Hi,

I ran csyslogd through valgrind and found that the problem is that 
fstat64 requires a stat64 struct, but the calloc on csyslogd.c:48 is allocating a 
struct stat. fstat64 is corrupting the heap.


==13788== Syscall param fstat64(buf) points to unaddressable byte(s)
==13788==    at 0x2545D3: __fxstat64@@GLIBC_2.2 (in /lib/libc-2.5.so)
==13788==    by 0x806189B: fstat64 (in /root/ossec-csyslogd)
==13788==    by 0x805716C: Handle_Queue (file-queue.c:121)
==13788==    by 0x8057294: Init_FileQueue (file-queue.c:165)
==13788==    by 0x804A417: OS_CSyslogD (csyslogd.c:49)
==13788==    by 0x804AD96: main (main.c:188)
==13788==  Address 0x40370fc is 0 bytes after a block of size 372 alloc'd
==13788==    at 0x4004C42: calloc (vg_replace_malloc.c:418)
==13788==    by 0x804A3A1: OS_CSyslogD (csyslogd.c:48)
==13788==    by 0x804AD96: main (main.c:188)


I am attaching two patch files. fstat-debug.patch is how I debugged this 
issue. csyslogd-crash-fix.patch has the actual fix. 

Hope this helps 

Sethu


On Friday, 17 May 2013 21:19:38 UTC-4, Jb Cheng wrote:
>
> csyslogd crashed when trying to read alerts.log file, at the line 
> starting with '** Alert'. 
> For example, 
> ** Alert 1368839704.12015: - pam,syslog,authentication_success,
>
> It was trying to allocate memory for the alertid (e.g., 1368839704.12015) 
> but failed to do so. 
>
> If you can identify the alerts.log file lines when this happened, it may 
> be useful.
> Also, which XML tag was causing it? 
>
>
> On Saturday, May 11, 2013 8:32:55 AM UTC-7, Xme wrote:
>>
>> Hi Jb,
>>
>> FYI, I'm working on a patch for OSSEC and it makes my csyslogd crash 
>> too! 
>> It coredumps here:
>>
>> (gdb) bt
>> #0  0x0025af40 in ?? () from /lib/tls/i686/cmov/libc.so.6
>> #1  0x0025cd4c in malloc () from /lib/tls/i686/cmov/libc.so.6
>> #2  0x0805a5e8 in GetAlertData (flag=0, fp=0x80791d0) at read-alert.c:246
>> #3  0x08058843 in Read_FileMon (fileq=0x807ddd8, p=0x3486a0, timeout=5) 
>> at file-queue.c:225
>> #4  0x0804abab in OS_CSyslogD (syslog_config=0x807dfb0) at csyslogd.c:91
>> #5  0x0804b4f7 in main (argc=3, argv=0xbffff854) at main.c:185
>>
>> My patch uses a new XML directive in ossec.conf (global). When I disable 
>> the new XML tag, csyslogd works like a charm
>> (version 2.7)
>>
>> Note: Branch is 2.7 stable and csyslogd code was NOT patched!
>>
>> On Thursday, April 18, 2013 2:28:40 AM UTC+2, Jb Cheng wrote:
>>>
>>> Dominique,
>>>
>>> Could you try the 2.7.1 Alpha build from http://www.ossec.net/?page_id=19 and 
>>> see if the issue is still there? 
>>>
>>> On Tuesday, April 9, 2013 12:00:23 PM UTC-7, Dominique Derrier wrote:
>>>>
>>>> Hi all,
>>>> On a fresh Install I've got :
>>>>
>>>> ./ossec-csyslogd -D /var/ossec -f
>>>> 2013/04/09 14:57:07 ossec-csyslogd: INFO: Started (pid: 17899).
>>>> *** glibc detected *** ./ossec-csyslogd: malloc(): memory corruption: 
>>>> 0x08798990 ***
>>>> Aborted
>>>>
>>>> But no trouble with: -d flag
>>>> ./ossec-csyslogd -D /var/ossec -f -d
>>>>
>>>> Regards,
>>>> Dominique
>>>>
>>>> On Monday, 18 February 2013 08:07:45 UTC-5, Uldis Biks wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I'm trying to enable log forwarding from the ossec server to syslog by 
>>>>> enabling the client-syslog option from the ossec-control script. Running 
>>>>> ossec-control start shows that ossec-csyslogd is started, but after that, 
>>>>> when I run ossec-control status, ossec-csyslogd dies. When debug is 
>>>>> enabled everything is working as it should and syslog receives messages. 
>>>>> Ossec server 2.7, OS RHEL5.9 i386, selinux disabled. 
>>>>> Any idea anyone where the problem could be?
>>>>>
>>>>> [root@~ bin]# ./ossec-control enable client-syslog
>>>>> [root@~ bin]# ./ossec-control restart
>>>>> Killing ossec-monitord ..                     
>>>>> Killing ossec-logcollector ..                 
>>>>> Killing ossec-remoted ..                      
>>>>> Killing ossec-syscheckd ..                    
>>>>> Killing ossec-analysisd ..                    
>>>>> ossec-maild not running ..                    
>>>>> ossec-execd not running ..                    
>>>>> ossec-csyslogd not running ..                 
>>>>> OSSEC HIDS v2.7 Stopped                       
>>>>> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
>>>>> Started ossec-csyslogd...                        
>>>>> 2013/02/18 14:14:25 ossec-maild: INFO: E-Mail notification disabled. 
>>>>> Clean Exit.
>>>>> Started 
>>>>> ossec-maild...                                                          
>>>>> Started 
>>>>> ossec-execd...                                                          
>>>>> Started 
>>>>> ossec-analysisd...                                                      
>>>>> Started 
>>>>> ossec-logcollector...                                                   
>>>>> Started 
>>>>> ossec-remoted...                                                        
>>>>> Started 
>>>>> ossec-syscheckd...                                                      
>>>>> Started 
>>>>> ossec-monitord...                                                       
>>>>> Completed.                              
>>>>> [root@~ bin]# ./ossec-control status                         
>>>>> ossec-monitord is running...                                          
>>>>> ossec-logcollector is running...                                      
>>>>> ossec-remoted is running...                                           
>>>>> ossec-syscheckd is running...                                         
>>>>> ossec-analysisd is running...                                         
>>>>> ossec-maild not running...                                            
>>>>> ossec-execd not running...                                            
>>>>> ossec-csyslogd: Process 6678 not used by ossec, removing ..           
>>>>> ossec-csyslogd not running...     
>>>>>
>>>>> ossec.log contains only one record about ossec-csyslogd, otherwise 
>>>>> it's clean:
>>>>> 2013/02/18 14:14:25 ossec-csyslogd: INFO: Started (pid: 6678).
>>>>>
>>>>> [root@~ bin]# ./ossec-control enable debug
>>>>> [root@~ bin]# ./ossec-control restart
>>>>> Killing ossec-monitord ..
>>>>> Killing ossec-logcollector ..
>>>>> Killing ossec-remoted ..
>>>>> Killing ossec-syscheckd ..
>>>>> Killing ossec-analysisd ..
>>>>> ossec-maild not running ..
>>>>> ossec-execd not running ..
>>>>> ossec-csyslogd not running ..
>>>>> OSSEC HIDS v2.7 Stopped
>>>>> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
>>>>> Started ossec-csyslogd...
>>>>> 2013/02/18 14:15:41 ossec-maild: DEBUG: Starting ...
>>>>> 2013/02/18 14:15:41 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
>>>>> Started ossec-maild...
>>>>> Started ossec-execd...
>>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Starting ...
>>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Found user/group ...
>>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Active response initialized ...
>>>>> 2013/02/18 14:15:41 adding rule: ...... [adding all rules]
>>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Read configuration ...
>>>>> Started ossec-analysisd...
>>>>> 2013/02/18 14:15:41 ossec-logcollector: DEBUG: Starting ...
>>>>> Started ossec-logcollector...
>>>>> 2013/02/18 14:15:41 ossec-remoted: DEBUG: Starting ...
>>>>> Started ossec-remoted...
>>>>> 2013/02/18 14:15:41 ossec-rootcheck: DEBUG: Starting ...
>>>>> 2013/02/18 14:15:41 ossec-rootcheck: Starting queue ...
>>>>> 2013/02/18 14:15:42 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '110592'.
>>>>> Started ossec-syscheckd...
>>>>> 2013/02/18 14:15:42 ossec-monitord: DEBUG: Starting ...
>>>>> Started ossec-monitord...
>>>>> Completed.
>>>>> [root@~ bin]# ./ossec-control status
>>>>> ossec-monitord is running...
>>>>> ossec-logcollector is running...
>>>>> ossec-remoted is running...
>>>>> ossec-syscheckd is running...
>>>>> ossec-analysisd is running...
>>>>> ossec-maild not running...
>>>>> ossec-execd not running...
>>>>> ossec-csyslogd is running...
>>>>>
>>>>> ossec.log shows a bit more info now:
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Chrooted to directory: /usr2/ossec, using user: ossecm
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Started (pid: 6883).
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: File queue connected.
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '[syslog server ip]:514'.
>>>>>
>>>>> After disabling debug, the process dies again on the status query.
>>>>>
>>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
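The crash Sethu describes is an ABI disagreement between two translation units: csyslogd.c sized its file_queue with the plain 32-bit struct stat (the 372-byte block in the valgrind output), while file-queue.c, built with large-file support, ran fstat64 on the trailing f_status member and wrote past the end of the heap block. The program below is an added example, not code from the thread or from OSSEC. It models the mismatch with constructed stand-in structs (the 88- and 96-byte sizes approximate i386 struct stat and struct stat64, and the queue_small/queue_large/init_queue_checked names are assumptions) so it reproduces on any platform, counts the overrun bytes with a guard region instead of relying on valgrind, and then shows a defensive size handshake that makes such a mismatch fail loudly instead of corrupting the heap.

```c
/*
 * Added example, not OSSEC code: a portable model of the crash in this thread.
 * Two translation units disagreed about sizeof(struct stat): the allocating TU
 * used the plain 32-bit layout, the consuming TU (built with large-file support)
 * called fstat64 on the same member and overran the heap block.
 * struct names and the 88/96-byte sizes are constructed stand-ins.
 */
#define _FILE_OFFSET_BITS 64    /* the macro that makes stat == stat64 on glibc/i386 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct stat_small  { char bytes[88]; };   /* constructed: layout of i386 struct stat   */
struct stat_large  { char bytes[96]; };   /* constructed: layout of i386 struct stat64 */

struct queue_small { int fd; struct stat_small f_status; };  /* allocator's view */
struct queue_large { int fd; struct stat_large f_status; };  /* consumer's view  */

#define GUARD_LEN  64
#define GUARD_BYTE 0xA5

/* Stand-in for fstat64(): fills f_status using the consumer's (larger) layout. */
static void fill_status_as_large(struct queue_large *q)
{
    memset(&q->f_status, 0x11, sizeof q->f_status);
}

/* Reproduce the bug: allocate with the small layout, write with the large one,
 * and count how many bytes past the block were clobbered (what valgrind reported
 * as "0 bytes after a block of size 372"). */
int overflow_bytes_written(void)
{
    size_t small = sizeof(struct queue_small);
    unsigned char *block = malloc(small + GUARD_LEN);  /* guard region after the object */
    if (block == NULL)
        return -1;
    memset(block, 0, small);
    memset(block + small, GUARD_BYTE, GUARD_LEN);

    fill_status_as_large((struct queue_large *)block);  /* the mismatched write */

    int clobbered = 0;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (block[small + i] != GUARD_BYTE)
            clobbered++;
    free(block);
    return clobbered;  /* sizeof(struct queue_large) - sizeof(struct queue_small) */
}

/* Defensive handshake (assumed pattern, not OSSEC's API): the callee refuses to
 * touch an object whose caller-side size disagrees with its own layout, so a
 * feature-macro mismatch between TUs fails loudly instead of corrupting the heap. */
int init_queue_checked(void *q, size_t caller_size)
{
    if (q == NULL || caller_size != sizeof(struct queue_large))
        return -1;  /* ABI mismatch: refuse rather than overrun */
    fill_status_as_large((struct queue_large *)q);
    return 0;
}

/* The caller allocates with the same layout the callee checks against. */
int init_queue_correct(void)
{
    struct queue_large *q = calloc(1, sizeof *q);
    if (q == NULL)
        return -1;
    int rc = init_queue_checked(q, sizeof *q);
    free(q);
    return rc;
}

/* What the feature macro changes in this TU: with _FILE_OFFSET_BITS=64, off_t is
 * 8 bytes even on i386, and glibc routes stat()/fstat() to the stat64 layout. */
size_t current_tu_off_t_size(void)
{
    return sizeof(off_t);
}

int main(void)
{
    printf("bytes written past the block: %d\n", overflow_bytes_written());
    printf("checked init with matching size: %d\n", init_queue_correct());
    printf("checked init with caller size %zu: %d\n", sizeof(struct queue_small),
           init_queue_checked(NULL, sizeof(struct queue_small)));
    printf("sizeof(off_t) in this TU: %zu\n", current_tu_off_t_size());
    return 0;
}
```

The real fix in the thread is the equivalent of making every TU see the same feature-test macros before any system header is included; the size handshake is the extra check to keep when a struct with a system type inside it crosses a compilation-unit boundary.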


diff -ru ossec-hids-2.7-orig/src/os_csyslogd/csyslogd.c ossec-hids-2.7/src/os_csyslogd/csyslogd.c
--- ossec-hids-2.7-orig/src/os_csyslogd/csyslogd.c	2012-11-08 21:24:55.000000000 -0500
+++ ossec-hids-2.7/src/os_csyslogd/csyslogd.c	2013-05-21 18:38:58.000000000 -0400
@@ -46,6 +46,12 @@
 
     /* Initating file queue - to read the alerts */
     os_calloc(1, sizeof(file_queue), fileq);
+    debug2("sizeof(file_queue) is %u " , sizeof(file_queue));
+    debug2("sizeof(struct stat) is %u " , sizeof(struct stat));
+    debug2("sizeof(struct stat64) is %u " , sizeof(struct stat64));
+    debug2("&fileq = %x" ,fileq );
+    debug2("&fileq->f_status = %x" ,fileq );
+
     while( (Init_FileQueue(fileq, p, 0) ) < 0 ) {
         tries++;
         if( tries > OS_CSYSLOGD_MAX_TRIES ) {
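Review bot: the last added line passes fileq where &fileq->f_status is meant, so the two pointer lines print the same address and the offset of f_status, the member that fstat64 overruns, never reaches the log; change it to `debug2("&fileq->f_status = %p", (void *)&fileq->f_status);`. The sizeof values are size_t printed with %u and the pointers are printed with %x; use %zu and %p so the output stays correct on 64-bit builds. Since this is the allocating TU, also log sizeof(fileq->f_status) here: that number, compared with the one Init_FileQueue prints, is the direct evidence of the mismatch.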
diff -ru ossec-hids-2.7-orig/src/os_maild/maild.c ossec-hids-2.7/src/os_maild/maild.c
--- ossec-hids-2.7-orig/src/os_maild/maild.c	2012-11-08 21:24:55.000000000 -0500
+++ ossec-hids-2.7/src/os_maild/maild.c	2013-05-21 18:41:01.000000000 -0400
@@ -214,6 +214,11 @@
     i = 0;
     i |= CRALERT_MAIL_SET;
     os_calloc(1, sizeof(file_queue), fileq);
+    debug2("sizeof(file_queue) is %u " , sizeof(file_queue));
+    debug2("sizeof(struct stat) is %u " , sizeof(struct stat));
+    debug2("sizeof(struct stat64) is %u " , sizeof(struct stat64));
+    debug2("&fileq = %x" ,fileq );
+    debug2("&fileq->f_status = %x" ,fileq );
     Init_FileQueue(fileq, p, i);
 
 
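Review bot: same defects as the csyslogd.c copy: the fifth debug2 prints fileq instead of &fileq->f_status, and %u/%x are the wrong conversions for size_t and pointers. This block is a verbatim copy of the one in csyslogd.c and of the one added to Init_FileQueue; the caller-side copy is only useful because it is compiled in a different TU, so say so in a comment ("compare with the values logged by Init_FileQueue") and consider a single macro for the block rather than three hand-maintained copies.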
diff -ru ossec-hids-2.7-orig/src/shared/file-queue.c ossec-hids-2.7/src/shared/file-queue.c
--- ossec-hids-2.7-orig/src/shared/file-queue.c	2012-11-08 21:24:55.000000000 -0500
+++ ossec-hids-2.7/src/shared/file-queue.c	2013-05-21 18:30:22.000000000 -0400
@@ -138,6 +138,14 @@
  */
 int Init_FileQueue(file_queue *fileq, struct tm *p, int flags)
 {
+
+    /* Debug messages */
+    debug2("sizeof(file_queue) is %u " , sizeof(file_queue));
+    debug2("sizeof(struct stat) is %u " , sizeof(struct stat));
+    debug2("sizeof(struct stat64) is %u " , sizeof(struct stat64));
+    debug2("&fileq = %x" ,fileq );
+    debug2("&fileq->f_status = %x" ,fileq );
+
     /* Initializing file_queue fields. */
     if(!(flags & CRALERT_FP_SET))
     {
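Review bot: this is the TU that performs the fstat64, so logging sizeof(fileq->f_status) would show which stat layout it actually uses; sizeof(struct stat) and sizeof(struct stat64) are both always defined once the large-file macros are visible and by themselves do not say which one f_status is. The fifth debug2 again passes fileq rather than &fileq->f_status, and the format strings have the same %u/%x problems as the other two copies. Note also that struct stat64 only exists with _LARGEFILE64_SOURCE or _GNU_SOURCE in effect, so a debug build of this file depends on whatever shared.h sets; a comment recording that dependency would help whoever reads the numbers.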
diff -ru ossec-hids-2.7-orig/src/os_csyslogd/csyslogd.c ossec-hids-2.7/src/os_csyslogd/csyslogd.c
--- ossec-hids-2.7-orig/src/os_csyslogd/csyslogd.c	2012-11-08 21:24:55.000000000 -0500
+++ ossec-hids-2.7/src/os_csyslogd/csyslogd.c	2013-05-22 15:12:00.000000000 -0400
@@ -15,16 +15,12 @@
 
 
 
-/* strnlen is a GNU extension */
-#ifdef __linux__
- #define _GNU_SOURCE
- #include <string.h>
-#endif
+#include "shared.h"
+
 #include "csyslogd.h"
 #include "os_net/os_net.h"
 
 
-
 /* OS_SyslogD: Monitor the alerts and sends them via syslog.
  * Only return in case of error.
  */
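Review bot: the hunk gives no indication of why swapping `#define _GNU_SOURCE` plus `<string.h>` for `#include "shared.h"` fixes a heap corruption, and as written it reads like a gratuitous include change. The mail explains the mechanism (csyslogd.c sized file_queue with a struct stat that did not match the one file-queue.c's fstat64 writes into), so add a one-line comment stating that shared.h must come first so this file sees the same feature-test macros as file-queue.c and sizeof(file_queue) agrees across both TUs; also make sure nothing above this point pulls in <sys/stat.h> before shared.h, or the fix silently stops working. Separately, the removed block existed to declare strnlen, per its own comment; if csyslogd.c still calls strnlen, confirm that shared.h defines _GNU_SOURCE before its first <string.h>, otherwise the build regresses to an implicit declaration.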
