On 06/07/16 at 20:13, Steve Grubb wrote:
Hello,

I received the strace file which made the email too big for the mail list.
I'm including the important part below.

On Wednesday, July 6, 2016 6:31:00 PM EDT Laurent Bigonville wrote:
On 06/07/16 at 18:23, Steve Grubb wrote:
So, I'm not sure why you are getting a
core dump. If this is reproducible it might be good to get an strace to see
what is being handed to writev. Or maybe try it from valgrind to see if
that gives additional information.
Valgrind is a bit broken in debian unstable due to the compressed debug
symbols.

I've attached here the output of strace

[pid  1595] write(4</var/log/audit/audit.log>, "type=SYSCALL msg=audit(1467798264.913:1259): 
arch=c000003e syscall=47 success=yes exit=267 a0=6 a1=7ffe30a5e630 a2=40000040 a3=ffffffff items=0 ppid=1 pid=1108 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
comm=\"systemd-journal\" exe=\"/lib/systemd/systemd-journald\" 
subj=system_u:system_r:syslogd_t:s0 key=(null)\n", 364) = 364
[pid  1595] fstatfs(4</var/log/audit/audit.log>, {f_type=EXT2_SUPER_MAGIC, 
f_bsize=4096, f_blocks=3838052, f_bfree=1172381, f_bavail=987245, f_files=977280, 
f_ffree=703441, f_fsid={9930339, 726475040}, f_namelen=255, f_frsize=4096, 
f_flags=ST_VALID|ST_RELATIME}) = 0

This shows that it made it to write_to_log and then called check_log_file_size

[pid  1595] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, 
si_addr=0x90430527} ---
[pid  1602] +++ killed by SIGSEGV (core dumped) +++
+++ killed by SIGSEGV (core dumped) +++

The traceback is not accurate. We are somewhere else in the code. I am going
to bet that it's crashing on trying to ack because in the netlink path it's not
getting set to NULL. I updated svn with a 1 line fix. Can you either pull the
new code from svn and try it or add this patch to your build?

https://fedorahosted.org/audit/changeset/1320/trunk/src/auditd.c

Let me know if this does it.

Seems to be OK with that patch,

Thanks

Laurent Bigonville

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
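
Added example, not part of the thread and not auditd's code: a minimal C sketch of the failure mode discussed above, where one construction path leaves an ack pointer unset and the later NULL check passes on stale heap contents. The struct, field and function names are hypothetical, and the 0x90 fill is a constructed stand-in for a recycled heap chunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical event record; names are illustrative, not taken from auditd. */
struct event {
    void (*ack)(void *);   /* meant to be set only when an ack is expected */
    char msg[64];
};

/* Constructed stand-in for a recycled heap chunk: fill it with junk so the
 * stale contents are deterministic instead of undefined. */
static struct event *alloc_dirty(void)
{
    struct event *e = malloc(sizeof(*e));
    if (e)
        memset(e, 0x90, sizeof(*e));
    return e;
}

/* "Before": this path fills in the message but never touches e->ack. */
struct event *new_event_unfixed(const char *msg)
{
    struct event *e = alloc_dirty();
    if (!e)
        return NULL;
    snprintf(e->msg, sizeof(e->msg), "%s", msg);
    return e;
}

/* "After": the only difference is clearing the pointer on this path too. */
struct event *new_event_fixed(const char *msg)
{
    struct event *e = alloc_dirty();
    if (!e)
        return NULL;
    e->ack = NULL;
    snprintf(e->msg, sizeof(e->msg), "%s", msg);
    return e;
}

/* Consumer-side guard: non-NULL means "call it". With junk in the field the
 * guard passes and the call would jump to an unmapped address (SEGV_MAPERR). */
int would_call_ack(const struct event *e) { return e->ack != NULL; }

int main(void)
{
    struct event *a = new_event_unfixed("demo"), *b = new_event_fixed("demo");
    if (!a || !b)
        return 1;
    printf("unfixed: %d, fixed: %d\n", would_call_ack(a), would_call_ack(b));
    free(a);
    free(b);
    return 0;
}
```

Allocating with calloc, or initialising every field in a single constructor shared by all paths, removes this class of bug.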
