On Wednesday, July 6, 2016 5:26:44 PM EDT Laurent Bigonville wrote:
Hello,
On 06/07/16 at 17:23, Steve Grubb wrote:
> On Wednesday, July 6, 2016 4:49:58 PM EDT Laurent Bigonville wrote:
>> With 2.6.3, when loading the rules, it's crashing and I get the
>> following backtrace:
>>
>> #0 0x00007ffff687e99d in writev () at ../sysdeps/unix/syscall-template.S:84
>> #1 0x00005555555610ab in dispatch_event (rep=<optimized out>, is_err=0) at ../../../src/auditd-dispatch.c:189
>> #2 0x000055555555a700 in distribute_event (e=0x555555779d80) at ../../../src/auditd.c:216
>> #3 0x000055555555aac8 in netlink_handler (loop=<optimized out>, io=<optimized out>, revents=<optimized out>) at ../../../src/auditd.c:500
> By any chance does syslog show that the dispatcher exited due to no active
> plugins?
This is what I see in syslog:
Jul 6 17:25:15 valinor systemd[1]: Starting Security Auditing Service...
Jul 6 17:25:15 valinor auditd[604]: Started dispatcher: /sbin/audispd pid: 608
Jul 6 17:25:15 valinor audispd: priority_boost_parser called with: 4
Jul 6 17:25:15 valinor audispd: max_restarts_parser called with: 10
Jul 6 17:25:15 valinor audispd: No plugins found, exiting
OK. When this happens we should get a SIGCHLD which causes the handler to mark
the writev pipe descriptor as -1. This is checked for on the way to the
writev. So, maybe there is a race where the descriptor was ok at entry but the
child process was gone at writev time. This should have resulted in a SIGPIPE
which does not core dump but does terminate auditd. This can and should be
fixed.
However, you are getting a core dump. The only thing I can think of is if
vec[1].iov_base was assigned an invalid address. I tested this and I get
writev(6, [{"\1\0\0\0\20\0\0\0j\4\0\0\377\0\0\0", 16}, {NULL, 255}], 2) = -1 EFAULT (Bad address)
which also does not core dump. So, I'm not sure why you are getting a core
dump. If this is reproducible it might be good to get an strace to see what is
being handed to writev. Or maybe try it from valgrind to see if that gives
additional information.
-Steve
Jul 6 17:25:16 valinor kernel: [20575.773688] audit: netlink_unicast sending to audit_pid=604 returned error: -111
Jul 6 17:25:16 valinor systemd[1]: auditd.service: Main process exited, code=dumped, status=11/SEGV
Jul 6 17:25:16 valinor systemd[1]: auditd.service: Unit entered failed state.
Jul 6 17:25:16 valinor systemd[1]: auditd.service: Failed with result 'core-dump'.
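
Added example (not part of the original thread and not auditd's code): a small C program that reproduces the two writev() failure modes discussed above on a pipe, a reader that has already exited and a NULL iov_base in the second vector. The function names and the zeroed 16-byte header are constructed for illustration, and ignoring SIGPIPE is an assumption that shows one way to turn the fatal signal into an EPIPE return.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>

/* Write a 16-byte header plus a payload with one writev(), the same
 * two-element shape seen in the strace. Returns 0 or the failing errno. */
static int send_event(int fd, const void *payload, size_t len)
{
    char hdr[16] = {0};              /* constructed stand-in header */
    struct iovec vec[2];
    ssize_t rc;

    vec[0].iov_base = hdr;
    vec[0].iov_len = sizeof(hdr);
    vec[1].iov_base = (void *)payload;
    vec[1].iov_len = len;
    do {
        rc = writev(fd, vec, 2);
    } while (rc < 0 && errno == EINTR);
    return rc < 0 ? errno : 0;
}

/* Case 1: the read end is closed before the write, as when the child
 * exits between the descriptor check and writev(). With SIGPIPE ignored
 * the call fails with EPIPE instead of terminating the process. */
int errno_when_reader_gone(void)
{
    int p[2], e;
    if (pipe(p) != 0) return -1;
    signal(SIGPIPE, SIG_IGN);
    close(p[0]);
    e = send_event(p[1], "event", 5);
    close(p[1]);
    return e;
}

/* Case 2: vec[1].iov_base is NULL with a non-zero length. The kernel
 * rejects the user pointer, so the caller sees an error, not a fault. */
int errno_when_payload_null(void)
{
    int p[2], e;
    if (pipe(p) != 0) return -1;
    e = send_event(p[1], NULL, 255);
    close(p[0]); close(p[1]);
    return e;
}
```

Neither case delivers SIGSEGV to the writer, which matches the observation that a bad pointer handed to writev() does not by itself produce a core dump.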