Statically linked aide segmentation faults when parsing file acls
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
aide (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Won't Fix | Medium | Matthew Ruffell |
Bug Description
[Impact]
The statically linked version of aide will segmentation fault when it attempts to parse acl data attached to files.
Users will see messages in dmesg similar to:
[ 4101.939249] aide[71672]: segfault at 0 ip 00007f3a132f420b sp 00007fffd6355e28 error 4 in libc-2.
[ 4101.939257] Code: 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 8b 05 65 ec 0c 00 48 83 ff 10 74 47 48 83 ff 1a 74 49 48 8b 40 60 <48> 8b 10 48 85 d2 75 12 eb 1b 0f 1f 00 48 8b 50 10 48 83 c0 10 48
or, on Jammy / Noble (if they build a custom statically linked binary):
[ 2427.555747] aide[36174]: segfault at 1c ip 00007fc5552db6a4 sp 00007fffe963f1e0 error 4 in libnss_
[ 2427.555754] Code: 84 00 00 00 00 00 85 c0 74 05 8d 68 ff eb d1 b8 b5 ff ff ff eb df f3 0f 1e fa 48 83 ec 08 48 8d 3d 19 49 04 00 e8 dc f5 ff ff <8b> 80 1c 00 00 00 85 c0 0f 95 c0 48 83 c4 08 c3 66 66 2e 0f 1f 84
On Noble, the gdb call stack is:
Thread 3 "aide" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff77a76c0 (LWP 27840)]
0x00007ffff5f4bad5 in _nss_systemd_
(gdb) bt
#0 0x00007ffff5f4bad5 in _nss_systemd_
#1 0x00007ffff5f4de58 in _nss_systemd_
#2 0x00000000004fce51 in getpwuid_r ()
#3 0x00000000004fc937 in getpwuid ()
#4 0x00000000004a8ab0 in __acl_to_any_text ()
#5 0x0000000000418dfa in acl2line (line=line@
#6 0x000000000041bd09 in get_file_attrs (filename=0x83d930 "/var/log/
at ../src/
#7 0x000000000041406b in file_attrs_worker (arg=<optimized out>) at ../src/
#8 0x00000000004ccaf2 in start_thread ()
#9 0x00000000005087dc in clone3 ()
On Focal it is similar, but uses glibc instead of libnss_systemd.so.2 for getpwuid_r().
Now, getpwuid_r() does a dlopen to load libnss_
Now _nss_systemd_
https:/
static thread_local unsigned _blocked = 0;
_public_ bool _nss_systemd_
return _blocked > 0;
}
As we know, Thread Local Storage is allocated at compile time for statically linked binaries. But since the linker had no knowledge that libnss_systemd.so.2 would be loaded at runtime through dlopen, no TLS was allocated for _blocked, and thus we segmentation fault trying to access it.
Unfortunately, there is no fixing this issue. All users are advised to remove aide and install aide-dynamic instead.
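An added example (not part of the bug report): a small Python triage for the dmesg lines shown above. It decodes the x86 page-fault error code and flags near-NULL user-mode reads by aide; the function names, the 0x1000 window and the third sample line are assumptions made for illustration.

```python
import re

# Kernel line: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <code> in <object>"
SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\s\[]+))?"
)

def decode_error(code):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "page_present": bool(code & 1),        # 0: the page was not mapped
        "write": bool(code & 2),               # 0: the access was a read
        "user_mode": bool(code & 4),           # 1: fault came from user space
        "instruction_fetch": bool(code & 16),
    }

def triage(lines, comm="aide", null_window=0x1000):
    """Return one record per segfault line logged for process name `comm`."""
    hits = []
    for line in lines:
        m = SEGV.search(line)
        if not m or m["comm"] != comm:
            continue
        addr = int(m["addr"], 16)
        err = decode_error(int(m["err"], 16))
        hits.append({
            "pid": int(m["pid"]),
            "addr": addr,
            "object": m["obj"],  # mapped object the faulting ip falls in
            # Signature seen in this report: user-mode read of an unmapped
            # address just above NULL (0 on Focal, 0x1c on Jammy / Noble).
            "near_null_read": addr < null_window and err["user_mode"]
                              and not err["write"] and not err["page_present"],
        })
    return hits

# First two lines are from this report (object names truncated as on the page);
# the third is constructed, for an unrelated process that aide triage must skip.
SAMPLE = [
    "[ 4101.939249] aide[71672]: segfault at 0 ip 00007f3a132f420b sp 00007fffd6355e28 error 4 in libc-2.",
    "[ 2427.555747] aide[36174]: segfault at 1c ip 00007fc5552db6a4 sp 00007fffe963f1e0 error 4 in libnss_",
    "[ 9999.000001] demo[4242]: segfault at 7f0000001000 ip 0000000000401136 sp 00007ffc00000000 error 6 in demo[400000+1000]",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

A hit with `near_null_read` set on a host that still has the static aide package installed matches the crash described here; the object name tells Focal (libc) apart from Jammy / Noble (libnss_systemd).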
[Testcase]
Start a Focal VM.
1) sudo apt install aide acl
2) sudo cp /var/log/kern.log /var/log/
3) sudo setfacl -m u:12345:r /var/log/
4) cat >> aide-custom.conf << EOF
# Configuration Options
database=
database_
gzip_dbout = yes
Checksums = sha256+
database_attrs = Checksums
# Define Rules
PERMS = p+i+u+g+
LOG = >
LOG_PLUS = LOG+ANF+ARF
# Define Include Paths
/var/log/ LOG_PLUS
EOF
5) sudo ./aide -i -c aide-custom.conf
Segmentation fault
If you install aide-dynamic instead, it works fine.
$ sudo apt remove aide
$ sudo apt install aide-dynamic
[Where problems could occur]
Users should see no difference moving from aide to aide-dynamic.
aide-dynamic is default from Jammy onward.
There is no real security difference moving to aide-dynamic.
The scary message shown for aide-dynamic on Focal (quoted below) can be safely ignored; it is not exactly accurate in the first place.
> This package contains a dynamically linked binary and should only be
> used in exceptional circumstances. To avoid exposure to trojaned
> libraries, it is advised to use one of the statically linked binaries.
[Other info]
Upstream was changed to use dynamic linking by default in:
https:/
Upstream bug:
https:/
Upstream bug (same issue):
https:/
Maintainer comment:
https:/
https://<email address hidden>
Upstream Systemd commentary:
https:/
https:/
summary:
- ubuntu 20.04 LTS - aide crashes on initialization
+ Statically linked aide segmentation faults when parsing file acls
Changed in aide (Ubuntu):
status: Confirmed → Fix Released
Changed in aide (Ubuntu Focal):
importance: Undecided → Medium
assignee: nobody → Matthew Ruffell (mruffell)
status: New → Won't Fix
description: updated
tags: added: sts
Status changed to 'Confirmed' because the bug affects multiple users.