Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1482121 - python audit crash due to dereferencing NULL auparse_state_t le field.
python audit crash due to dereferencing NULL auparse_state_t le field.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit (Show other bugs)
7.3
All Linux
low Severity medium
: rc
: ---
Assigned To: Steve Grubb
Ondrej Moriš
:
Depends On:
Blocks: 1476406
  Show dependency treegraph
 
Reported: 2017-08-16 09:49 EDT by Paulo Andrade
Modified: 2018-04-10 08:20 EDT (History)
3 users (show)

See Also:
Fixed In Version: audit-2.7.8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 08:18:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0760 None None None 2018-04-10 08:20 EDT

  None (edit)
Description Paulo Andrade 2017-08-16 09:49:00 EDT 
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1475998,
Customer switched to use AUSOURCE_FILE:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f1a4d98f774 in auparse_get_type_name (au=0x17b6910) at auparse.c:1654
1654		rnode *r = aup_list_get_cur(au->le);
(gdb) p *au
$1 = {source = AUSOURCE_FILE, source_list = 0x17f3ba0, list_idx = 1, in = 0x0, line_number = 0, 
  next_buf = 0x0, off = 0, cur_buf = 0x0, line_pushed = 0, le = 0x0, expr = 0x0, find_field = 0x0, 
  search_where = AUSEARCH_STOP_EVENT, parse_state = EVENT_EMPTY, databuf = {flags = 0, alloc_size = 0, 
    alloc_ptr = 0x0, offset = 0, len = 0, max_len = 0}, callback = 0x0, callback_user_data = 0x0, 
  callback_user_data_destroy = 0x0, au_lo = 0x17e70b0, au_ready = 0, escape_mode = AUPARSE_ESC_TTY}

but is still getting crashes from time to time. Apparently
always due to the aup_list_get_cur call, that must not receive
a NULL pointer:

static inline rnode *aup_list_get_cur(event_list_t *l) { return l->cur; }

  Being a python module, I believe it should be more robust
regarding (possibly) malformed input (or unexpected pattern
in ausearch.log), or an unexpected sequence of calls to python
functions.

  Unfortunately currently there is no reproducer, but I am
working with the user to attempt to "save" the state when
a new crash happens, what should tell what input causes the
crash.
Comment 2 Steve Grubb 2017-08-16 10:58:07 EDT 
This kind of looks like its using the ausearch functions of auparse. Is there any possibility of finding out if it is setting up a search and what it's searching for?
Comment 5 Steve Grubb 2017-08-22 10:00:21 EDT 
By any chance do we have a reproducer?
Comment 6 Paulo Andrade 2017-08-22 10:06:43 EDT 
(In reply to Steve Grubb from comment #5)
> By any chance do we have a reproducer?

  I am afraid there is still not a reproducer. User was
instructed to attempt to save the input that caused the
crash, and when it happens, also save the script that
triggered it. But still waiting for it.

  I can provide you a coredump with the backtrace:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f1a4d98f774 in auparse_get_type_name (au=0x17b6910) at auparse.c:1654
1654		rnode *r = aup_list_get_cur(au->le);
(gdb) p *au
$1 = {source = AUSOURCE_FILE, ...

and the list of dependencies to load the coredump, as
you might find something else in the backtrace.
Comment 7 Steve Grubb 2017-08-22 13:57:59 EDT 
Without the script I can't tell much. For example, if it failed to open the file does it continue? Does it  call first_record and if so does it check the return code? au->le is only ever NULL when no event is available.

That said, I did find that auparse_get_type_name in the python bindings itself did not check if it got NULL from the C function. It now sets an error code rather than try to build a value. So, if the crash is in the bindings itself, then maybe upstream commit bc9051adb81645846a8b4ab25280d09082b2e12e may solve the issue.
Comment 8 Steve Grubb 2017-08-22 14:07:15 EDT 
Btw, the attached script, audit_report-1.py, appears to be OK. Not sure how similar that is to the one that is crashing.
Comment 9 Paulo Andrade 2017-08-22 14:21:09 EDT 
Actually, it just crashes on an empty file:

$ echo -n '' > /tmp/ausearch.log
$ python audit_report-1.py
Segmentation fault (core dumped)

This is why I suggested not calling aup.first_record()
and then a "while True:" loop. But my suggestion apparently
caused the script to miss the first entry.
Comment 11 Steve Grubb 2017-08-22 15:00:23 EDT 
OK, you are right. Without changing everything the program could do something like this:

if not aup.first_record():
    sys.exit(1)

So, the program is accessing an empty file and return codes are not being checked. You definitely can crash auparse through almost any function call when there is no selected event.
Comment 12 Steve Grubb 2017-08-22 17:28:32 EDT 
I checked in 2 patches that should fix this. I now get an exception when using the API with no event selected.
Comment 13 Steve Grubb 2017-09-20 11:03:51 EDT 
Built audit-2.7.8 to address this issue.
Comment 18 errata-xmlrpc 2018-04-10 08:18:47 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0760
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.