1482121 – python audit crash due to dereferencing NULL auparse_state_t le field.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1482121 - python audit crash due to dereferencing NULL auparse_state_t le field.

Summary: python audit crash due to dereferencing NULL auparse_state_t le field.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	audit
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Grubb
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1476406
TreeView+	depends on / blocked

Reported:	2017-08-16 13:49 UTC by Paulo Andrade
Modified:	2021-06-10 12:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:	audit-2.7.8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 12:18:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0760	0	None	None	None	2018-04-10 12:20:10 UTC

Description Paulo Andrade 2017-08-16 13:49:00 UTC

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1475998,
Customer switched to use AUSOURCE_FILE:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f1a4d98f774 in auparse_get_type_name (au=0x17b6910) at auparse.c:1654
1654		rnode *r = aup_list_get_cur(au->le);
(gdb) p *au
$1 = {source = AUSOURCE_FILE, source_list = 0x17f3ba0, list_idx = 1, in = 0x0, line_number = 0, 
  next_buf = 0x0, off = 0, cur_buf = 0x0, line_pushed = 0, le = 0x0, expr = 0x0, find_field = 0x0, 
  search_where = AUSEARCH_STOP_EVENT, parse_state = EVENT_EMPTY, databuf = {flags = 0, alloc_size = 0, 
    alloc_ptr = 0x0, offset = 0, len = 0, max_len = 0}, callback = 0x0, callback_user_data = 0x0, 
  callback_user_data_destroy = 0x0, au_lo = 0x17e70b0, au_ready = 0, escape_mode = AUPARSE_ESC_TTY}

but is still getting crashes from time to time. Apparently
always due to the aup_list_get_cur call, that must not receive
a NULL pointer:

static inline rnode *aup_list_get_cur(event_list_t *l) { return l->cur; }

  Being a python module, I believe it should be more robust
regarding (possibly) malformed input (or unexpected pattern
in ausearch.log), or an unexpected sequence of calls to python
functions.

  Unfortunately currently there is no reproducer, but I am
working with the user to attempt to "save" the state when
a new crash happens, what should tell what input causes the
crash.

Comment 2 Steve Grubb 2017-08-16 14:58:07 UTC

This kind of looks like its using the ausearch functions of auparse. Is there any possibility of finding out if it is setting up a search and what it's searching for?

Comment 5 Steve Grubb 2017-08-22 14:00:21 UTC

By any chance do we have a reproducer?

Comment 6 Paulo Andrade 2017-08-22 14:06:43 UTC

(In reply to Steve Grubb from comment #5)
> By any chance do we have a reproducer?

  I am afraid there is still not a reproducer. User was
instructed to attempt to save the input that caused the
crash, and when it happens, also save the script that
triggered it. But still waiting for it.

  I can provide you a coredump with the backtrace:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f1a4d98f774 in auparse_get_type_name (au=0x17b6910) at auparse.c:1654
1654		rnode *r = aup_list_get_cur(au->le);
(gdb) p *au
$1 = {source = AUSOURCE_FILE, ...

and the list of dependencies to load the coredump, as
you might find something else in the backtrace.

Comment 7 Steve Grubb 2017-08-22 17:57:59 UTC

Without the script I can't tell much. For example, if it failed to open the file does it continue? Does it  call first_record and if so does it check the return code? au->le is only ever NULL when no event is available.

That said, I did find that auparse_get_type_name in the python bindings itself did not check if it got NULL from the C function. It now sets an error code rather than try to build a value. So, if the crash is in the bindings itself, then maybe upstream commit bc9051adb81645846a8b4ab25280d09082b2e12e may solve the issue.

Comment 8 Steve Grubb 2017-08-22 18:07:15 UTC

Btw, the attached script, audit_report-1.py, appears to be OK. Not sure how similar that is to the one that is crashing.

Comment 9 Paulo Andrade 2017-08-22 18:21:09 UTC

Actually, it just crashes on an empty file:

$ echo -n '' > /tmp/ausearch.log
$ python audit_report-1.py
Segmentation fault (core dumped)

This is why I suggested not calling aup.first_record()
and then a "while True:" loop. But my suggestion apparently
caused the script to miss the first entry.

Comment 11 Steve Grubb 2017-08-22 19:00:23 UTC

OK, you are right. Without changing everything the program could do something like this:

if not aup.first_record():
    sys.exit(1)

So, the program is accessing an empty file and return codes are not being checked. You definitely can crash auparse through almost any function call when there is no selected event.

Comment 12 Steve Grubb 2017-08-22 21:28:32 UTC

I checked in 2 patches that should fix this. I now get an exception when using the API with no event selected.

Comment 13 Steve Grubb 2017-09-20 15:03:51 UTC

Built audit-2.7.8 to address this issue.

Comment 18 errata-xmlrpc 2018-04-10 12:18:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0760

Note You need to log in before you can comment on or make changes to this bug.