Bug 402941 - ausearch segfaults if you're using -k and a logged watch doesn't have a filter key
ausearch segfaults if you're using -k and a logged watch doesn't have a filte...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: audit (Show other bugs)
4.0
i686 Linux
low Severity low
: ---
: ---
Assigned To: Steve Grubb
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-28 10:07 EST by Buck Huppmann
Modified: 2010-01-25 08:02 EST (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2008-0731
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-24 15:58:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
a reproducer. run ausearch -k WHATEVER -f on it (657 bytes, text/plain)
2007-11-28 10:13 EST, Buck Huppmann
no flags Details

  None (edit)
Description Buck Huppmann 2007-11-28 10:07:33 EST
Description of problem:
segfault in ausearch if you're using -k and a logged watch event
doesn't have a key logged, b/c you didn't specify -k in all your
watches in audit.rules

Version-Release number of selected component (if applicable):
audit-1.0.15-3.EL4.1

How reproducible:
run ausearch on a log file generated under the specified conditions,
using -k

Steps to Reproduce:
1. put, e.g.,
   -w /etc/pam.d/
   in audit.rules and reload auditing
2. exercise pam by ssh-logging-in to the machine, say
3. ausearch -k whatever
  
Actual results:
Program received signal SIGSEGV, Segmentation fault.

Expected results:
no segfault

Additional info:
[Switching to Thread -1208764736 (LWP 5802)]
0x008d8061 in strstr () from /lib/tls/libc.so.6
(gdb) bt
#0  0x008d8061 in strstr () from /lib/tls/libc.so.6
#1  0x0804ede4 in strmatch (needle=0x8b07858 "LOG_", haystack=0x0)
    at ausearch-match.c:192
#2  0x0804ecf3 in match (l=0xbff611c0) at ausearch-match.c:161
#3  0x0804982c in process_file (filename=0x8b07868 "/root/audit.log")
    at ausearch.c:169
#4  0x0804950b in main (argc=6, argv=0xbff612f4) at ausearch.c:76
(gdb) up
#1  0x0804ede4 in strmatch (needle=0x8b07858 "LOG_", haystack=0x0)
    at ausearch-match.c:192
192                     if (strstr(haystack, needle) == NULL)
(gdb) up
#2  0x0804ecf3 in match (l=0xbff611c0) at ausearch-match.c:161
161                                                             if (strmatch(
(gdb) list 
156                                                     slist_first(sptr);
157                                                     sn=slist_get_cur(sptr);
158                                                     do {
159                                                             if (sn->str == NULL)
160                                                                     return 0;
161                                                             if (strmatch(
162                                                                     event_key,
163                                                                     sn->key)) {
164                                                                     found = 1;
165                                                                     break;
(gdb) list -
146                                                     return 0; 
147                                     }
148                                     if (event_key) {
149                                             if (l->s.filename == NULL)
150                                                     return 0;
151                                             else {
152                                                     int found = 0;
153                                                     const snode *sn;
154                                                     slist *sptr = l->s.filename;
155
(gdb) print *sn
$10 = {str = 0x8b079f8 "pam.d", key = 0x0, item = 0, hits = 1, next = 0x0}
(gdb) print *l
$11 = {head = 0x8b09bf0, cur = 0x0, cnt = 5, e = {sec = 1196257933, 
    milli = 891, serial = 352237}, s = {pid = 3711, uid = 0, euid = 0, 
    loginuid = 4294967295, gid = 0, egid = 0, success = 1, arch = 1073741827, 
    syscall = 5, hostname = 0x0, filename = 0x8b079e8, cwd = 0x0, exe = 0x0, 
    terminal = 0x0, comm = 0x0, scontext = 0x0, tcontext = 0x0, 
    avc_result = AVC_UNSET, avc_perm = 0x0, avc_class = 0x0, acct = 0x0}}
(gdb)

maybe

161c161
<                                                       if (strmatch(
---
>                                                       if (sn->key && strmatch(

i figure
Comment 1 Buck Huppmann 2007-11-28 10:13:32 EST
Created attachment 271401 [details]
a reproducer. run ausearch -k WHATEVER -f on it

sorry. this attachment got dropped
Comment 2 Steve Grubb 2007-11-28 10:19:31 EST
This should be easy to fix. Thanks for the reproducer.
Comment 3 RHEL Product and Program Management 2007-12-10 23:15:05 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Steve Grubb 2008-04-10 17:00:43 EDT
audit-1.0.16-1 was built to solve this problem.
Comment 9 errata-xmlrpc 2008-07-24 15:58:20 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0731.html

Note You need to log in before you can comment on or make changes to this bug.