Debian Bug report logs - #351312
Segmentation fault when sent the HUP signal
Reported by: "Edward J. Shornock" <ed@crazeecanuck.homelinux.net>
Date: Sat, 4 Feb 2006 00:18:04 UTC
Severity: grave
Tags: security, sid
Found in version syslog-ng/1.9.8.1+20060128-1
Fixed in version syslog-ng/1.9.9-1
Done: SZALAY Attila <sasa@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#351312; Package syslog-ng.
Acknowledgement sent to "Edward J. Shornock" <ed@crazeecanuck.homelinux.net>:
New Bug report received and forwarded. Copy sent to SZALAY Attila <sasa@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: syslog-ng
Version: 1.9.8.1+20060128-1
Severity: critical
For the last few weeks I've had a problem with SQLGrey aborting and mail
being rejected. The problem each time was that syslog-ng was no longer
running and SQLgrey wasn't handling the missing syslog daemon more
gracefully. Syslog-ng would segfault during logrotate's run.
Stracing the syslog-ng process while running logrotate yielded the
following:
*** /tmp/syslog-ng.strace
--- SIGHUP (Hangup) @ 0 (0) ---
sigreturn() = ? (mask now [])
gettimeofday({1139010317, 110357}, NULL) = 0
time([1139010317]) = 1139010317
gettimeofday({1139010317, 110529}, NULL) = 0
time(NULL) = 1139010317
time(NULL) = 1139010317
open("/etc/syslog-ng/syslog-ng.conf", O_RDONLY) = 24
ioctl(24, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeea498) = -1 ENOTTY (Inappropriate ioctl for device)
fstat64(24, {st_mode=S_IFREG|0644, st_size=9537, ...}) = 0
mmap2(NULL, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e51000
read(24, "#\n# Configuration file for syslo"..., 131072) = 9537
open("/etc/group", O_RDONLY) = 31
fcntl64(31, F_GETFD) = 0
fcntl64(31, F_SETFD, FD_CLOEXEC) = 0
_llseek(31, 0, [0], SEEK_CUR) = 0
fstat64(31, {st_mode=S_IFREG|0644, st_size=1717, ...}) = 0
mmap2(NULL, 1717, PROT_READ, MAP_SHARED, 31, 0) = 0xb7fd5000
_llseek(31, 1717, [1717], SEEK_SET) = 0
munmap(0xb7fd5000, 1717) = 0
close(31) = 0
open("/etc/passwd", O_RDONLY) = 31
fcntl64(31, F_GETFD) = 0
fcntl64(31, F_SETFD, FD_CLOEXEC) = 0
_llseek(31, 0, [0], SEEK_CUR) = 0
fstat64(31, {st_mode=S_IFREG|0644, st_size=3537, ...}) = 0
mmap2(NULL, 3537, PROT_READ, MAP_SHARED, 31, 0) = 0xb7fd5000
_llseek(31, 3537, [3537], SEEK_SET) = 0
munmap(0xb7fd5000, 3537) = 0
close(31) = 0
open("/etc/passwd", O_RDONLY) = 31
fcntl64(31, F_GETFD) = 0
fcntl64(31, F_SETFD, FD_CLOEXEC) = 0
_llseek(31, 0, [0], SEEK_CUR) = 0
fstat64(31, {st_mode=S_IFREG|0644, st_size=3537, ...}) = 0
mmap2(NULL, 3537, PROT_READ, MAP_SHARED, 31, 0) = 0xb7fd5000
_llseek(31, 3537, [3537], SEEK_SET) = 0
munmap(0xb7fd5000, 3537) = 0
close(31) = 0
open("/etc/passwd", O_RDONLY) = 31
fcntl64(31, F_GETFD) = 0
fcntl64(31, F_SETFD, FD_CLOEXEC) = 0
_llseek(31, 0, [0], SEEK_CUR) = 0
fstat64(31, {st_mode=S_IFREG|0644, st_size=3537, ...}) = 0
mmap2(NULL, 3537, PROT_READ, MAP_SHARED, 31, 0) = 0xb7fd5000
_llseek(31, 3537, [3537], SEEK_SET) = 0
munmap(0xb7fd5000, 3537) = 0
close(31) = 0
read(24, "", 131072) = 0
read(24, "", 131072) = 0
ioctl(24, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfee9f38) = -1 ENOTTY (Inappropriate ioctl for device)
close(24) = 0
munmap(0xb7e51000, 131072) = 0
close(3) = 0
close(4) = 0
close(30) = 0
close(11) = 0
close(8) = 0
close(9) = 0
close(7) = 0
close(15) = 0
close(12) = 0
close(19) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
stat64("/dev/log", {st_mode=S_IFSOCK|0666, st_size=0, ...}) = 0
unlink("/dev/log") = 0
bind(3, {sa_family=AF_FILE, path="/dev/log"}, 11) = 0
listen(3, 255) = 0
chmod("/dev/log", 0666) = 0
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY) = 4
socket(PF_FILE, SOCK_STREAM, 0) = 7
fcntl64(7, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0
stat64("/dev/log", {st_mode=S_IFSOCK|0666, st_size=0, ...}) = 0
unlink("/dev/log") = 0
bind(7, {sa_family=AF_FILE, path="/dev/log"}, 11) = 0
listen(7, 255) = 0
chmod("/dev/log", 0666) = 0
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY) = 8
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
kill(13168, SIGSEGV) = 0
sigreturn() = ? (mask now [])
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
Severity of the report set as critical since in my opinion the lack of a
logging daemon can be a security problem.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (650, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-ck3-1-p4
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages syslog-ng depends on:
ii libc6 2.3.5-12.1 GNU C Library: Shared libraries an
ii util-linux 2.12r-6 Miscellaneous system utilities
Versions of packages syslog-ng recommends:
ii logrotate 3.7.1-2 Log rotation utility
-- no debconf information
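In the strace output above, after the SIGHUP `/dev/log` is bound on fd 3 and again on fd 7, and `/proc/kmsg` is opened on fds 4 and 8, with no `close()` of the first descriptor in between. The following is an added example, not part of the bug report, that flags this pattern in strace output; `analyze_reload` is a hypothetical helper and the sample is abridged from the trace above. The trace alone does not establish the root cause.

```python
import re

# Abridged from the strace output quoted in the report above.
SAMPLE_TRACE = '''\
--- SIGHUP (Hangup) @ 0 (0) ---
open("/etc/syslog-ng/syslog-ng.conf", O_RDONLY) = 24
open("/etc/passwd", O_RDONLY) = 31
close(31) = 0
open("/etc/passwd", O_RDONLY) = 31
close(31) = 0
close(24) = 0
close(3) = 0
close(4) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
bind(3, {sa_family=AF_FILE, path="/dev/log"}, 11) = 0
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY) = 4
socket(PF_FILE, SOCK_STREAM, 0) = 7
bind(7, {sa_family=AF_FILE, path="/dev/log"}, 11) = 0
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY) = 8
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
'''

OPEN_RE = re.compile(r'^open\("(?P<path>[^"]+)".*\) = (?P<fd>\d+)$')
BIND_RE = re.compile(r'^bind\((?P<fd>\d+), \{.*path="(?P<path>[^"]+)"\}.*\) = 0$')
CLOSE_RE = re.compile(r'^close\((\d+)\) = 0$')
SIGNAL_RE = re.compile(r'^--- (SIG\w+) ')

def analyze_reload(trace):
    """Return (duplicates, crashed) for the last SIGHUP reload in a trace.

    duplicates lists (path, held_fd, new_fd) for each path opened or bound
    again while an earlier descriptor for it is still held.
    """
    held, duplicates, in_reload, crashed = {}, [], False, False
    for line in map(str.strip, trace.splitlines()):
        if (m := SIGNAL_RE.match(line)):
            if m.group(1) == "SIGHUP":       # a new reload starts here
                duplicates, in_reload, crashed = [], True, False
            elif m.group(1) == "SIGSEGV":    # only counts after a SIGHUP
                crashed = in_reload
        elif (m := CLOSE_RE.match(line)):
            held.pop(int(m.group(1)), None)  # descriptor released
        elif (m := OPEN_RE.match(line) or BIND_RE.match(line)):
            path, fd = m["path"], int(m["fd"])
            held.pop(fd, None)               # fd number reused by the kernel
            if in_reload:
                duplicates += [(path, old, fd) for old, p in held.items() if p == path]
            held[fd] = path
    return duplicates, crashed
```

The three `/etc/passwd` opens in the full trace are not flagged, because each is closed before the next one.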
Information forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#351312; Package syslog-ng.
Acknowledgement sent to "Edward J. Shornock" <ed@crazeecanuck.homelinux.net>:
Extra info received and forwarded to list. Copy sent to SZALAY Attila <sasa@debian.org>.
Message #10 received at 351312@bugs.debian.org:
Running ltrace on the syslog-ng process at the time of the segfault
showed:
free(0x80b2cd8) = <void>
free(0x80eb798) = <void>
free(0x815e358) = <void>
free(0x80d40f8) = <void>
free(0x809d8f8) = <void>
free(0x80b2d00) = <void>
free(0x80b5ab8) = <void>
free(0x80eaf80) = <void>
free(0x80ac8b8) = <void>
--- SIGSEGV (Segmentation fault) ---
getpid() = 31536
kill(31536, 11) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
I've been able to successfully get syslog-ng to segfault by running
/etc/init.d/syslog-ng reload, but it does not segfault *every time*. I
guess I've been unlucky enough for the logrotate script to pick the
"right time" to crash syslog-ng. :/
Please see the attached file for more of the ltrace output, if it'd
be useful in tracking down/squashing this bug.
If any more information from me would be useful, please let me know.
[syslog-ng.ltrace-output (text/plain, attachment)]
Severity set to `grave'.
Request was from Edward J. Shornock <ed@crazeecanuck.homelinux.net>
to control@bugs.debian.org.
Tags added: sid
Request was from Edward J. Shornock <ed@crazeecanuck.homelinux.net>
to control@bugs.debian.org.
Changed Bug title.
Request was from Edward J. Shornock <ed@crazeecanuck.homelinux.net>
to control@bugs.debian.org.
Severity set to `grave'.
Request was from Edward J. Shornock <ed@crazeecanuck.homelinux.net>
to control@bugs.debian.org.
Tags added: security
Request was from Edward J. Shornock <ed@crazeecanuck.homelinux.net>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#351312; Package syslog-ng.
Acknowledgement sent to Balazs Scheidler <bazsi@balabit.hu>:
Extra info received and forwarded to list. Copy sent to SZALAY Attila <sasa@debian.org>.
Message #25 received at 351312@bugs.debian.org:
It seems that the crash is caused by some kind of heap corruption. The
backtrace and the ltrace file are of no real use as the damage was done
somewhat earlier.
The best way to track this down is to make it reproducible on my
machine, but for that I probably need your configuration file. Running
syslog-ng with unlimited core file limit (ulimit -c unlimited) and
mailing me the core file and all the binaries (syslog-ng and everything
it depends on) could also help.
I'm currently running syslog-ng under valgrind with 4 sources (file,
udp, tcp, kernel log), HUPing it every second while also sending some
messages. It did not crash so far and the messages of valgrind do not
indicate anything serious. So, I'm unable to do anything else right now.
--
Bazsi
Information forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#351312; Package syslog-ng.
Acknowledgement sent to Balazs Scheidler <bazsi@balabit.hu>:
Extra info received and forwarded to list. Copy sent to SZALAY Attila <sasa@debian.org>.
Message #30 received at 351312@bugs.debian.org:
Hi,
It seems that I was finally able to reproduce the problem and fixed it
in my tla archive. The patch is a little bit large so I'm not posting it
here, however the daily snapshot (due at midnight in CET, e.g. about 6
hours from now) should contain the fix.
I'll probably create a new release in the next couple of days.
--
Bazsi
Reply sent to SZALAY Attila <sasa@debian.org>:
You have taken responsibility.
Notification sent to "Edward J. Shornock" <ed@crazeecanuck.homelinux.net>:
Bug acknowledged by developer.
Message #35 received at 351312-close@bugs.debian.org:
Source: syslog-ng
Source-Version: 1.9.9-1
We believe that the bug you reported is fixed in the latest version of
syslog-ng, which is due to be installed in the Debian FTP archive:
syslog-ng_1.9.9-1.diff.gz
to pool/main/s/syslog-ng/syslog-ng_1.9.9-1.diff.gz
syslog-ng_1.9.9-1.dsc
to pool/main/s/syslog-ng/syslog-ng_1.9.9-1.dsc
syslog-ng_1.9.9-1_i386.deb
to pool/main/s/syslog-ng/syslog-ng_1.9.9-1_i386.deb
syslog-ng_1.9.9.orig.tar.gz
to pool/main/s/syslog-ng/syslog-ng_1.9.9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 351312@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
SZALAY Attila <sasa@debian.org> (supplier of updated syslog-ng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 28 Feb 2006 22:34:33 +0100
Source: syslog-ng
Binary: syslog-ng
Architecture: source i386
Version: 1.9.9-1
Distribution: unstable
Urgency: low
Maintainer: SZALAY Attila <sasa@debian.org>
Changed-By: SZALAY Attila <sasa@debian.org>
Description:
syslog-ng - Next generation logging daemon
Closes: 349571 351312
Changes:
syslog-ng (1.9.9-1) unstable; urgency=low
.
* New upstream version.
- Added missing macro definitions. (Closes: #349571)
- Fixed Source reference counting. (Closes: #351312)
Files:
70d79d923d6687ba7d575a20533abf62 612 admin extra syslog-ng_1.9.9-1.dsc
5508830b3302a7abf8f77f8d76769e0d 300086 admin extra syslog-ng_1.9.9.orig.tar.gz
bbeea5fe5aca0104fbcf1624df760e7d 7666 admin extra syslog-ng_1.9.9-1.diff.gz
9361fb2e5a6f3adc2aa8761d5a8e5e8d 158384 admin extra syslog-ng_1.9.9-1_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 15:08:32 GMT).
Last modified: Sun Jan 14 01:11:47 2024