[PATCH] auparse: add a check to au->source_list to ensure it is not null

车烈权 liequan.che at i-soft.com.cn
Wed May 8 10:53:15 UTC 2013


Hi all:

I found a bug: the auvirt process generates a core dump when there is no file
named audit.log, in the case where /var/log/audit/audit.log has been removed by
someone.

I made a patch to solve this problem.

Index: auparse/auparse.c

===================================================================

--- auparse/auparse.c   (版本 814)

+++ auparse/auparse.c   (工作副本)

@@ -806,7 +806,7 @@

                case AUSOURCE_FILE:

                case AUSOURCE_FILE_ARRAY:

                        // if the first time through, open file

-                       if (au->list_idx == 0 && au->in == NULL) {

+                       if (au->list_idx == 0 && au->in == NULL &&
au->source_list != NULL) {

                                if (au->source_list[au->list_idx] == NULL) {

                                        errno = 0;

                                        return -2;
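
Review bot: With `au->source_list != NULL` added to the outer condition at the "if the first time through, open file" branch, a NULL list skips the whole open-file block instead of taking the existing `return -2` path, so the function continues past the block with `au->in` still NULL. The code after the block is not visible in this hunk, so please confirm it tolerates that state, or handle NULL explicitly by leaving the outer condition unchanged and extending the inner test to `if (au->source_list == NULL || au->source_list[au->list_idx] == NULL) {`, which reports the empty source the same way as an empty list. The gdb dump further down shows `source = AUSOURCE_LOGS` with `source_list = 0x0` after "No log file" was printed, so the state is set up before this function runs; it is worth checking whether the caller should stop at that earlier failure as well. The `+` line has also been wrapped by the mailer (the condition continues on a separate line without a `+` marker), so the patch will not apply as sent; please resend it unwrapped or as an attachment.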

[clq at localhost trunk]# auvirt

Unable to open /var/log/audit/audit.log (No such file or directory)

No log file

Segmentation fault (core dumped)


The backtrace is as follows:

Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `./tools/auvirt/.libs/lt-auvirt'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fb2cc547b24 in retrieve_next_line (au=0x682830) at auparse.c:810
810                                     if (au->source_list[au->list_idx] == NULL) {
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.107.el6.x86_64
(gdb) bt
#0  0x00007fb2cc547b24 in retrieve_next_line (au=0x682830) at auparse.c:810
#1  auparse_next_event (au=0x682830) at auparse.c:958
#2  0x00007fb2cc547c52 in auparse_first_record (au=<value optimized out>) at auparse.c:1131
#3  0x00007fb2cc547d77 in ausearch_next_event (au=0x682830) at auparse.c:923
#4  0x00000000004043b8 in main (argc=<value optimized out>, argv=<value optimized out>) at auvirt.c:1542
(gdb) f 0
#0  0x00007fb2cc547b24 in retrieve_next_line (au=0x682830) at auparse.c:810
810                                     if (au->source_list[au->list_idx] == NULL) {
(gdb) p *au
$1 = {source = AUSOURCE_LOGS, source_list = 0x0, list_idx = 0, in = 0x0, line_number = 0, next_buf = 0x0, off = 0, cur_buf = 0x0,
  line_pushed = 0, le = {head = 0x0, cur = 0x0, cnt = 0, e = {sec = 0, milli = 0, serial = 0, host = 0x0}}, expr = 0x680c90,
  find_field = 0x0, search_where = AUSEARCH_STOP_EVENT, parse_state = EVENT_EMPTY, databuf = {flags = 0, alloc_size = 0,
    alloc_ptr = 0x0, offset = 0, len = 0, max_len = 0}, callback = 0, callback_user_data = 0x0, callback_user_data_destroy = 0}
(gdb) p au->source_list
$2 = (char **) 0x0
(gdb)

Best Regards!
