
free(entries);
- fclose(log_fd);
+ if (log_fd)
+ fclose(log_fd);
return 4; /* no memory */
}
}
@@ -505,7 +507,8 @@ static int process_log_fd(void)
list_clear(entries);
free(entries);
} while (ret == 0);
- fclose(log_fd);
+ if (log_fd)
+ fclose(log_fd);
return 0;
}
However I have not tested these changes. Even though this is a benign
problem I believe that it warrants a correction. Please open a ticket
and respond with the ticket id so that we can track this problem/solution.
--
Kind Regards,
Thomas Brown
Linux Developer
EPS PBU RT Solution Services
411 Leggett Drive
Suite 502
Kanata, ON, Canada
K2K 3C9
Tel: 613-963-1016
Fax: 613-599-1060
[-- Attachment #1.2: Type: text/html, Size: 19765 bytes --]
[-- Attachment #2: Type: text/plain, Size: 106 bytes --]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: BUG: segfault on systemctl auditd stop
2021-08-11 17:32 BUG: segfault on systemctl auditd stop Brown, Thomas
@ 2021-08-11 19:04 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2021-08-11 19:04 UTC (permalink / raw)
To: linux-audit; +Cc: Brown, Thomas
Hello,
On Wednesday, August 11, 2021 1:32:37 PM EDT Brown, Thomas wrote:
> The following auditd segfault occurs during shutdown but can be
> reproduced using the service stop command...
Which version of the audit package is this? There was a known shutdown
problem on 3.0.3 that was fixed in 3.0.4.
> service auditd stop 2root@aug-test:/# 2021 Aug 4 12:47:22 aug-test
> Process 687 (auditd) of user 0 dumped core. 34Stack trace of thread 687:
> 5#0 0x00007f18bb1657e4 fclose (libc.so.6) 6#1 0x000055b88ab50ec0 n/a
> (auditd) 7#2 0x000055b88ab4e421 n/a (auditd) 8#3 0x000055b88ab4d9a7 n/a
> (auditd) 9#4 0x00007f18bb11a09b __libc_start_main (libc.so.6) 10#5
> 0x000055b88ab4df4a n/a (auditd)
This says auditd dumped core on a fclose. My guess would be that it's in
auditd-event.c.
> Setting AUDIT_WRITE_LOGS to "yes" corrects this problem however we have
> a requirement to disable these logs (i.e. AUDIT_WRITE_LOGS needs to be
> set to "no")
>
> After perusing the source I suspect that one of these unconditional
> fclose()s is causing the problem...
Thanks for looking. But the patch applies to standalone utilities rather than
the audit daemon.
<snip>
> However I have not tested these changes. Even though this is a benign
> problem I believe that it warrants a correction. Please open a ticket
> and respond with the ticket id so that we can track this problem/solution.
I am about to release audit-3.0.5 today. I think I see a couple places where
this could use an if (log_file). It would be helpful to know which version of
the audit package that you are using.
Thanks,
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-08-11 19:06 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-08-11 17:32 BUG: segfault on systemctl auditd stop Brown, Thomas
2021-08-11 19:04 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).