Bug 67606 - expandrepeats can cause resource exhaustion
expandrepeats can cause resource exhaustion
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: logwatch (Show other bugs)
7.2
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Elliot Lee
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-06-27 23:45 EDT by Martin Pool
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-06-27 23:45:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Pool 2002-06-27 23:45:17 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020615
Debian/1.0.0-3

Description of problem:
One of the scripts in logwatch tries to expand lines like

  previous message repeated 110229 times

into 110230 repetitions of the line in a temporary file.  If there are many such
messages, or if the counts are very large, then the machine can run out of disk
space or even VM.  

This occurred on one of our machines when it was apparently attacked by somebody
looking for CDE or portmapper vulnerabilities -- it received many thousands of
probe packets, which were detected and logged by portsentry via syslogd.  So far
so good.  However, when the cron job ran, the machine worked itself into a state
of near exhaustion trying to expand the log file entries.  So what should have
been a minor security warning turned into a major problem for machine
availability.  At the point where I interrupted it, the temporary file was 60GB
(sparse) and growing.

You can imagine a malicious local user provoking the bug by just writing a
single syslog message that looks like an enormous repeat count.

It seems to me that this is a design flaw in logwatch.  I think we will just
turn it off for the time being.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Do something to get a "previous message repeated n times" message in
/var/log/messages, for large n
2. Start the cron job
3.
	

Actual Results:  Machine grinds to a halt, with an enormous tmp file

Expected Results:  Should have got the regular warning message, but without
using so much disk space.

Additional info:

Possibly this has been fixed in a later version of logwatch?  I don't know
because their web site seems to be unreachable at the moment.
Comment 1 Elliot Lee 2002-07-11 15:06:33 EDT
Fixed in 2.6-6 (removed expandrepeats)

Note You need to log in before you can comment on or make changes to this bug.