segfault when ls /a/b/c/*

Question

segfault when ls /a/b/c/*

uiteindelijkwordtallesbagger opened this issue a year ago · 2 comments

uiteindelijkwordtallesbagger commented a year ago

Checklist before starting to submit this bug report

I confirm that:

I am submitting a bug report! :)
I have tested this with the latest stable Snoopy version (or the latest master build).
I have checked the FAQ.
[ x] I have read Snoopy's documentation here and here.
[x ] I have searched Snoopy issues for an existing issue that matches my problem, and found none.

Bug description

I get an segmentation fault when running ls /usr/lib/x86_64-linux-gnu/gconv/* or cp /usr/lib/x86_64-linux-gnu/gconv/* mynewdir
gdb shows it is caused by snoopy. However adding a -v flag does not throw a segfault.

Bug reproduction steps

ls /usr/lib/x86_64-linux-gnu/gconv/*

Expected result

list of files.

Actual result

Segmentation fault

extra information

sudo apt show snoopy
Package: snoopy
Version: 2.4.12-1
Priority: optional
Section: admin
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Installed-Size: 124 kB
Depends: libc6 (>= 2.7), debconf (>= 0.5) | debconf-2.0
Homepage: https://github.com/a2o/snoopy/
Tag: admin::logging, interface::commandline, role::program, scope::utility,
 works-with::logfile, works-with::software:running
Download-Size: 46.0 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.nl.debian.org/debian bullseye/main amd64 Packages
Description: execve() wrapper and logger
 snoopy is merely a shared library that is used as a wrapper
 to the execve() function provided by libc as to log every call
 to syslog (authpriv).  system administrators may find snoopy
 useful in tasks such as light/heavy system monitoring, tracking other
 administrator's actions as well as getting a good 'feel' of
 what's going on in the system (for example Apache running cgi
 scripts).
 .
 This type of monitoring can be bypassed by hostile users, and should
 not be considered a secure replacement for tools like auditd.

uname -a
Linux hostname 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux

root@hostname:~# gdb /bin/bash 
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /bin/bash...
(No debugging symbols found in /bin/bash)
(gdb) set args -c 'ls /usr/lib/x86_64-linux-gnu/gconv/*'
(gdb) run
Starting program: /usr/bin/bash -c 'ls /usr/lib/x86_64-linux-gnu/gconv/*'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e2b357 in unlink_chunk (p=p@entry=0x5555556a1680, av=0x7ffff7f77b80 <main_arena>) at malloc.c:1459
1459	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7e2b357 in unlink_chunk (p=p@entry=0x5555556a1680, av=0x7ffff7f77b80 <main_arena>) at malloc.c:1459
#1  0x00007ffff7e2bbbb in _int_free (av=0x7ffff7f77b80 <main_arena>, p=0x5555556a0e70, have_lock=<optimized out>) at malloc.c:4342
#2  0x00007ffff7fc118a in snoopy_datasource_cmdline () from /lib/snoopy.so
#3  0x00007ffff7fc005a in snoopy_message_generateFromFormat () from /lib/snoopy.so
#4  0x00007ffff7fbfe48 in snoopy_log_syscall_exec () from /lib/snoopy.so
#5  0x00007ffff7fc3606 in execve () from /lib/snoopy.so
#6  0x000055555559abb2 in shell_execve ()
#7  0x000055555559b53c in ?? ()
#8  0x000055555559e5ff in execute_command_internal ()
#9  0x00005555555f11c9 in parse_and_execute ()
#10 0x00005555555850fa in ?? ()
#11 0x0000555555583950 in main ()
(gdb) l
1454	in malloc.c

last 25 lines of strace
readlink("/proc/self/fd/0", "/dev/pts/0", 4095) = 10
stat("/dev/pts/0", {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0), ...}) = 0
stat("/dev/pts/0", {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0), ...}) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=3554, ...}) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 3554
close(3)                                = 0
getuid()                                = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=3554, ...}) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 3554
close(3)                                = 0
getuid()                                = 0
geteuid()                               = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=3554, ...}) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 3554
close(3)                                = 0
geteuid()                               = 0
getcwd("/root", 4097)                   = 6
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7f00f27d2bf0} ---
+++ killed by SIGSEGV +++

Answer 1 · 2023-07-15T21:10:21.000Z

Hey @uiteindelijkwordtallesbagger!

Situation summary in short:

Snoopy version 2.4.12 is "ancient".
From my side, only the latest Snoopy version is supported.
The package you're using has been created by someone else (in case you want to ask them for support, but it's probably a waste of everyone's time).

Best next steps:

Test this with the latest version of Snoopy (currently 2.5.1). I think you're hitting a bug that has been fixed in version 2.4.14 (changelog here: https://github.com/a2o/snoopy/blob/master/ChangeLog)
To simplify this process, and if I am reading your uname output correctly (you have Debian Bullseye x64), you can use one of the Debian packages I started providing since 2.5.0 (info here: https://github.com/a2o/snoopy/blob/master/doc/install-from-repo.md).
Report back the results.

Cheers.

Answer 2 · 2023-07-26T09:06:18.000Z

Thanks,

I ran the command that gave the segmentation fault. With the version that is in the default debian repo.
I updated the repo and upgraded snoopy.
Ran the same command again: No segmentation Fault!

So everything is working again.

apt show snoopy

Package: snoopy
Version: 2.5.1-1~bullseye
Priority: optional
Section: admin
Maintainer: Bostjan Skufca Jese <bostjan@skufca.si>
Installed-Size: 134 kB
Depends: libc6 (>= 2.14), debconf (>= 0.5) | debconf-2.0
Conflicts: libsnoopy
Replaces: libsnoopy
Homepage: https://github.com/a2o/snoopy
Download-Size: 44.0 kB
APT-Manual-Installed: yes
APT-Sources: https://a2o.github.io/snoopy-packages/repo/debian bullseye/stable amd64 Packages
Description: Snoopy Command Logger is a wrapper around execve() that captures all executed commands by all users and all processes and sends the data to syslog.
 Snoopy Command Logger is a shared library that interposes itself
 between dynamic executables and libc's execve() function.
 Once loaded, programs' calls to execve() are intercepted and logged.
 System administrators may find Snoopy Command Logger useful in tasks
 such as system diagnostics, tracking other administrators' actions
 as well as getting a good 'feel' of what's going on on their system
 (i.e. what CGI scripts are being launched by Apache).