Bug 67606 - expandrepeats can cause resource exhaustion
Summary: expandrepeats can cause resource exhaustion
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: logwatch
Version: 7.2
Hardware: i686
OS: Linux
medium
high
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-06-28 03:45 UTC by Martin Pool
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2002-06-28 03:45:21 UTC
Embargoed:


Description Martin Pool 2002-06-28 03:45:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020615 Debian/1.0.0-3

Description of problem:
One of the scripts in logwatch tries to expand lines like

  previous message repeated 110229 times

into 110230 repetitions of the line in a temporary file.  If there are many such
messages, or if the counts are very large, then the machine can run out of disk
space or even VM.  

This occurred on one of our machines when it was apparently attacked by somebody
looking for CDE or portmapper vulnerabilities -- it received many thousands of
probe packets, which were detected and logged by portsentry via syslogd.  So far
so good.  However, when the cron job ran, the machine worked itself into a state
of near exhaustion trying to expand the log file entries.  So what should have
been a minor security warning turned into a major problem for machine
availability.  At the point where I interrupted it, the temporary file was 60GB
(sparse) and growing.

You can imagine a malicious local user provoking the bug by just writing a
single syslog message that looks like an enormous repeat count.

It seems to me that this is a design flaw in logwatch.  I think we will just
turn it off for the time being.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Do something to get a "previous message repeated n times" message in
/var/log/messages, for large n
2. Start the cron job

Actual Results:  Machine grinds to a halt, with an enormous tmp file

Expected Results:  Should have got the regular warning message, but without
using so much disk space.

Additional info:

Possibly this has been fixed in a later version of logwatch?  I don't know
because their web site seems to be unreachable at the moment.

Comment 1 Elliot Lee 2002-07-11 19:06:33 UTC
Fixed in 2.6-6 (removed expandrepeats)
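
Added example, not part of the bug report and not logwatch's code: a log summarizer can account for a repeat marker by adding its count to the preceding message instead of writing the line out again, so space use does not depend on the count. The host name, message text and function name below are constructed for illustration; the function also reports how many bytes the line-by-line expansion described above would have written.

```python
import re
from collections import Counter

# "previous" is the wording quoted in the report; sysklogd itself writes "last".
REPEAT = re.compile(r"^(?:last|previous) message repeated (\d+) times?$")
HEADER = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")

def summarize(lines):
    """Return (counts, expanded_bytes).

    counts maps (host, message) to occurrences; a repeat marker adds its count
    to the preceding message from the same host instead of emitting lines.
    expanded_bytes is what line-by-line expansion would have written.
    """
    counts = Counter()
    expanded_bytes = 0
    prev_key, prev_len = None, 0
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.match(line)
        if not m:
            continue  # not a syslog-formatted line
        host, body = m.group(2), m.group(3)
        rep = REPEAT.match(body)
        if rep:
            # A marker with no preceding message from this host is ignored.
            if prev_key is not None and prev_key[0] == host:
                n = int(rep.group(1))  # untrusted, but only ever used as a number
                counts[prev_key] += n
                expanded_bytes += n * prev_len
            continue
        prev_key, prev_len = (host, body), len(line) + 1
        counts[prev_key] += 1
        expanded_bytes += prev_len
    return counts, expanded_bytes

# Constructed sample input (hypothetical host name and message text).
SAMPLE = [
    "Jun 28 03:40:01 gw portsentry[412]: attackalert: UDP scan from host 192.0.2.7\n",
    "Jun 28 03:40:09 gw previous message repeated 110229 times\n",
    "Jun 28 03:41:00 gw sshd[900]: session opened for user alice\n",
    "Jun 28 03:41:02 gw previous message repeated 900000000000 times\n",
]

if __name__ == "__main__":
    counts, cost = summarize(SAMPLE)
    for (host, msg), n in counts.most_common():
        print(f"{n:>14}  {host}  {msg}")
    print(f"expansion would have written {cost} bytes")
```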