Bug 502473

Summary: Failure logging execve with lots of arguments
Product: Red Hat Enterprise Linux 4 Reporter: Matthew Booth <mbooth>
Component: kernelAssignee: Cong Wang <amwang>
Status: CLOSED ERRATA QA Contact: Petr Beňas <pbenas>
Severity: high Docs Contact:
Priority: medium    
Version: 4.8CC: eparis, pbenas, pstehlik, rkhan
Target Milestone: rc   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 509134 (view as bug list) Environment:
Last Closed: 2011-02-16 15:56:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 509134    
Attachments:
Description Flags
GDB session showing message received->return EBADE
none
fix message length accounting none

Description Matthew Booth 2009-05-25 12:17:28 UTC 
Created attachment 345304 [details]
GDB session showing message received->return EBADE

Description of problem:
Execute the following command:

seq 1 1000 | xargs echo

In the output, you get a single EXECVE record, which start with this:

type=EXECVE msg=audit(1243248052.942:49):  a857="857" a858="858"

The first 857 arguments have been lost.

The kernel is, however, emitting the preceding record. I've attached some gdb output which shows the problem. Here's a snippet:

102     len = recvfrom(fd, &rep->msg, sizeof(rep->msg), block|peek,
(gdb) n
105     if (len < 0) {
(gdb) print rep->msg
$4 = {nlh = {nlmsg_len = 9246, nlmsg_type = 1309, nlmsg_flags = 0,
    nlmsg_seq = 0, nlmsg_pid = 0},
  data = "audit(1243249450.436:190): argc=1001 a0=\"echo\" a1=\"1\" a2=\"2\" a3=\"3\" a4=\"4\" a5=\"5\" a6=\"6\" a7=\"7\" a8=\"8\" a9=\"9\" a10=\"10\" a11=\"11\" a12=\"12\" a13=\"13\" a14=\"14\" a15=\"15\" a16=\"16\" a17=\"17\" a18=\"18\" a19=\"19\" "...}
(gdb) print len
$5 = 8476

I don't understand why only 8476 bytes have been returned, as sizeof(rep->msg) is 8970 bytes + sizeof(struct nlmsghdr). However, it appears that this is incomplete, which later results in EBADE being returned.

This bug results in a predictable omission of data from the audit record.

Version-Release number of selected component (if applicable):
audit-libs-1.0.16-4.el4
Comment 1 Steve Grubb 2009-05-26 16:00:03 UTC 
Looking at the gdb output, libaudit tells the kernel how big its buffer is. The kernels sends the record. Libaudit checks a few things and then calls the NLMSG_OK macro. The record fails this test, so I would also lean towards this being a kernel bug.

Also, the RHEL4 user space implementation is not expecting split execve records.
Comment 2 Eric Paris 2009-05-26 23:05:30 UTC 
RHEL4 userspace has the choice of accepting split records or of handling records larger than 8k since RHEL4 can handle execve arguments >8k (always has been able to)

Anyway the problem appears to be in my accounting of how much information I had sent to userspace.  I forgot to account for the fact that strings are surrounded by ""  Thus in this case when jamming 800+ arguments into one message my accounting was off by 800*2 bytes.

Simple enough patch to fix my estimates.
Comment 3 Eric Paris 2009-05-26 23:06:10 UTC 
Created attachment 345543 [details]
fix message length accounting
Comment 5 RHEL Program Management 2009-07-02 21:43:49 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Vivek Goyal 2009-07-28 17:22:39 UTC 
Committed in 89.7.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 10 Petr Beňas 2010-11-23 12:05:07 UTC 
Reproduced in 89.6.EL and verified in 89.7.EL.
Comment 12 errata-xmlrpc 2011-02-16 15:56:41 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0263.html