Bug 234209 - regression: audit_warn(5) loops indefinitely if script /etc/security/audit_warn takes longer than 0.87s to execute
Summary: regression: audit_warn(5) loops indefinitely if script /etc/security/audit_wa...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: Conrad Meyer
URL: https://github.com/openbsm/openbsm/is...
Keywords: regression
Depends on:
Blocks:
 
Reported: 2018-12-20 13:35 UTC by Marie Helene Kvello-Aune
Modified: 2019-11-28 00:47 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marie Helene Kvello-Aune 2018-12-20 13:35:35 UTC
We've run into a problem where the audit_warn(5) script /etc/security/audit_warn is called endlessly in a loop if it takes longer than 0.87s to execute.

Reproduction steps:
echo "sleep 1" >> /etc/security/audit_warn
and restart/hup the appropriate services.
Comment 1 Marie Helene Kvello-Aune 2019-04-24 13:27:26 UTC
For information: This bug still exists with 12.0-RELEASE-p3 and 13-CURRENT r346594.

Complete reproduction example: (this will overwrite /etc/security/audit_warn)
at << EOF >/etc/security/audit_warn                                                                                                                      #!/bin/sh                                                                                                                                                   echo "audit warning: $@" | wall                                                                                                                             sleep 1                                                                                                                                                     EOF 

# audit -n

expected behaviour: For the script to be executed once
actual behaviour: script is repeatedly executed, seemingly forever.
Remove "sleep 1" from the above script and it's called exactly one.

Real-world case: actions performed by this script take more than 1s to do their thing, and end up being called repeatedly for the same message.
Comment 2 Marie Helene Kvello-Aune 2019-05-09 13:05:27 UTC
I've found the commit which introduced the bug, and created a ticket with OpenBSM upstream: https://github.com/openbsm/openbsm/issues/52
Comment 3 Conrad Meyer freebsd_committer 2019-05-09 16:17:17 UTC
I have proposed a solution on upstream Github, so I might as well take the FreeBSD PR.
Comment 4 Conrad Meyer freebsd_committer 2019-10-13 17:41:00 UTC
Fixed upstream in https://github.com/openbsm/openbsm/pull/45 by Alan. I don’t know if we’ve imported that version of OpenBSM into base yet.
Comment 5 Conrad Meyer freebsd_committer 2019-11-28 00:46:44 UTC
Better Nate than Lever.
Comment 6 commit-hook freebsd_committer 2019-11-28 00:47:06 UTC
A commit references this bug:

Author: cem
Date: Thu Nov 28 00:46:03 UTC 2019
New revision: 355155
URL: https://svnweb.freebsd.org/changeset/base/355155

Log:
  auditd(8): fix long-standing uninitialized memory use bug

  The bogus use could lead to an infinite loop depending on how fast the
  audit_warn script to execute.

  By fixing read(2) interruptibility, d060887 (r335899) revealed another bug
  in auditd_wait_for_events.  When read is interrupted by SIGCHLD,
  auditd_reap_children will always return with errno set to ECHILD.  But
  auditd_wait_for_events checks errno after that point, expecting it to be
  unchanged since read.  As a result, it calls auditd_handle_trigger with bogus
  stack garbage.  The result is the error message "Got unknown trigger 48."  Fix
  by simply ignoring errno at that point; there's only one value it could've
  possibly had, thanks to the check up above.

  The best part is we've had a fix for this for like 18 months and just never
  merged it.  Merge it now.

  PR:		234209
  Reported by:	Marie Helene Kvello-Aune <freebsd AT mhka.no> (2018-12)
  Submitted by:	asomers (2018-07)
  Reviewed by:	me (in OpenBSM)
  Obtained from:	OpenBSM
  X-MFC-With:	r335899
  Security:	?\_(?)_/?
  Differential Revision:	https://github.com/openbsm/openbsm/pull/45

Changes:
  head/contrib/openbsm/bin/auditd/auditd_fbsd.c