On Mon, Dec 2, 2013 at 3:10 PM, Darin Perusich <[email protected]> wrote:
> On Wed, Nov 27, 2013 at 12:23 PM, Darin Perusich <[email protected]> wrote:
>> On Wed, Nov 27, 2013 at 12:22 PM, Darin Perusich <[email protected]> wrote:
>>> --
>>> Later,
>>> Darin
>>>
>>>
>>> On Wed, Nov 27, 2013 at 12:11 PM, dan (ddp) <[email protected]> wrote:
>>>> On Wed, Nov 27, 2013 at 11:41 AM, Darin Perusich <[email protected]> wrote:
>>>>> On Tue, Nov 26, 2013 at 2:15 PM, Darin Perusich <[email protected]> wrote:
>>>>>> On Tue, Nov 26, 2013 at 12:59 PM, dan (ddp) <[email protected]> wrote:
>>>>>>> On Tue, Nov 26, 2013 at 12:57 PM, Darin Perusich <[email protected]>
>>>>>>> wrote:
>>>>>>>> This "fixed" remoted. What's so special about this included zlib,
>>>>>>>> other than being 8.5 years old and getting ever more unmaintained? I
>>>>>>>> haven't had a chance to diff it against upstream yet.
>>>>>>>>
>>>>>>>
>>>>>>> I don't know actually. I remember the Debian folks mentioning
>>>>>>> differences and possibly trying to push some upstream.
>>>>>>>
>>>>>>
>>>>>> Looks like I spoke too soon, I'm still getting the segfault with
>>>>>> ossec-remoted built against the provided zlib. This is giving me a bit
>>>>>> of a headache. Let me keep poking around and see if I can come up with
>>>>>> anything else.
>>>>>
>>>>> Ok, so I'm looking at this again and ossec-remoted is built with the
>>>>> provided zlib and it's still segfaulting. What other info can I
>>>>> provide to keep this moving, any additional gdb output, valgrind,
>>>>> building w/ specific debug flags (other than -g)?
>>>>>
>>>>
>>>> Is the trace in gdb the same?
>>>>
>>>
>>> It is, but here's the output again.
>>>
>>> # gdb /var/ossec/bin/ossec-remoted
>>> GNU gdb (GDB) SUSE (7.5.1-2.1.1)
>>> Copyright (C) 2012 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later
>>> <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "x86_64-suse-linux".
>>> For bug reporting instructions, please see:
>>> <http://www.gnu.org/software/gdb/bugs/>...
>>> Reading symbols from /var/ossec/bin/ossec-remoted...done.
>>> (gdb) set follow-fork-mode child
>>> (gdb) run -d
>>> Starting program: /var/ossec/bin/ossec-remoted -d
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> 2013/11/27 12:21:22 ossec-remoted: DEBUG: Starting ...
>>> [New process 3486]
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> [New process 3487]
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> [New process 3488]
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> [New Thread 0x7ffff6fd8700 (LWP 3489)]
>>> [New Thread 0x7ffff67d7700 (LWP 3490)]
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> [Switching to Thread 0x7ffff7fdf700 (LWP 3488)]
>>> 0x0000000000424726 in OS_StartCounter (keys=0x6525a0 <keys>) at msgs.c:89
>>> warning: Source file is more recent than executable.
>>> 89 if((keys->keyentries[i -1]->fp) && (i > 10))
>>> (gdb) where
>>> #0 0x0000000000424726 in OS_StartCounter (keys=0x6525a0 <keys>) at
>>> msgs.c:89
>>> #1 0x0000000000404845 in HandleSecure () at secure.c:85
>>> #2 0x0000000000404708 in HandleRemote (position=0, uid=493) at
>>> remoted.c:102
>>> #3 0x0000000000403234 in main (argc=2, argv=0x7fffffffe1d8) at main.c:151
>>> (gdb) list
>>> 84 if(!keys->keyentries[i]->fp)
>>> 85 {
>>> 86 int my_error = errno;
>>> 87
>>> 88 /* Just in case we run out of file descriptiors */
>>> 89 if((keys->keyentries[i -1]->fp) && (i > 10))
>>> 90 {
>>> 91 fclose(keys->keyentries[i -1]->fp);
>>> 92
>>> 93 if(keys->keyentries[i -2]->fp)
>>
>>
>> (gdb) bt full
>> #0 0x0000000000424726 in OS_StartCounter (keys=0x6525a0 <keys>) at msgs.c:89
>> my_error = 13
>> i = 0
>> rids_file =
>> "/queue/rids/001\000\000\256\377\377\377\177\000\000\022*\226R\000\000\000\000\340\347\273\367\377\177\000\000\300\325e\000\000\000\000\000\260\256\377\377\377\177\000\000!tB",
>> '\000' <repeats 13 times>, "BLC", '\000' <repeats 13 times>,
>> "\020\000\000\000\060\000\000\000\300\256\377\377\377\177\000\000\000\256\377\377\377\177\000\000\000\000\000\000\000\000\000\000@KC\000\000\000\000\000H\000\000\000\000\000\000\000@\002\000\000\000\000\000\000\001\000\000\000\000\000\000\000\005",
>> '\000' <repeats 88 times>"\256,
>> \377\377\377\177\000\000צ\377\377\377\177\000\000"
>> #1 0x0000000000404845 in HandleSecure () at secure.c:85
>> agentid = 0
>> buffer = '\000' <repeats 1928 times>,
>> "\002\030\336\367\377\177", '\000' <repeats 67 times>"\300,
>> \000\000\000\000\000\000\254\260\000\000\000\000\000\000\254\260",
>> '\000' <repeats 14 times>, "\005\000\000\000\000\000\000\000\000\260
>> \000\000\000\000\000\000\320 \000\000\000\000\000\030\303
>> \000\000\000\000\000H\307
>> \000\000\000\000\000\000\260\000\000\000\000\000\000\003", '\000'
>> <repeats 31 times>"\320, \004", '\000' <repeats 14 times>, "P", '\000'
>> <repeats 39 times>,
>> "\003\000\000\000\060\000\000\000[\000\000\000n\000\000\000w\000\000\000|",
>> '\000' <repeats 11 times>,
>> "@\226\273\367\377\177\000\000\031\000\000\000\000\000\000\000\320ie\000\000\000\000\000\020ee\000\000\000\000\000\031",
>> '\000' <repeats 15 times>,
>> "3\366\210\367\377\177\000\000\320ie\000\000\000\000\000\000"...
>> cleartext_msg = '\000' <repeats 5264 times>, "@", '\000'
>> <repeats 35 times>,
>> "\001\000\000\000\002\000\000\000\060\000\000\000[\000\000\000n\000\000\000w\000\000\000|",
>> '\000' <repeats 11 times>,
>> "@\226\273\367\377\177\000\000\200\305\377\377\377\177\000\000PKe\000\000\000\000\000\200\305\377\377\377\177\000\000\220)@\000\000\000\000\000PKe\000\000\000\000\000Ȉ\210\367\377\177\000\000\000\000\000\000\000\000\000\000PKe\000\000\000\000\000\200\305\377\377\377\177\000\000\376\226\210\367\377\177\000\000PKe\000\000\000\000\000WK\210\367\377\177\000\000\000\000\000\000\000\000\000\000\034\370B\000\000\000\000\000\000\000\000\000\003\000\000\000PKe\000\000\000\000\000PKe\000\000\000\000\000\000\000\000\000\377\377\377\377\000\336\377\377\377\177\000\000\205\002C",
>> '\000' <repeats 13 times>,
>> "0\337\377\377\377\177\000\000\000\000\000\000\000\000\000\000P"...
>> srcip = '\000' <repeats 16 times>
>> tmp_msg = 0x6f <Address 0x6f out of bounds>
>> srcmsg = '\000' <repeats 256 times>
>> recv_b = 32767
>> peer_info = {sin_family = 0, sin_port = 0, sin_addr = {s_addr
>> = 0}, sin_zero = "\000\000\000\000\000\000\000"}
>> peer_size = 0
>> #2 0x0000000000404708 in HandleRemote (position=0, uid=493) at remoted.c:102
>> No locals.
>> #3 0x0000000000403234 in main (argc=2, argv=0x7fffffffe1d8) at main.c:151
>> i = 0
>> c = -1
>> uid = 493
>> gid = 494
>> test_config = 0
>> run_foreground = 0
>> cfg = 0x433fe0 "/var/ossec/etc/ossec.conf"
>> dir = 0x433ffa "/var/ossec"
>> user = 0x434005 "ossecr"
>> group = 0x43400c "ossec"
>> (gdb)
>
>
> So we've figured this out, and it can be chalked up to a bug in the error
> handling of the code. The owner of /var/ossec/queue/rids was user
> "ossec" and not "ossecr"; this was causing the segfault instead
> of giving a permission denied error or something to that effect.
>
> A patch will be forthcoming.
Here's the patch. I don't have a bitbucket account so this will have
to do for now.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
diff -ur ossec-hids-2.7.1.orig/src/os_crypto/shared/msgs.c ossec-hids-2.7.1/src/os_crypto/shared/msgs.c
--- ossec-hids-2.7.1.orig/src/os_crypto/shared/msgs.c 2013-10-29 14:13:44.000000000 -0400
+++ ossec-hids-2.7.1/src/os_crypto/shared/msgs.c 2013-12-02 15:06:18.897247391 -0500
@@ -86,7 +86,7 @@
int my_error = errno;
/* Just in case we run out of file descriptiors */
- if((keys->keyentries[i -1]->fp) && (i > 10))
+ if((i > 10) && (keys->keyentries[i -1]->fp))
{
fclose(keys->keyentries[i -1]->fp);
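Review bot: Swapping the operands so `(i > 10)` is evaluated before `keys->keyentries[i -1]->fp` is the right fix for the crash shown in the backtrace (i = 0 there, so the old order read keyentries[-1] before the guard), but the failure that led into this branch is still not surfaced: `my_error` is captured two lines above (13, EACCES, per the "bt full" output) and nothing in the hunk reports it, so a queue/rids directory owned by the wrong user still produces no permission-denied diagnostic from this block. Suggest logging `strerror(my_error)` together with the rids path when the close-and-retry branch is not taken, so the misownership Darin describes is visible at startup. Minor: `i -1` spacing is inconsistent with the rest of the condition; `i - 1` would read better.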
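The root cause Darin describes (a failed open on the rids file taking an error path that dereferences the previous table entry before checking that one exists) is easy to model in isolation. The following is an added example written for this thread, not OSSEC code: the type names (keyentry_t, keystore_t), open_rids(), start_counter() and the demo_* helpers are all hypothetical. A bounds-checked accessor stands in for the raw array index so the unpatched ordering can be exercised without actually crashing, open_rids() fails with EACCES the way a queue/rids directory owned by the wrong user would, and the hardened start_counter() reports errno instead of continuing with a NULL fp.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 16

/* Hypothetical stand-ins for an OSSEC key table: only the counter fp matters. */
typedef struct { FILE *fp; } keyentry_t;
typedef struct { keyentry_t entries[MAX_KEYS]; int keysize; } keystore_t;

/* Counts accesses outside the table. In the real binary such an access is
 * undefined behaviour, which is what produced the SIGSEGV in the thread. */
static int oob_reads = 0;

/* Bounds-checked lookup so the unpatched ordering can run without crashing. */
static keyentry_t *entry_at(keystore_t *keys, int idx)
{
    if (idx < 0 || idx >= keys->keysize) {
        oob_reads++;
        return NULL;
    }
    return &keys->entries[idx];
}

/* Unpatched ordering: entries[i-1] is fetched before i > 10 is tested, so the
 * first key (i == 0, as in the backtrace) reads index -1. */
static int prev_fp_open_buggy(keystore_t *keys, int i)
{
    keyentry_t *prev = entry_at(keys, i - 1);
    return (prev != NULL && prev->fp != NULL) && (i > 10);
}

/* Patched ordering: the index test comes first and && short-circuits, so
 * entries[i-1] is only touched when i-1 is a valid index. */
static int prev_fp_open_fixed(keystore_t *keys, int i)
{
    if (!(i > 10))
        return 0;
    keyentry_t *prev = entry_at(keys, i - 1);
    return prev != NULL && prev->fp != NULL;
}

/* Stand-in for fopen() on a per-agent rids file. With deny set it fails the way
 * a directory owned by the wrong user does: NULL and errno == EACCES (13, the
 * my_error value in the "bt full" output). Otherwise a throwaway file is used. */
static FILE *open_rids(int deny)
{
    if (deny) { errno = EACCES; return NULL; }
    return tmpfile();
}

static void close_all(keystore_t *keys)
{
    for (int i = 0; i < keys->keysize; i++)
        if (keys->entries[i].fp) { fclose(keys->entries[i].fp); keys->entries[i].fp = NULL; }
}

/* Opens a counter file for every key. On failure it guards the index before
 * looking at the previous entry, reports errno, and returns -1 instead of
 * carrying on with a NULL fp. Returns 0 when every file opened. */
static int start_counter(keystore_t *keys, int deny, int *err_out)
{
    for (int i = 0; i < keys->keysize; i++) {
        keys->entries[i].fp = open_rids(deny);
        if (keys->entries[i].fp != NULL)
            continue;
        int my_error = errno;
        if (prev_fp_open_fixed(keys, i)) {            /* free one descriptor, if any */
            fclose(keys->entries[i - 1].fp);
            keys->entries[i - 1].fp = NULL;
        }
        fprintf(stderr, "cannot open rids file for key %d: %s (errno %d)\n",
                i, strerror(my_error), my_error);
        if (err_out) *err_out = my_error;
        close_all(keys);
        return -1;
    }
    return 0;
}

/* Scenarios with fixed outcomes, so each can be checked by return value. */
int demo_oob_reads(int use_fixed)      /* check at i == 0: buggy -> 1, fixed -> 0 */
{
    keystore_t ks = {0};
    ks.keysize = 4;
    oob_reads = 0;
    if (use_fixed) prev_fp_open_fixed(&ks, 0); else prev_fp_open_buggy(&ks, 0);
    return oob_reads;
}

int demo_denied_errno(void)            /* wrong owner: EACCES reported, no crash */
{
    keystore_t ks = {0};
    int err = 0;
    ks.keysize = 4;
    oob_reads = 0;
    if (start_counter(&ks, 1, &err) != -1 || oob_reads != 0) return -1;
    return err;
}

int demo_all_opened(void)              /* readable directory: every entry has a file */
{
    keystore_t ks = {0};
    ks.keysize = 4;
    int ok = start_counter(&ks, 0, NULL) == 0 && ks.entries[3].fp != NULL;
    close_all(&ks);
    return ok;
}
```

The two prev_fp_open_* functions differ only in operand order, which is exactly the one-line change in the patch; demo_oob_reads(0) shows the unpatched form touching index -1 on the very first key, while the denied scenario shows why the misownership should have been reported as EACCES rather than reaching that branch at all.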