Bug 2375024 - [auditd 4.0.5] af_unix behavior broke in binary mode compared to previous versions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: 42
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-06-26 17:56 UTC by situhaozhong
Modified: 2025-06-28 01:45 UTC (History)

Fixed In Version: audit-4.0.5-2.fc42 audit-4.0.5-2.fc41
Clone Of:
Environment:
Last Closed: 2025-06-28 01:13:57 UTC
Type: ---
Embargoed:



Description situhaozhong 2025-06-26 17:56:44 UTC
Affected OS: Fedora 41, 42
Affected arch: x86_64, arm64

The problematic config of af_unix.conf: (which is quite typical)

active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0640 /var/run/audispd_events string
format = binary

The same issue occurs when we skip the string part, i.e. use "args = 0640 /var/run/audispd_events" instead.



Reproducible: Always

Steps to Reproduce:
1. Use Audit 4.0.5-1, and set the af_unix.conf config to use format=binary, args=...... string
2. Restart the auditd service
3. Listen to /var/run/audispd_events via the nc command or your own agent


Actual Results:
On the same Fedora 41/42 host, once I upgrade to audit 4.0.5-1, no matter how many times I restart the auditd service, I can only receive corrupted data.
Here is the output I obtained via the same "nc -U /var/run/audispd_events -x out.bin" command:

0000   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0010   6d 73 67 3d                                       msg=
0000   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0010   6d 73 67 3d 74 79 70 65  3d 55 4e 4b 4e 4f 57 4e  msg=type=UNKNOWN
0020   5b 30 5d 20 6d 73 67 3d  74 79 70 65 3d 55 4e 4b  [0].msg=type=UNK
0030   4e 4f 57 4e 5b 30 5d 20  6d 73 67 3d 74 79 70 65  NOWN[0].msg=type
0040   3d 55 4e 4b 4e 4f 57 4e  5b 30 5d 20 6d 73 67 3d  =UNKNOWN[0].msg=
0050   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0060   6d 73 67 3d                                       msg=
0000   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0010   6d 73 67 3d                                       msg=
0000   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0010   6d 73 67 3d 74 79 70 65  3d 55 4e 4b 4e 4f 57 4e  msg=type=UNKNOWN
0020   5b 30 5d 20 6d 73 67 3d  74 79 70 65 3d 55 4e 4b  [0].msg=type=UNK
0030   4e 4f 57 4e 5b 30 5d 20  6d 73 67 3d 74 79 70 65  NOWN[0].msg=type
0040   3d 55 4e 4b 4e 4f 57 4e  5b 30 5d 20 6d 73 67 3d  =UNKNOWN[0].msg=
0050   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0060   6d 73 67 3d 74 79 70 65  3d 55 4e 4b 4e 4f 57 4e  msg=type=UNKNOWN
0070   5b 30 5d 20 6d 73 67 3d                           [0].msg=
0000   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0010   6d 73 67 3d 74 79 70 65  3d 55 4e 4b 4e 4f 57 4e  msg=type=UNKNOWN
0020   5b 30 5d 20 6d 73 67 3d  74 79 70 65 3d 55 4e 4b  [0].msg=type=UNK
0030   4e 4f 57 4e 5b 30 5d 20  6d 73 67 3d 74 79 70 65  NOWN[0].msg=type
0040   3d 55 4e 4b 4e 4f 57 4e  5b 30 5d 20 6d 73 67 3d  =UNKNOWN[0].msg=
0050   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0060   6d 73 67 3d 74 79 70 65  3d 55 4e 4b 4e 4f 57 4e  msg=type=UNKNOWN
0070   5b 30 5d 20 6d 73 67 3d                           [0].msg=
0000   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0010   6d 73 67 3d 74 79 70 65  3d 55 4e 4b 4e 4f 57 4e  msg=type=UNKNOWN
0020   5b 30 5d 20 6d 73 67 3d                           [0].msg=
0000   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0010   6d 73 67 3d 74 79 70 65  3d 55 4e 4b 4e 4f 57 4e  msg=type=UNKNOWN
0020   5b 30 5d 20 6d 73 67 3d  74 79 70 65 3d 55 4e 4b  [0].msg=type=UNK
0030   4e 4f 57 4e 5b 30 5d 20  6d 73 67 3d 74 79 70 65  NOWN[0].msg=type
0040   3d 55 4e 4b 4e 4f 57 4e  5b 30 5d 20 6d 73 67 3d  =UNKNOWN[0].msg=
0000   74 79 70 65 3d 55 4e 4b  4e 4f 57 4e 5b 30 5d 20  type=UNKNOWN[0].
0010   6d 73 67 3d                                       msg=



Expected Results:
With Audit 4.0.3-2 (or 4.0.2-1 I believe), I can get string format events properly. Here is an example of what the output looks like when I cast them to an output file via "nc -U /var/run/audispd_events -x out.bin":

0000   74 79 70 65 3d 55 53 45  52 5f 53 54 41 52 54 20  type=USER_START.
0010   6d 73 67 3d 61 75 64 69  74 28 31 37 35 30 39 35  msg=audit(175095
0020   33 35 38 37 2e 30 31 38  3a 34 32 33 38 29 3a 20  3587.018:4238):.
0030   70 69 64 3d 32 32 33 33  20 75 69 64 3d 30 20 61  pid=2233.uid=0.a
0040   75 69 64 3d 31 30 30 30  20 73 65 73 3d 32 20 73  uid=1000.ses=2.s
0050   75 62 6a 3d 73 79 73 74  65 6d 5f 75 3a 73 79 73  ubj=system_u:sys
0060   74 65 6d 5f 72 3a 73 73  68 64 5f 74 3a 73 30 2d  tem_r:sshd_t:s0-
0070   73 30 3a 63 30 2e 63 31  30 32 33 20 6d 73 67 3d  s0:c0.c1023.msg=
0080   27 6f 70 3d 6c 6f 67 69  6e 20 69 64 3d 31 30 30  'op=login.id=100
0090   30 20 65 78 65 3d 22 2f  75 73 72 2f 6c 69 62 65  0.exe="/usr/libe
00a0   78 65 63 2f 6f 70 65 6e  73 73 68 2f 73 73 68 64  xec/openssh/sshd
00b0   2d 73 65 73 73 69 6f 6e  22 20 68 6f 73 74 6e 61  -session".hostna
00c0   6d 65 3d 3f 20 61 64 64  72 3d 31 30 2e 31 34 30  me=?.addr=10.140
00d0   2e 32 34 32 2e 31 33 30  20 74 65 72 6d 69 6e 61  .242.130.termina
00e0   6c 3d 73 73 68 20 72 65  73 3d 73 75 63 63 65 73  l=ssh.res=succes
00f0   73 27 1d 55 49 44 3d 22  72 6f 6f 74 22 20 41 55  s'.UID="root".AU
0100   49 44 3d 22 66 65 64 6f  72 61 22 20 49 44 3d 22  ID="fedora".ID="
0110   66 65 64 6f 72 61 22 0a                           fedora".
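
A consumer-side check for the two streams dumped above, added here as an example (it is not part of the report or of the audit project's code). It assumes, from the expected-results dump, that a record ends with 0x0a and that 0x1d precedes the enriched fields; `parse_stream` and `stream_is_healthy` are hypothetical names, and the sample bytes are constructed from the dumps.

```python
import re

# Constructed samples modelled on the two hex dumps in the report: one healthy
# record (0x1d precedes the enriched fields, 0x0a ends the record) and the
# header-only fragment that 4.0.5-1 repeats with no newline.
GOOD = (b"type=USER_START msg=audit(1750953587.018:4238): pid=2233 uid=0 "
        b"auid=1000 ses=2 msg='op=login id=1000 res=success'"
        b"\x1dUID=\"root\" AUID=\"fedora\" ID=\"fedora\"\n")
FRAGMENT = b"type=UNKNOWN[0] msg="

RECORD = re.compile(rb"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")


def parse_stream(buf: bytes):
    """Split bytes read from the socket into records.

    Returns (events, malformed, tail): parsed records, the number of
    unparseable pieces, and unterminated bytes left for the next read.
    """
    events, malformed = [], 0
    *lines, tail = buf.split(b"\n")
    for line in lines:
        raw, _, enriched = line.partition(b"\x1d")
        m = RECORD.fullmatch(raw)
        if m is None:
            # Count each header-only fragment, or the whole line once.
            malformed += max(1, raw.count(FRAGMENT))
            continue
        events.append({
            "type": m.group(1).decode(),
            "time": float(m.group(2).decode()),
            "serial": int(m.group(3).decode()),
            "body": m.group(4).decode(errors="replace"),
            "enriched": enriched.decode(errors="replace"),
        })
    # The broken stream never sends 0x0a, so a line-based reader would wait
    # forever. Fragments in the tail are counted and dropped here.
    if FRAGMENT in tail:
        malformed += tail.count(FRAGMENT)
        tail = b""
    return events, malformed, tail


def stream_is_healthy(buf: bytes) -> bool:
    """True only if at least one record parsed and nothing was malformed."""
    events, malformed, _ = parse_stream(buf)
    return bool(events) and malformed == 0
```

An agent that forwards these events can alert when `malformed` rises or when no record parses after a package update, instead of silently waiting for a newline that never arrives.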

Comment 1 Steve Grubb 2025-06-26 18:00:38 UTC
This was fixed upstream 3 weeks ago
https://github.com/linux-audit/audit-userspace/commit/3ea61d367cf4456be3513adcdbb84714eb89d1ed

Comment 2 situhaozhong 2025-06-26 18:03:33 UTC
(In reply to Steve Grubb from comment #1)
> This was fixed upstream 3 weeks ago
> https://github.com/linux-audit/audit-userspace/commit/3ea61d367cf4456be3513adcdbb84714eb89d1ed

Thank you.
Could you clarify which versions are affected, and which version will have the fix?

Comment 3 Steve Grubb 2025-06-26 19:29:20 UTC
4.0.5 is broke for string. Everything else works for string. 4.0.5 is good for binary. Everything else is broke for binary. I'm pushing builds through the build system. Watch this bz for a link to the testing repo and please give it karma so that it rolls out to people sooner.

Comment 4 Fedora Update System 2025-06-26 20:01:01 UTC
FEDORA-2025-1593bd2c85 (audit-4.0.5-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-1593bd2c85

Comment 5 Fedora Update System 2025-06-26 20:01:03 UTC
FEDORA-2025-6c8ebc2322 (audit-4.0.5-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-6c8ebc2322

Comment 6 Fedora Update System 2025-06-27 02:34:44 UTC
FEDORA-2025-6c8ebc2322 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-6c8ebc2322`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-6c8ebc2322

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-06-27 02:41:02 UTC
FEDORA-2025-1593bd2c85 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-1593bd2c85`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-1593bd2c85

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2025-06-28 01:13:57 UTC
FEDORA-2025-1593bd2c85 (audit-4.0.5-2.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2025-06-28 01:45:24 UTC
FEDORA-2025-6c8ebc2322 (audit-4.0.5-2.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

