Hi, I ran the csyslogd through valgrind and found that the problem is that fstat64 requires a stat64 struct but calloc on csyslogd.c:48 is allocating stat. fstat64 is corrupting the heap.
==13788== Syscall param fstat64(buf) points to unaddressable byte(s)
==13788==    at 0x2545D3: __fxstat64@@GLIBC_2.2 (in /lib/libc-2.5.so)
==13788==    by 0x806189B: fstat64 (in /root/ossec-csyslogd)
==13788==    by 0x805716C: Handle_Queue (file-queue.c:121)
==13788==    by 0x8057294: Init_FileQueue (file-queue.c:165)
==13788==    by 0x804A417: OS_CSyslogD (csyslogd.c:49)
==13788==    by 0x804AD96: main (main.c:188)
==13788==  Address 0x40370fc is 0 bytes after a block of size 372 alloc'd
==13788==    at 0x4004C42: calloc (vg_replace_malloc.c:418)
==13788==    by 0x804A3A1: OS_CSyslogD (csyslogd.c:48)
==13788==    by 0x804AD96: main (main.c:188)

I'm attaching two patch files. fstat-debug.patch is how I debugged this issue. csyslogd-crash-fix.patch has the actual fix.

Hope this helps
Sethu

On Friday, 17 May 2013 21:19:38 UTC-4, Jb Cheng wrote:
>
> csyslogd crashed when trying to read alerts.log file, at the line
> starting with '** Alert'.
> For example,
> ** Alert 1368839704.12015: - pam,syslog,authentication_success,
>
> It was trying to allocate memory for the alertid (e.g., 1368839704.12015)
> but failed to do so.
>
> If you can identify the alerts.log file lines when this happened, it may
> be useful.
> Also, which XML tag was causing it?
>
>
> On Saturday, May 11, 2013 8:32:55 AM UTC-7, Xme wrote:
>>
>> Hi Jb,
>>
>> FYI, I'm working on a patch for OSSEC and it makes my csyslogd crash
>> too!
>> It coredumps here:
>>
>> (gdb) bt
>> #0  0x0025af40 in ?? () from /lib/tls/i686/cmov/libc.so.6
>> #1  0x0025cd4c in malloc () from /lib/tls/i686/cmov/libc.so.6
>> #2  0x0805a5e8 in GetAlertData (flag=0, fp=0x80791d0) at read-alert.c:246
>> #3  0x08058843 in Read_FileMon (fileq=0x807ddd8, p=0x3486a0, timeout=5)
>>     at file-queue.c:225
>> #4  0x0804abab in OS_CSyslogD (syslog_config=0x807dfb0) at csyslogd.c:91
>> #5  0x0804b4f7 in main (argc=3, argv=0xbffff854) at main.c:185
>>
>> My patch uses a new XML directive in ossec.conf (global).
>> When I disable the new XML tag, csyslogd works like a charm
>> (version 2.7)
>>
>> Note: Branch is 2.7 stable and csyslogd code was NOT patched!
>>
>> On Thursday, April 18, 2013 2:28:40 AM UTC+2, Jb Cheng wrote:
>>>
>>> Dominique,
>>>
>>> Could you try 2.7.1 Alpha build from http://www.ossec.net/?page_id=19 and
>>> see if the issue is still there?
>>>
>>> On Tuesday, April 9, 2013 12:00:23 PM UTC-7, Dominique Derrier wrote:
>>>>
>>>> Hi all,
>>>> On a fresh install I've got:
>>>>
>>>> ./ossec-csyslogd -D /var/ossec -f
>>>> 2013/04/09 14:57:07 ossec-csyslogd: INFO: Started (pid: 17899).
>>>> *** glibc detected *** ./ossec-csyslogd: malloc(): memory corruption:
>>>> 0x08798990 ***
>>>> Aborted
>>>>
>>>> But no trouble with: -d flag
>>>> ./ossec-csyslogd -D /var/ossec -f -d
>>>>
>>>> Regards,
>>>> Dominique
>>>>
>>>> On Monday, 18 February 2013 08:07:45 UTC-5, Uldis Biks wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I'm trying to enable log forwarding from the ossec server to syslog by
>>>>> enabling the client-syslog option from the ossec-control script. Running
>>>>> ossec-control start shows that ossec-csyslogd is started but after that running
>>>>> ossec-control status ossec-csyslogd dies. When debug is enabled everything is
>>>>> working as it should and syslog receives messages. Ossec server 2.7, OS
>>>>> RHEL5.9 i386, selinux disabled.
>>>>> Any idea anyone where the problem could be?
>>>>>
>>>>> [root@~ bin]# ./ossec-control enable client-syslog
>>>>> [root@~ bin]# ./ossec-control restart
>>>>> Killing ossec-monitord ..
>>>>> Killing ossec-logcollector ..
>>>>> Killing ossec-remoted ..
>>>>> Killing ossec-syscheckd ..
>>>>> Killing ossec-analysisd ..
>>>>> ossec-maild not running ..
>>>>> ossec-execd not running ..
>>>>> ossec-csyslogd not running ..
>>>>> OSSEC HIDS v2.7 Stopped
>>>>> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
>>>>> Started ossec-csyslogd...
>>>>> 2013/02/18 14:14:25 ossec-maild: INFO: E-Mail notification disabled.
>>>>> Clean Exit.
>>>>> Started ossec-maild...
>>>>> Started ossec-execd...
>>>>> Started ossec-analysisd...
>>>>> Started ossec-logcollector...
>>>>> Started ossec-remoted...
>>>>> Started ossec-syscheckd...
>>>>> Started ossec-monitord...
>>>>> Completed.
>>>>> [root@~ bin]# ./ossec-control status
>>>>> ossec-monitord is running...
>>>>> ossec-logcollector is running...
>>>>> ossec-remoted is running...
>>>>> ossec-syscheckd is running...
>>>>> ossec-analysisd is running...
>>>>> ossec-maild not running...
>>>>> ossec-execd not running...
>>>>> ossec-csyslogd: Process 6678 not used by ossec, removing ..
>>>>> ossec-csyslogd not running...
>>>>>
>>>>> ossec.log contains only one record about ossec-csyslogd, otherwise
>>>>> it's clean.
>>>>> 2013/02/18 14:14:25 ossec-csyslogd: INFO: Started (pid: 6678).
>>>>>
>>>>> [root@~ bin]# ./ossec-control enable debug
>>>>> [root@~ bin]# ./ossec-control restart
>>>>> Killing ossec-monitord ..
>>>>> Killing ossec-logcollector ..
>>>>> Killing ossec-remoted ..
>>>>> Killing ossec-syscheckd ..
>>>>> Killing ossec-analysisd ..
>>>>> ossec-maild not running ..
>>>>> ossec-execd not running ..
>>>>> ossec-csyslogd not running ..
>>>>> OSSEC HIDS v2.7 Stopped
>>>>> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
>>>>> Started ossec-csyslogd...
>>>>> 2013/02/18 14:15:41 ossec-maild: DEBUG: Starting ...
>>>>> 2013/02/18 14:15:41 ossec-maild: INFO: E-Mail notification disabled.
>>>>> Clean Exit.
>>>>> Started ossec-maild...
>>>>> Started ossec-execd...
>>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Starting ...
>>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Found user/group ...
>>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Active response initialized ...
>>>>> 2013/02/18 14:15:41 adding rule: ...... [adding all rules]
>>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Read configuration ...
>>>>> Started ossec-analysisd...
>>>>> 2013/02/18 14:15:41 ossec-logcollector: DEBUG: Starting ...
>>>>> Started ossec-logcollector...
>>>>> 2013/02/18 14:15:41 ossec-remoted: DEBUG: Starting ...
>>>>> Started ossec-remoted...
>>>>> 2013/02/18 14:15:41 ossec-rootcheck: DEBUG: Starting ...
>>>>> 2013/02/18 14:15:41 ossec-rootcheck: Starting queue ...
>>>>> 2013/02/18 14:15:42 ossec-syscheckd: INFO: (unix_domain) Maximum send
>>>>> buffer set to: '110592'.
>>>>> Started ossec-syscheckd...
>>>>> 2013/02/18 14:15:42 ossec-monitord: DEBUG: Starting ...
>>>>> Started ossec-monitord...
>>>>> Completed.
>>>>> [root@~ bin]# ./ossec-control status
>>>>> ossec-monitord is running...
>>>>> ossec-logcollector is running...
>>>>> ossec-remoted is running...
>>>>> ossec-syscheckd is running...
>>>>> ossec-analysisd is running...
>>>>> ossec-maild not running...
>>>>> ossec-execd not running...
>>>>> ossec-csyslogd is running...
>>>>>
>>>>> ossec.log shows a bit more info now:
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Chrooted to directory: /usr2/ossec, using user: ossecm
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Started (pid: 6883).
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: File queue connected.
>>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Forwarding alerts via syslog
>>>>> to: '[syslog servr ip]:514'.
>>>>>
>>>>> After disabling debug on status query process dies again.
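The mismatch Sethu describes above (the caller allocating sizeof(file_queue) with one idea of struct stat while the fstat64 inside Init_FileQueue writes a larger struct stat64 into that block) cannot be caught by the compiler, because each translation unit is internally consistent and only their disagreement is wrong. The example below is added here and is not OSSEC code: it shows the size-handshake pattern in C, where the caller passes the size it actually allocated and the callee refuses to initialise a block of any other size, so a disagreement between compilation units surfaces as an error return rather than as heap corruption. The names queue_t, queue_init and QUEUE_INIT are hypothetical, and the under-size used in demo_mismatch is a constructed mismatch, not a measured one.

```c
/* Added example (not OSSEC code): a struct-size handshake that turns a
 * caller/callee disagreement about sizeof(queue_t) into a detected error
 * instead of an out-of-bounds write. All names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Stand-in for OSSEC's file_queue: the embedded struct stat is the field
 * whose size changes when one translation unit is built with large-file
 * support (struct stat == struct stat64) and another is not. */
typedef struct {
    int fd;
    struct stat f_status;
    char file_name[256];
} queue_t;

/* Callee-side check: the caller reports the size it allocated. If that
 * differs from what this translation unit believes queue_t is, nothing is
 * written to the block. Returns 0 on success, -1 on a size mismatch or
 * NULL pointer. */
int queue_init(queue_t *q, size_t caller_size)
{
    if (q == NULL || caller_size != sizeof(queue_t)) {
        return -1;
    }
    memset(q, 0, sizeof(*q));   /* safe: sizes agree, the block is big enough */
    q->fd = -1;
    return 0;
}

/* Convenience macro so a caller cannot forget to pass its own sizeof. */
#define QUEUE_INIT(q) queue_init((q), sizeof(*(q)))

/* Normal path: caller and callee agree on the layout. Returns 0. */
int demo_ok(void)
{
    queue_t *q = calloc(1, sizeof(queue_t));
    int rc;
    if (q == NULL) {
        return -2;
    }
    rc = QUEUE_INIT(q);
    free(q);
    return rc;
}

/* Simulated bug: the caller claims a smaller size than the callee expects,
 * which is what happens when the caller's unit saw a smaller struct stat.
 * The block is still allocated at full size here so the demonstration
 * itself never touches memory it does not own. Returns -1 (detected). */
int demo_mismatch(void)
{
    size_t wrong_size = sizeof(queue_t) - 8;   /* constructed mismatch */
    queue_t *q = calloc(1, sizeof(queue_t));
    int rc;
    if (q == NULL) {
        return -2;
    }
    rc = queue_init(q, wrong_size);            /* refused, nothing written */
    free(q);
    return rc;
}

int main(void)
{
    printf("matching size:   rc=%d\n", demo_ok());
    printf("mismatched size: rc=%d\n", demo_mismatch());
    return 0;
}
```

The check costs one integer compare per call and catches exactly the failure mode in this thread: had Init_FileQueue taken the caller's sizeof(file_queue) and compared it against its own, the 372-byte block would have been rejected with a log line instead of being overrun by fstat64. It does not replace building every unit with the same feature-test macros; it makes the consequence of getting that wrong a visible error rather than silent corruption.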
diff -ru ossec-hids-2.7-orig/src/os_csyslogd/csyslogd.c ossec-hids-2.7/src/os_csyslogd/csyslogd.c --- ossec-hids-2.7-orig/src/os_csyslogd/csyslogd.c 2012-11-08 21:24:55.000000000 -0500 +++ ossec-hids-2.7/src/os_csyslogd/csyslogd.c 2013-05-21 18:38:58.000000000 -0400 @@ -46,6 +46,12 @@ /* Initating file queue - to read the alerts */ os_calloc(1, sizeof(file_queue), fileq); + debug2("sizeof(file_queue) is %u " , sizeof(file_queue)); + debug2("sizeof(struct stat) is %u " , sizeof(struct stat)); + debug2("sizeof(struct stat64) is %u " , sizeof(struct stat64)); + debug2("&fileq = %x" ,fileq ); + debug2("&fileq->f_status = %x" ,fileq ); + while( (Init_FileQueue(fileq, p, 0) ) < 0 ) { tries++; if( tries > OS_CSYSLOGD_MAX_TRIES ) { diff -ru ossec-hids-2.7-orig/src/os_maild/maild.c ossec-hids-2.7/src/os_maild/maild.c --- ossec-hids-2.7-orig/src/os_maild/maild.c 2012-11-08 21:24:55.000000000 -0500 +++ ossec-hids-2.7/src/os_maild/maild.c 2013-05-21 18:41:01.000000000 -0400 @@ -214,6 +214,11 @@ i = 0; i |= CRALERT_MAIL_SET; os_calloc(1, sizeof(file_queue), fileq); + debug2("sizeof(file_queue) is %u " , sizeof(file_queue)); + debug2("sizeof(struct stat) is %u " , sizeof(struct stat)); + debug2("sizeof(struct stat64) is %u " , sizeof(struct stat64)); + debug2("&fileq = %x" ,fileq ); + debug2("&fileq->f_status = %x" ,fileq ); Init_FileQueue(fileq, p, i); diff -ru ossec-hids-2.7-orig/src/shared/file-queue.c ossec-hids-2.7/src/shared/file-queue.c --- ossec-hids-2.7-orig/src/shared/file-queue.c 2012-11-08 21:24:55.000000000 -0500 +++ ossec-hids-2.7/src/shared/file-queue.c 2013-05-21 18:30:22.000000000 -0400 
@@ -138,6 +138,14 @@ */ int Init_FileQueue(file_queue *fileq, struct tm *p, int flags) { + + /* Debug messages */ + debug2("sizeof(file_queue) is %u " , sizeof(file_queue)); + debug2("sizeof(struct stat) is %u " , sizeof(struct stat)); + debug2("sizeof(struct stat64) is %u " , sizeof(struct stat64)); + debug2("&fileq = %x" ,fileq ); + debug2("&fileq->f_status = %x" ,fileq ); + /* Initializing file_queue fields. */ if(!(flags & CRALERT_FP_SET)) {
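Review bot: in each of the three debug2 blocks (csyslogd.c, maild.c and the top of Init_FileQueue in file-queue.c) the line labelled `&fileq->f_status` passes `fileq` again rather than `&fileq->f_status`, so the two printed addresses are always identical and the offset of f_status inside the queue, which is what the stat/stat64 size question hinges on, is never shown; change the argument to `&fileq->f_status`. The format strings also do not match their arguments: `sizeof` yields size_t, which wants `%zu` rather than `%u`, and pointers should be printed with `%p` rather than `%x`, otherwise the output is undefined where the widths differ. Since the same five lines are pasted verbatim three times, a single helper or macro would keep them consistent.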
diff -ru ossec-hids-2.7-orig/src/os_csyslogd/csyslogd.c ossec-hids-2.7/src/os_csyslogd/csyslogd.c --- ossec-hids-2.7-orig/src/os_csyslogd/csyslogd.c 2012-11-08 21:24:55.000000000 -0500 +++ ossec-hids-2.7/src/os_csyslogd/csyslogd.c 2013-05-22 15:12:00.000000000 -0400 @@ -15,16 +15,12 @@ -/* strnlen is a GNU extension */ -#ifdef __linux__ - #define _GNU_SOURCE - #include <string.h> -#endif +#include "shared.h" + #include "csyslogd.h" #include "os_net/os_net.h" - /* OS_SyslogD: Monitor the alerts and sends them via syslog. * Only return in case of error. */
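Review bot: the hunk drops the `#define _GNU_SOURCE` / `<string.h>` block that the removed comment says exists for strnlen, but nothing in the diff shows where strnlen's declaration now comes from; confirm that `shared.h` or the build's CFLAGS define `_GNU_SOURCE` before `<string.h>` is pulled in, or the file will warn about an implicit declaration on Linux. The change also needs a comment above `#include "shared.h"` explaining why it must be the first include: per the diagnosis upthread, including `<string.h>` before shared.h left this translation unit with a different `struct stat` than file-queue.c used, so `os_calloc(1, sizeof(file_queue), fileq)` produced the 372-byte block that the fstat64 in Handle_Queue wrote past, as the valgrind trace shows. Without that comment the next reordering of the includes will silently reintroduce the heap corruption.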