Crash when loading the rules

Laurent Bigonville bigon at debian.org
Thu Jul 7 09:35:05 UTC 2016


On 06/07/16 at 20:13, Steve Grubb wrote:
> Hello,
>
> I received the strace file which made the email too big for the mail list.
> I'm including the important part below.
>
> On Wednesday, July 6, 2016 6:31:00 PM EDT Laurent Bigonville wrote:
>> On 06/07/16 at 18:23, Steve Grubb wrote:
>>> So, I'm not sure why you are getting a
>>> core dump. If this is reproducible it might be good to get an strace to see
>>> what is being handed to writev. Or maybe try it from valgrind to see if
>>> that gives additional information.
>> Valgrind is a bit broken in Debian unstable due to the compressed debug
>> symbols.
>>
>> I've attached here the output of strace
>
> [pid  1595] write(4</var/log/audit/audit.log>, "type=SYSCALL msg=audit(1467798264.913:1259): arch=c000003e syscall=47 success=yes exit=267 a0=6 a1=7ffe30a5e630 a2=40000040 a3=ffffffff items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"systemd-journal\" exe=\"/lib/systemd/systemd-journald\" subj=system_u:system_r:syslogd_t:s0 key=(null)\n", 364) = 364
> [pid  1595] fstatfs(4</var/log/audit/audit.log>, {f_type=EXT2_SUPER_MAGIC, f_bsize=4096, f_blocks=3838052, f_bfree=1172381, f_bavail=987245, f_files=977280, f_ffree=703441, f_fsid={9930339, 726475040}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
>
> This shows that it made it to write_to_log and then called check_log_file_size
>
> [pid  1595] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x90430527} ---
> [pid  1602] +++ killed by SIGSEGV (core dumped) +++
> +++ killed by SIGSEGV (core dumped) +++
>
> The traceback is not accurate. We are somewhere else in the code. I am going
> to bet that it's crashing on trying to ack because in the netlink path it's not
> getting set to NULL. I updated svn with a 1 line fix. Can you either pull the
> new code from svn and try it or add this patch to your build?
>
> https://fedorahosted.org/audit/changeset/1320/trunk/src/auditd.c
>
> Let me know if this does it.

Seems to be OK with that patch,

Thanks

Laurent Bigonville



