From: Steve Grubb
Subject: Re: Bug#859120: ausearch -i segfault
Date: Thu, 30 Mar 2017 13:16:46 -0400
Message-ID: <31726054.vLjpktXK65@x2>
To: linux-audit@redhat.com
Cc: 859120-forwarded@bugs.debian.org, cgzones

Hello,

On Thursday, March 30, 2017 12:27:29 PM EDT Laurent Bigonville wrote:
> On 30/03/17 at 15:56, cgzones wrote:
> I just received the following bug in Debian:
> > ausearch segfaults on the following input in interpret mode:
> >
> > /sbin/ausearch -i --input file
> >
> > type=AVC msg=audit(1490829425.686:121): avc: denied { bind } for
> > pid=1034 comm="darkstat" scontext=system_u:system_r:darkstat_t:s0
> > tcontext=system_u:system_r:darkstat_t:s0 tclass=packet_socket
> > permissive=0
> > type=SYSCALL msg=audit(1490829425.686:121): arch=c000003e syscall=49
> > success=no exit=-13 a0=3 a1=7ffce52e04b0 a2=14 a3=373 items=0
> > ppid=1033 pid=1034 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="darkstat"
> > exe="/usr/sbin/darkstat" subj=system_u:system_r:darkstat_t:s0
> > key=(null)
> > type=SOCKADDR msg=audit(1490829425.686:121):
> > saddr=1100000302000000000000000000000000000000
> > type=PROCTITLE msg=audit(1490829425.686:121):
> > proctitle=2F7573722F7362696E2F6461726B73746174002D6900656E70307333002D2D63
> > 68726F6F74002F7661722F6C69622F6461726B73746174002D2D70696466696C65002F7661
> > 722F72756E2F6461726B737461742E706964002D2D696D706F7274006461726B737461742E
> > 6462002D2D6578706F7274006461726B737461742E64
> The user is running version 2.6.7 (the version that will be shipped in
> the upcoming stable release).

I just committed the fix for this. You can find it here:

https://github.com/linux-audit/audit-userspace/commit/f85cb62f10644e347c16541c8aa988219a3b3501

Thanks for reporting it.

-Steve

> I can actually reproduce the issue with the following one line:
>
> type=SOCKADDR msg=audit(1490829425.686:121):
> saddr=1100000302000000000000000000000000000000
>
> I got the following stacktrace:
>
> #0 strlen () at ../sysdeps/x86_64/strlen.S:106
> #1 0x00007ffff79a04da in auparse_do_interpretation (type=type@entry=9,
> id=id@entry=0x7fffffffde00) at ../../../auparse/interpret.c:2917
> #2 0x000055555555d3f1 in interpret (rtype=1306, comma=0,
> val=0x555555771a93 "1100000302", '0' , name= out>) at ../../../src/ausearch-report.c:359
> #3 output_interpreted_node (n=0x555555771bd0, e=e@entry=0x555555771ae8)
> at ../../../src/ausearch-report.c:296
> #4 0x000055555555d9e3 in output_interpreted (l=0x555555771ad0) at
> ../../../src/ausearch-report.c:151
> #5 output_record (l=0x555555771ad0) at ../../../src/ausearch-report.c:80
> #6 0x0000555555557cac in process_log_fd () at ../../../src/ausearch.c:445
> #7 0x000055555555782b in main (argc=4, argv=0x7fffffffe098) at
> ../../../src/ausearch.c:140
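
The one-line reproducer quoted above carries a 20-byte AF_PACKET address (family 0x11, consistent with `tclass=packet_socket` in the AVC record). The following added example, which is not code from audit-userspace or from the fix commit, decodes that `saddr` value and always returns a valid string for unsupported or malformed input. Assumptions: a little-endian host as in the `arch=c000003e` record, the names `hexval`, `unhex` and `interpret_saddr` and the output format are hypothetical, and that the crash was a missing string reaching `strlen()` is inferred from the trace only.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_PACKET_NUM 17 /* Linux AF_PACKET (0x11) */
/* Value of one hex digit, or -1 if it is not one. */
static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode an audit saddr= hex string; returns byte count or -1 on bad input. */
static int unhex(const char *hex, uint8_t *buf, size_t cap)
{
    size_t n = strlen(hex);
    if (n % 2 || n / 2 > cap) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        buf[i] = (uint8_t)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* Hypothetical helper, not auparse's API: always returns out, NUL-terminated, never NULL. */
const char *interpret_saddr(const char *hex, char *out, size_t outlen)
{
    uint8_t b[128];
    int len = unhex(hex, b, sizeof(b));
    unsigned family = len >= 2 ? (unsigned)(b[0] | b[1] << 8) : 0; /* host order, LE assumed */
    if (len < 2)
        snprintf(out, outlen, "(malformed saddr)");
    else if (family == AF_PACKET_NUM && len >= 12) /* sockaddr_ll: proto is network order */
        snprintf(out, outlen, "{ fam=packet proto=0x%04x ifindex=%u }",
                 (unsigned)(b[2] << 8 | b[3]), b[4] | b[5] << 8 | b[6] << 16 | (unsigned)b[7] << 24);
    else
        snprintf(out, outlen, "{ fam=%u (unsupported) }", family);
    return out;
}

int main(void)
{
    char out[64];
    puts(interpret_saddr("1100000302000000000000000000000000000000", out, sizeof(out)));
}
```

Protocol 0x0003 is ETH_P_ALL and the interface index is 2, so the record describes a raw packet capture socket being bound.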