Bug#985383: auditd: Stopping of auditd service cause segmentation fault
Control: fixed -1 1:3.0-2
Control: tags -1 + upstream fixed-upstream

Dear Maintainer,
I tried to reproduce this issue and got this backtrace:

(gdb) bt
#0  0x7f52d57cf7e4 in _IO_new_fclose (fp=0x0) at iofclose.c:48
#1  0x55884d86fec0 in shutdown_events () at ../../../src/auditd-event.c:122
#2  0x55884d86d421 in close_down () at ../../../src/auditd.c:1012
#3  0x55884d86c9a7 in main (argc=, argv=) at ../../../src/auditd.c:995

https://sources.debian.org/src/audit/1:2.8.4-3/src/auditd-event.c/#L122

It looks like upstream has already fixed this issue in this commit,
which is already included in the current version in testing:
https://github.com/linux-audit/audit-userspace/commit/e42602b7b246ae62e7a12e9cd91f0ac37b1b1968
https://sources.debian.org/src/audit/1:3.0-2/src/auditd-event.c/#L142

Kind regards,
Bernhard


# single-use Buster/stable amd64 qemu VM 2021-03-31

apt update
apt dist-upgrade
apt install systemd-coredump mc gdb auditd auditd-dbgsym

service auditd stop
cp -a /etc/audit/auditd.conf /etc/audit/auditd.conf.orig
sed -i 's@write_logs = yes@write_logs = no@g' /etc/audit/auditd.conf
sed -i 's@log_file = /var/log/audit/audit.log@#log_file =@g' /etc/audit/auditd.conf
service auditd start
service auditd stop

journalctl -f
Mär 31 17:00:07 debian systemd[1]: Stopping Security Auditing Service...
Mär 31 17:00:07 debian audit[1261]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=1261 comm="auditd" exe="/usr/sbin/auditd" sig=11 res=1
Mär 31 17:00:07 debian kernel: auditd[1261]: segfault at 0 ip 7f52d57cf7e4 sp 7ffe709d0790 error 4 in libc-2.28.so[7f52d5782000+148000]
Mär 31 17:00:07 debian kernel: Code: 00 64 44 89 23 85 c0 75 d4 e9 3b ff ff ff 0f 1f 84 00 00 00 00 00 e8 fb a4 00 00 e9 09 ff ff ff e8 d1 af 09 00 90 41 54 55 53 <8b> 07 48 89 fb f6 c4 20 0f 85 9e 00 00 00 89 c2 81 e2 00 80 00 00
Mär 31 17:00:07 debian systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Mär 31 17:00:07 debian systemd[1]: Started Process Core Dump (PID 1304/UID 0).
Mär 31 17:00:07 debian audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=systemd-coredump@0-1304-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mär 31 17:00:07 debian systemd[1]: auditd.service: Main process exited, code=dumped, status=11/SEGV
Mär 31 17:00:07 debian systemd[1]: auditd.service: Failed with result 'core-dump'.
Mär 31 17:00:07 debian systemd[1]: Stopped Security Auditing Service.
Mär 31 17:00:07 debian audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Mär 31 17:00:07 debian kernel: audit: type=1131 audit(1617202807.556:30): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Mär 31 17:00:07 debian systemd-coredump[1305]: Process 1261 (auditd) of user 0 dumped core.
    Stack trace of thread 1261:
    #0  0x7f52d57cf7e4 fclose (libc.so.6)
    #1  0x55884d86fec0 n/a (auditd)
    #2  0x55884d86d421 n/a (auditd)
    #3  0x55884d86c9a7 n/a (auditd)
    #4  0x7f52d578409b __libc_start_main (libc.so.6)
    #5  0x55884d86cf4a n/a (auditd)
Mär 31 17:00:07 debian systemd[1]: systemd-coredump@0-1304-0.service: Succeeded.
Mär 31 17:00:07 debian audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=systemd-coredump@0-1304-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mär 31 17:00:07 debian kernel: audit: type=1131 audit(1617202807.592:31): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=systemd-coredump@0-1304-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

root@debian:~# coredumpctl list
TIME                            PID   UID   GID SIG COREFILE  EXE
Wed 2021-03-31 17:00:07 CEST   1261     0     0  11 present   /usr/sbin/auditd

root@debian:~# coredumpctl gdb 1261
           PID: 1261 (auditd)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 11 (SEGV)
     Timestamp: Wed 2021-03-31 17:00:07 CEST (1min 30s ago)
  Command Line: /sbin/auditd
    Executable: /usr/sbin/auditd
 Control Group: /system.slice/auditd.service
          Unit: auditd.service
         Slice: system.slice
       Boot ID: 13704ca5860b4e1ca1d50c521516559a
    Machine ID: 33f18f39d2a9438eb75b0ed52848afcd
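
Added example, not part of the original message or of the audit sources: the backtrace above shows fclose() reached with fp=0x0 from shutdown_events() once write_logs = no leaves the log file unopened. The C below places that unguarded pattern next to a guarded shutdown; struct event_log and the log_* functions are hypothetical names, and the guard illustrates the bug class rather than reproducing the upstream commit.

```c
#include <stdio.h>

/* Hypothetical stand-in for the daemon's log state; not auditd's own types. */
struct event_log {
    int write_logs;  /* mirrors write_logs = yes/no in auditd.conf */
    FILE *fp;        /* stays NULL when write_logs is off */
};

/* Open the log file only when logging to disk is enabled. */
int log_init(struct event_log *l, int write_logs, const char *path)
{
    l->write_logs = write_logs;
    l->fp = NULL;
    if (!write_logs)
        return 0;
    l->fp = fopen(path, "a");
    return l->fp ? 0 : -1;
}

/* Unguarded form, shown for contrast and never called here: with
 * write_logs off this is fclose(NULL), which glibc dereferences (SIGSEGV). */
int log_shutdown_unguarded(struct event_log *l)
{
    return fclose(l->fp);
}

/* Guarded form: a no-op when no file was opened, and safe to call twice. */
int log_shutdown(struct event_log *l)
{
    int rc = 0;
    if (l->fp != NULL) {
        rc = fclose(l->fp);
        l->fp = NULL;
    }
    return rc;
}

int main(void)
{
    struct event_log l;
    /* /dev/null is a constructed sample path for the demo. */
    log_init(&l, 0, "/dev/null");
    printf("write_logs=no  shutdown -> %d\n", log_shutdown(&l));
    log_init(&l, 1, "/dev/null");
    printf("write_logs=yes shutdown -> %d\n", log_shutdown(&l));
    printf("repeated shutdown      -> %d\n", log_shutdown(&l));
    return 0;
}
```

Resetting the pointer to NULL after fclose() also covers a shutdown path that runs more than once.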
Bug#985383: auditd: Stopping of auditd service cause segmentation fault
Package: auditd
Version: 1:2.8.4-3
Severity: important
Tags: upstream

Dear Maintainer,

   * What led up to the situation?
Stop auditd service using 'service auditd stop'
Modify the following settings in /etc/audit/auditd.conf:
write_logs = no
#log_file =

   * What exactly did you do (or not do) that was effective (or ineffective)?
Start the auditd service using 'service auditd start'; and then
Stop the auditd service using 'service auditd stop'
Check the status of auditd using 'service auditd status'

   * What was the outcome of this action?
auditd status is showing the following:
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: core-dump) since Wed 2021-03-17 09:39:27 ACDT; 2s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 9564 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
  Process: 9569 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
 Main PID: 9565 (code=dumped, signal=SEGV)

   * What outcome did you expect instead?
Expected auditd not to seg fault.
Following is the expected outcome:
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2021-03-17 10:04:16 ACDT; 1s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 9705 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
  Process: 9710 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
 Main PID: 9706 (code=exited, status=0/SUCCESS)

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages auditd depends on:
ii  libaudit1         1:2.8.4-3
ii  libauparse0       1:2.8.4-3
ii  libc6             2.28-10
ii  libgssapi-krb5-2  1.17-3+deb10u1
ii  libkrb5-3         1.17-3+deb10u1
ii  libwrap0          7.6.q-28
ii  lsb-base          10.2019051400
ii  mawk              1.3.3-17+b3

auditd recommends no packages.

Versions of packages auditd suggests:
pn  audispd-plugins

-- Configuration Files:
/etc/audisp/audispd.conf [Errno 13] Permission denied: '/etc/audisp/audispd.conf'
/etc/audisp/plugins.d/af_unix.conf [Errno 13] Permission denied: '/etc/audisp/plugins.d/af_unix.conf'
/etc/audisp/plugins.d/syslog.conf [Errno 13] Permission denied: '/etc/audisp/plugins.d/syslog.conf'
/etc/audit/audit-stop.rules [Errno 13] Permission denied: '/etc/audit/audit-stop.rules'
/etc/audit/auditd.conf [Errno 13] Permission denied: '/etc/audit/auditd.conf'
/etc/audit/rules.d/audit.rules [Errno 13] Permission denied: '/etc/audit/rules.d/audit.rules'

-- no debconf information