  1. RHEL
  2. RHEL-9803

Binaries forked by rsyslog's omprog option crash when calling mprotect with PROT_EXEC

    • Bug
    • Resolution: Not a Bug
    • CentOS Stream 9
    • rsyslog
    • Normal
    • sst_security_special_projects
    • ssg_security

      What were you trying to do that didn't work?

      I was trying to run rsyslog with the omprog option set to a cpp binary. The cpp binary crash-loops.

      Please provide the package NVR for which bug is seen:

      Since rsyslog-8.2102.0-115.el9 or rsyslog-8.2102.0-114.el9. (8.2102.0-113 was the last working version, but we only pulled 8.2102.0-115 internally)

      How reproducible:

      Quite easy

      Steps to reproduce

      1. Compile a binary that calls mprotect with PROT_READ | PROT_WRITE | PROT_EXEC
      2. Add the following to /etc/rsyslog.conf:

         *.* {
           action(type="omprog"
             name="Program_Logging"
             binary="<binary name>"
             action.reportSuspension="off"
             action.reportSuspensionContinuation="off"
             template="RSYSLOG_TraditionalFileFormat"
           )
         }

      3. Run systemctl restart rsyslog

      Expected results

      The binary specified in the omprog option should run properly.

      Actual results

      The binary specified in the omprog option crash-loops. strace shows it fails with EPERM:

      "mprotect(0x406000, 4096, PROT_EXEC) = -1 EPERM (Operation not permitted)"

            rh-ee-alakatos Attila Lakatos
            ddwsd Shaodian Wang (Inactive)
            Attila Lakatos Attila Lakatos
            SSG Security QE SSG Security QE
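An added diagnostic for step 1 of the reproduction above (example code, not the reporter's binary and not part of rsyslog): it tries the mprotect() transitions named in the report on a fresh page and records which ones the current process may apply. The names probe_mprotect and verdict, and the optional output-file argument, are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Switch a fresh anonymous read/write page to `prot`; returns 0 or the errno. */
int probe_mprotect(int prot)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int err = mprotect(p, len, prot) == 0 ? 0 : errno;
    munmap(p, len);
    return err;
}

/* Short verdict for one probe result. */
const char *verdict(int err)
{
    if (err == 0)
        return "allowed";
    if (err == EPERM || err == EACCES)  /* EPERM is the errno in the strace line */
        return "denied";
    return "error";
}

int main(int argc, char **argv)
{
    static const struct { const char *name; int prot; } cases[] = {
        { "PROT_READ|PROT_WRITE",           PROT_READ | PROT_WRITE },
        { "PROT_EXEC",                      PROT_EXEC },
        { "PROT_READ|PROT_EXEC",            PROT_READ | PROT_EXEC },
        { "PROT_READ|PROT_WRITE|PROT_EXEC", PROT_READ | PROT_WRITE | PROT_EXEC },
    };
    /* Hypothetical convention: optional argv[1] names a file to append results to. */
    FILE *out = argc > 1 ? fopen(argv[1], "a") : NULL;
    if (!out) out = stderr;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = probe_mprotect(cases[i].prot);
        fprintf(out, "mprotect(%s): %s (%s)\n", cases[i].name, verdict(err),
                err ? strerror(err) : "ok");
    }
    fflush(out);
    return 0;
}
```

Run it once from an interactive shell and once as the omprog binary, then compare the two result sets; the program exits after a single pass.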