Crash when loading the rules

Steve Grubb sgrubb at redhat.com
Wed Jul 6 16:23:23 UTC 2016


On Wednesday, July 6, 2016 5:26:44 PM EDT Laurent Bigonville wrote:
> Hello,

> Le 06/07/16 à 17:23, Steve Grubb a écrit :
> > On Wednesday, July 6, 2016 4:49:58 PM EDT Laurent Bigonville wrote:
> >> With 2.6.3, when loading the rules, it's crashing and I get the
> >> following backtrace:
> >> 
> >> #0  0x00007ffff687e99d in writev () at ../sysdeps/unix/syscall-template.S:84
> >> #1  0x00005555555610ab in dispatch_event (rep=<optimized out>, is_err=0) at ../../../src/auditd-dispatch.c:189
> >> #2  0x000055555555a700 in distribute_event (e=0x555555779d80) at ../../../src/auditd.c:216
> >> #3  0x000055555555aac8 in netlink_handler (loop=<optimized out>, io=<optimized out>, revents=<optimized out>) at ../../../src/auditd.c:500
>
> > By any chance does syslog show that the dispatcher exited due to no active
> > plugins?
> 
> This is what I see in syslog:
> 
> Jul  6 17:25:15 valinor systemd[1]: Starting Security Auditing Service...
> Jul  6 17:25:15 valinor auditd[604]: Started dispatcher: /sbin/audispd
> pid: 608
> Jul  6 17:25:15 valinor audispd: priority_boost_parser called with: 4
> Jul  6 17:25:15 valinor audispd: max_restarts_parser called with: 10
> Jul  6 17:25:15 valinor audispd: No plugins found, exiting

OK. When this happens we should get a SIGCHLD which causes the handler to mark 
the writev pipe descriptor as -1. This is checked for on the way to the 
writev. So, maybe there is a race where the descriptor was ok at entry but the 
child process was gone at writev time. This should have resulted in a SIGPIPE, 
which does not core dump but does terminate auditd. This can and should be 
fixed.

However, you are getting a core dump. The only thing I can think of is if 
vec[1].iov_base was assigned an invalid address. I tested this and I get 

writev(6, [{"\1\0\0\0\20\0\0\0j\4\0\0\377\0\0\0", 16}, {NULL, 255}], 2) = -1 EFAULT (Bad address)

which also does not core dump. So, I'm not sure why you are getting a core 
dump. If this is reproducible it might be good to get an strace to see what is 
being handed to writev. Or maybe try it from valgrind to see if that gives 
additional information.

-Steve

> Jul  6 17:25:16 valinor kernel: [20575.773688] audit: netlink_unicast
> sending to audit_pid=604 returned error: -111
> Jul  6 17:25:16 valinor systemd[1]: auditd.service: Main process exited,
> code=dumped, status=11/SEGV
> Jul  6 17:25:16 valinor systemd[1]: auditd.service: Unit entered failed
> state.
> Jul  6 17:25:16 valinor systemd[1]: auditd.service: Failed with result
> 'core-dump'.
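
The two failure modes Steve distinguishes above (a SIGPIPE that kills the daemon without a core when the dispatcher has gone away, versus an EFAULT from a bad iov_base that does not kill it) can be reproduced outside auditd. The following is an added example, not auditd's or audispd's code: it performs a two-element writev() in the shape of dispatch_event() (a 16-byte header plus the record) against a pipe, runs each probe in a forked child so a fatal signal cannot take the caller down, and reports what the writer saw. The header bytes, the sample record text and the function names are all made up for the illustration.

```c
/* Added example, not auditd's code: what writev() to the dispatcher pipe does
 * once the reader is gone, with SIGPIPE fatal (the default) vs. ignored, and
 * what an invalid iov_base does. Each probe runs in a forked child. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Two-iovec write in the shape of dispatch_event(): a 16-byte header followed
 * by the record text. Returns 0, or -1 with errno set by writev(). */
static int send_event(int fd, const void *record, size_t rlen)
{
    unsigned char hdr[16] = {0};          /* stand-in header; contents irrelevant here */
    struct iovec vec[2];
    vec[0].iov_base = hdr;
    vec[0].iov_len  = sizeof hdr;
    vec[1].iov_base = (void *)record;
    vec[1].iov_len  = rlen;
    return writev(fd, vec, 2) < 0 ? -1 : 0;
}

enum probe {
    NO_READER_SIGPIPE_DEFAULT,   /* dispatcher exited, SIGPIPE left fatal  */
    NO_READER_SIGPIPE_IGNORED,   /* dispatcher exited, SIGPIPE ignored     */
    BAD_IOV_BASE                 /* reader alive, record pointer is NULL   */
};

/* Result: errno from writev() (positive), 0 if it succeeded, or -signo if the
 * writing process was killed by a signal; -255 if the harness itself failed. */
int probe_writev(enum probe mode)
{
    int p[2], status;
    if (pipe(p) < 0)
        return -255;
    if (mode != BAD_IOV_BASE)
        close(p[0]);                      /* no reader anywhere: "No plugins found, exiting" */

    pid_t pid = fork();
    if (pid < 0)
        return -255;
    if (pid == 0) {
        /* constructed sample record, not a real audit event */
        static const char rec[] = "type=DAEMON_START msg=audit(0.0:0): op=start";
        const void *base = (mode == BAD_IOV_BASE) ? NULL : rec;
        size_t len = (mode == BAD_IOV_BASE) ? 255 : sizeof rec;
        signal(SIGPIPE, mode == NO_READER_SIGPIPE_IGNORED ? SIG_IGN : SIG_DFL);
        _exit(send_event(p[1], base, len) < 0 ? errno : 0);
    }
    close(p[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -255;
    if (mode == BAD_IOV_BASE)
        close(p[0]);                      /* keep the reader alive until the child is done */
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);         /* e.g. -13: killed by SIGPIPE, no core */
    return WEXITSTATUS(status);           /* EPIPE or EFAULT: an error the caller can handle */
}

int main(void)
{
    printf("no reader, SIGPIPE default : %d\n", probe_writev(NO_READER_SIGPIPE_DEFAULT));
    printf("no reader, SIGPIPE ignored : %d\n", probe_writev(NO_READER_SIGPIPE_IGNORED));
    printf("NULL iov_base, reader alive: %d\n", probe_writev(BAD_IOV_BASE));
    return 0;
}
```

The first probe is the case Steve describes: the descriptor was still valid when checked, the reader was gone by the time writev() ran, and the writer is terminated by SIGPIPE with no core dump (the kernel then reports its own netlink_unicast error when it can no longer reach the audit_pid). The second shows why the SIGCHLD-sets-fd-to-minus-one check alone cannot close the window: only making SIGPIPE non-fatal turns the vanished reader into an EPIPE return that the write path can treat exactly like fd == -1. The third probe confirms the other observation in the mail: a NULL iov_base is rejected by the kernel (Linux reports EFAULT, the same "-1 EFAULT" the strace shows) and does not crash the writer, so an invalid address in vec[1] would not by itself explain a SIGSEGV.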
