https://bugzilla.balabit.com/show_bug.cgi?id=105 Summary: syslog-ng --no-caps option causes segmentation fault if compiled with caps support in hardened gentoo Product: syslog-ng Version: unspecified Platform: PC OS/Version: Linux Status: NEW Severity: normal Priority: unspecified Component: syslog-ng AssignedTo: bazsi@balabit.hu ReportedBy: dk@i-zet.ru Type of the Report: bug Estimated Hours: 0.0 The syslog-ng --no-caps option causes a segmentation fault when syslog-ng is compiled with Linux capability support on a hardened Gentoo system. This is from the build log: syslog-ng Open Source Edition 3.1.2 configured Compiler options: compiler : x86_64-pc-linux-gnu-gcc -std=gnu99 compiler options : -O2 -pipe -fforce-addr -mtune=nocona -march=nocona -Wall -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/eventlog -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 linker flags : -Wl,-O1 -Wl,--as-needed prefix : /usr linking mode : dynamic Features: Sun STREAMS support : no Sun Door support : no Debug symbols : no GCC profiling : no Memtrace : no IPV6 support : no spoof-source support : no tcp-wrapper support : yes SSL support : yes SQL support : no Linux capability support : yes PCRE support : yes Env wrapper support : no
Source configured.
System parameters: # syslog-ng --version syslog-ng 3.1.2 Installer-Version: 3.1.2 Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#8bf13c304b6ab5fc1a372b49d55c78370efe14ca Compile-Date: Dec 15 2010 21:10:17 Enable-Threads: off Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-Sun-STREAMS: off Enable-Sun-Door: off Enable-IPv6: off Enable-Spoof-Source: off Enable-TCP-Wrapper: on Enable-SSL: on Enable-SQL: off Enable-Linux-Caps: on Enable-Pcre: on # # # uname -a Linux xxxxxx 2.6.32-hardened-r29 #1 SMP Fri Dec 3 14:08:35 MSK 2010 x86_64 Intel(R) Xeon(R) CPU X5450 @ 3.00GHz GenuineIntel GNU/Linux # # gcc -v Using built-in specs. Target: x86_64-pc-linux-gnu Configured with: /var/tmp/portage/sys-devel/gcc-4.4.4-r2/work/gcc-4.4.4/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.4.4 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.4.4/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.4 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.4/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.4/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.4.4/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --disable-fixed-point --without-ppl --without-cloog --disable-nls --with-system-zlib --disable-werror --enable-secureplt --enable-multilib --enable-libmudflap --disable-libssp --enable-esp --enable-libgomp --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/4.4.4/python --enable-checking=release --disable-libgcj --enable-languages=c,c++ --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=http://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 4.4.4-r2 p1.2, pie-0.4.5' Thread model: posix gcc version 4.4.4 (Gentoo Hardened 4.4.4-r2 p1.2, pie-0.4.5) # glibc - 2.11.2-r3 Example: $ $ /usr/sbin/syslog-ng -F -v -d --no-caps Segmentation fault $ $ strace /usr/sbin/syslog-ng -F -v -d --no-caps 
execve("/usr/sbin/syslog-ng", ["/usr/sbin/syslog-ng", "-F", "-v", "-d", "--no-caps"], [/* 33 vars */]) = 0 brk(0) = 0x3cdf13cf10 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3752a0cc000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=51584, ...}) = 0 mmap(NULL, 51584, PROT_READ, MAP_PRIVATE, 3, 0) = 0x3752a0bf000 close(3) = 0 open("/usr/lib/libglib-2.0.so.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320{\1\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=981792, ...}) = 0 mmap(NULL, 3079320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37529bc2000 mprotect(0x37529cb0000, 2097152, PROT_NONE) = 0 mmap(0x37529eb0000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xee000) = 0x37529eb0000 close(3) = 0 open("/usr/lib/libevtlog.so.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\31\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=18184, ...}) = 0 mmap(NULL, 2113664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x375299bd000 mprotect(0x375299c1000, 2093056, PROT_NONE) = 0 mmap(0x37529bc0000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x37529bc0000 close(3) = 0 open("/usr/lib/libssl.so.1.0.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0Pa\1\0\0\0\0\0"..., 832) = 832 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3752a0be000 fstat(3, {st_mode=S_IFREG|0555, st_size=386928, ...}) = 0 mmap(NULL, 2482512, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3752975e000 mprotect(0x375297b5000, 2093056, PROT_NONE) = 0 mmap(0x375299b4000, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x56000) = 0x375299b4000 close(3) = 0 open("/usr/lib/libcrypto.so.1.0.0", O_RDONLY) = 3 read(3, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@U\6\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0555, st_size=1845904, ...}) = 0 mmap(NULL, 3956384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37529398000 mprotect(0x37529538000, 2093056, PROT_NONE) = 0 mmap(0x37529737000, 147456, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19f000) = 0x37529737000 mmap(0x3752975b000, 11936, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3752975b000 close(3) = 0 open("/lib/libwrap.so.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@1\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=35552, ...}) = 0 mmap(NULL, 2132968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3752918f000 mprotect(0x37529197000, 2093056, PROT_NONE) = 0 mmap(0x37529396000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x37529396000 close(3) = 0 open("/lib/libcap.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\26\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=18408, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3752a0bd000 mmap(NULL, 2113856, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37528f8a000 mprotect(0x37528f8e000, 2093056, PROT_NONE) = 0 mmap(0x3752918d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x3752918d000 close(3) = 0 open("/lib/libpcre.so.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\30\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=198368, ...}) = 0 mmap(NULL, 2293824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37528d59000 mprotect(0x37528d89000, 2093056, PROT_NONE) = 0 mmap(0x37528f88000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2f000) = 0x37528f88000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0~\354\1\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1354792, ...}) = 0 mmap(NULL, 3463976, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37528a0b000 mprotect(0x37528b4f000, 2097152, PROT_NONE) = 0 mmap(0x37528d4f000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x144000) = 0x37528d4f000 mmap(0x37528d54000, 19240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37528d54000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\r\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=14320, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3752a0bc000 mmap(NULL, 2109600, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37528807000 mprotect(0x37528809000, 2097152, PROT_NONE) = 0 mmap(0x37528a09000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37528a09000 close(3) = 0 open("/lib/libz.so.1", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p \0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=87936, ...}) = 0 mmap(NULL, 2183312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x375285f1000 mprotect(0x37528606000, 2093056, PROT_NONE) = 0 mmap(0x37528805000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14000) = 0x37528805000 close(3) = 0 open("/lib/libattr.so.1", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\25\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=22360, ...}) = 0 mmap(NULL, 2117664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x375283eb000 mprotect(0x375283ef000, 2097152, PROT_NONE) = 0 mmap(0x375285ef000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x375285ef000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3752a0bb000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3752a0ba000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3752a0b9000 arch_prctl(ARCH_SET_FS, 0x3752a0ba700) = 0 mprotect(0x375285ef000, 4096, PROT_READ) = 0 mprotect(0x37528805000, 4096, PROT_READ) = 0 mprotect(0x37528a09000, 4096, PROT_READ) = 0 mprotect(0x37528d4f000, 16384, PROT_READ) = 0 mprotect(0x37528f88000, 4096, PROT_READ) = 0 mprotect(0x3752918d000, 4096, PROT_READ) = 0 mprotect(0x37529396000, 4096, PROT_READ) = 0 mprotect(0x37529737000, 106496, PROT_READ) = 0 mprotect(0x375299b4000, 16384, PROT_READ) = 0 mprotect(0x37529bc0000, 4096, PROT_READ) = 0 mprotect(0x37529eb0000, 4096, PROT_READ) = 0 mprotect(0x3cdf136000, 8192, PROT_READ) = 0 mprotect(0x3752a0ce000, 4096, PROT_READ) = 0 munmap(0x3752a0bf000, 51584) = 0 brk(0) = 0x3cdf13cf10 brk(0x3cdf15df10) = 0x3cdf15df10 brk(0x3cdf15e000) = 0x3cdf15e000 setrlimit(RLIMIT_NOFILE, {rlim_cur=4*1024, rlim_max=4*1024}) = 0 setsid() = 13612 prctl(PR_SET_KEEPCAPS, 1) = 0 capget(0x20080522, 0, NULL) = -1 EFAULT (Bad address) --- SIGSEGV (Segmentation fault) @ 0 (0) --- +++ killed by SIGSEGV +++ Segmentation fault $ In the trace above, the last calls before the SIGSEGV are prctl(PR_SET_KEEPCAPS, 1) and capget(), which fails with EFAULT, so the process still makes capability-related calls even though --no-caps was given. It is quite possible that this is a bug specific to hardened Gentoo: I could not reproduce it on a non-hardened system. -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.