Bug 1224538 - [abrt] rsyslog: SanitizeMsg(): rsyslogd killed by SIGSEGV
Summary: [abrt] rsyslog: SanitizeMsg(): rsyslogd killed by SIGSEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rsyslog
Version: 22
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Heinrich
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:32739bb36058dfd61123a502a95...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-24 10:10 UTC by Andrew McCoull
Modified: 2016-09-20 04:52 UTC (History)
15 users (show)

Fixed In Version: rsyslog-8.8.0-3.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-16 02:33:10 UTC
Type: ---


Attachments (Terms of Use)
File: backtrace (26.53 KB, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: cgroup (194 bytes, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: core_backtrace (1.12 KB, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: dso_list (2.23 KB, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: environ (123 bytes, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: limits (1.29 KB, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: maps (29.30 KB, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: mountinfo (2.90 KB, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: namespaces (85 bytes, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: open_fds (14.04 KB, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details
File: proc_pid_status (920 bytes, text/plain)
2015-05-24 10:10 UTC, Andrew McCoull
no flags Details

Description Andrew McCoull 2015-05-24 10:10:17 UTC
Description of problem:
No specific unusual actions. I was browsing in Firefox at the time.

Version-Release number of selected component:
rsyslog-8.8.0-2.fc22

Additional info:
reporter:       libreport-2.5.1
backtrace_rating: 4
cmdline:        /usr/sbin/rsyslogd -n
crash_function: SanitizeMsg
executable:     /usr/sbin/rsyslogd
global_pid:     804
kernel:         4.0.4-300.fc22.x86_64
runlevel:       unknown
type:           CCpp
uid:            0
var_log_messages: [System Logs]:\n-- Logs begin at Thu 2014-03-06 21:34:57 GMT, end at Sun 2015-05-24 10:46:53 BST. --

Truncated backtrace:
Thread no. 1 (5 frames)
 #0 SanitizeMsg at parser.c:483
 #1 enqMsg at imjournal.c:193
 #2 readjournal at imjournal.c:415
 #3 runInput at imjournal.c:634
 #4 thrdStarter at ../threads.c:212

Comment 1 Andrew McCoull 2015-05-24 10:10:20 UTC
Created attachment 1029171 [details]
File: backtrace

Comment 2 Andrew McCoull 2015-05-24 10:10:21 UTC
Created attachment 1029172 [details]
File: cgroup

Comment 3 Andrew McCoull 2015-05-24 10:10:22 UTC
Created attachment 1029173 [details]
File: core_backtrace

Comment 4 Andrew McCoull 2015-05-24 10:10:24 UTC
Created attachment 1029174 [details]
File: dso_list

Comment 5 Andrew McCoull 2015-05-24 10:10:25 UTC
Created attachment 1029175 [details]
File: environ

Comment 6 Andrew McCoull 2015-05-24 10:10:26 UTC
Created attachment 1029176 [details]
File: limits

Comment 7 Andrew McCoull 2015-05-24 10:10:28 UTC
Created attachment 1029177 [details]
File: maps

Comment 8 Andrew McCoull 2015-05-24 10:10:29 UTC
Created attachment 1029178 [details]
File: mountinfo

Comment 9 Andrew McCoull 2015-05-24 10:10:30 UTC
Created attachment 1029179 [details]
File: namespaces

Comment 10 Andrew McCoull 2015-05-24 10:10:32 UTC
Created attachment 1029180 [details]
File: open_fds

Comment 11 Andrew McCoull 2015-05-24 10:10:33 UTC
Created attachment 1029181 [details]
File: proc_pid_status

Comment 12 Tomas Heinrich 2015-06-23 16:57:24 UTC
I haven't seen a crash, but I can observe the issue under valgrind.
Can be reproduced with something like:
python -c "from systemd import journal; journal.send('', SYSLOG_FACILITY='10', PRIORITY='4')"
Will be fixed with the next update.

Comment 13 Chris Siebenmann 2015-06-30 16:24:47 UTC
I get what seems to be the same crash. Under gdb (running with
'run -n -d') I see:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd0055700 (LWP 15787)]
SanitizeMsg (pMsg=0x7fffc829b760) at parser.c:483
483                     if((pszMsg[iSrc] < 32) && (pszMsg[iSrc] != '\t' || glbl.GetParserEscapeControlCharacterTab())) {
(gdb) where
#0  SanitizeMsg (pMsg=0x7fffc829b760) at parser.c:483
#1  0x00007ffff63a5030 in enqMsg (json=0x7fffc829a770, tp=0x7fffd0054ca0, iSeverity=6, iFacility=3, 
    pszTag=0x7fffc8293a80 "vmnet-dhcpd:", msg=0x7fffc82908c0 "") at imjournal.c:193
#2  readjournal () at imjournal.c:415
#3  runInput (pThrd=<optimized out>) at imjournal.c:634
#4  0x0000555555598280 in thrdStarter (arg=0x55555581e6a0) at ../threads.c:212
#5  0x00007ffff79b1555 in start_thread (arg=0x7fffd0055700) at pthread_create.c:333
#6  0x00007ffff68aff3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

My personal view is that this is a high-priority issue as it can
completely cripple syslog logging on Fedora 22 machines (and since
it involves a SEGV based on user-generated input, is it possible
that this is a security issue?).

Comment 14 Fedora Update System 2015-07-02 16:20:52 UTC
rsyslog-8.8.0-3.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/rsyslog-8.8.0-3.fc22

Comment 15 Fedora Update System 2015-07-03 18:33:42 UTC
Package rsyslog-8.8.0-3.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rsyslog-8.8.0-3.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-11039/rsyslog-8.8.0-3.fc22
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2015-07-16 02:33:10 UTC
rsyslog-8.8.0-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.