Rotate log time issue - bro seg fault

Zeek
1

Hi,

We have installed bro 1.3.2(expect the edge ;]) on Ubuntu 7.04 without much hassles, and we are currently practicing on writing the bro script, but during the loading of brolite policy script, the bro crashed with segmentation fault. It goes in this way -

gdb bro
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type “show copying” to see the conditions.
There is absolutely no warranty for GDB. Type “show warranty” for details.
This GDB was configured as “i486-linux-gnu”…
Using host libthread_db library “/lib/tls/i686/cmov/libthread_db.so.1”.

(gdb) run -r …/fl0p-skype-sig.pcap brolite
Starting program: /usr/local/bin/bro -r …/fl0p-skype-sig.pcap brolite

Program received signal SIGSEGV, Segmentation fault.
0x086a67d7 in ?? ()
(gdb) backtrace
#0 0x086a67d7 in ?? ()
#1 0x080de4a7 in BroFile::InstallRotateTimer (this=0x8990480) at File.cc:562
#2 0x080de5f8 in BroFile::Open (this=0x8990480, file=0x891c218) at File.cc:192
#3 0x080df663 in BroFile::Rotate (this=0x8990480) at File.cc:528
#4 0x080f8314 in bro_rotate_file (frame=0x88b1598, BiF_ARGS=0x8a5b5c8) at bro.bif:2393
#5 0x080e8a4d in BuiltinFunc::Call (this=0x8362020, args=0x8a5b5c8, parent=0x88b1598) at Func.cc:467
#6 0x080da56c in CallExpr::Eval (this=0x8a2b3f0, f=0x88b1598) at Expr.cc:4501
#7 0x080c4a5f in AssignExpr::Eval (this=0x8a2b200, f=0x88b1598) at Expr.cc:2562
#8 0x08179cdc in ExprStmt::Exec (this=0x8a2b590, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:395
#9 0x081756c9 in StmtList::Exec (this=0x8a2b020, f=0x88b1598, flow=@0xbff49924) at Stmt.cc:1391
#10 0x080e8e24 in BroFunc::Call (this=0x8a2bc58, args=0x8a5c258, parent=0x88aca08) at Func.cc:324
#11 0x080da56c in CallExpr::Eval (this=0x8a2f820, f=0x88aca08) at Expr.cc:4501
#12 0x08179cdc in ExprStmt::Exec (this=0x8a2f880, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:395
#13 0x081756c9 in StmtList::Exec (this=0x8a2f118, f=0x88aca08, flow=@0xbff49a74) at Stmt.cc:1391
#14 0x080e8e24 in BroFunc::Call (this=0x8a2f8e0, args=0x828d698, parent=0x0) at Func.cc:324
#15 0x080a8cf6 in EventHandler::Call (this=0x8a2f9b0, vl=0x828d698, no_remote=true) at EventHandler.cc:64
#16 0x080dfaf3 in BroFile::CloseCachedFiles () at Event.h:59
#17 0x080501aa in main (argc=553648128, argv=0xbff49eb4) at main.cc:1017

(gdb) frame 1
#2 0x080de4a7 in BroFile::InstallRotateTimer (this=0x837c5f8) at File.cc:562
562 timer_mgr->Add(rotate_timer);
(gdb) frame 2
#3 0x080de5f8 in BroFile::Open (this=0x837c5f8, file=0x837c720) at File.cc:192
192 InstallRotateTimer();
(gdb) frame 3
#4 0x080df663 in BroFile::Rotate (this=0x837c5f8) at File.cc:528
528 Open(newf);
(gdb) frame 4
#5 0x080f8314 in bro_rotate_file (frame=0x84e79e0, BiF_ARGS=0x84e5f10) at bro.bif:2393
2393 RecordVal* info = f->Rotate();

This lead us to believe something wrong with the log rotation(time issue), therefore we tried running bro with this

bro -r fl0p-skype-sig.pcap tcp rotate-logs

Immediately it crashes, and if we disable the log rotation in brolite, everything goes fine. Looking at our pcap file metadata -

capinfos fl0p-skype-sig.pcapFile
name: fl0p-skype-sig.pcap
File type: Wireshark/tcpdump/… - libpcap
Number of packets: 368874
File size: 75144608 bytes
Data size: 69242600 bytes
Capture duration: 3892.835282 seconds
Start time: Sun Sep 9 10:02:58 2007
End time: Sun Sep 9 11:07:51 2007
Data rate: 17787.19 bytes/s
Data rate: 142297.52 bits/s
Average packet size: 187.71 bytes

So this pcap timeline span is around 1 hour, we tune the interval of the log rotation and it may crash in different points and that seems to be the time issue.

Btw, we don’t have such issue when using bro-1.2 on MacOSX, Gentoo and bro-1.3.2 on FreeBSD 6.2.

Thanks.

2

Hi Scott,

Here’s the last part of result in trace

1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:102 event called: rotate_interval(f = ‘file “weird.log” of string’)
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:99 Builtin Function called: bro_is_terminating()
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:99 Function return: T
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:71 function called: RotateLogs::rotate(f = ‘file “weird.log” of s
tring’)
1189307168.792985 /usr/local/stow/bro-1.3.2 /policy/rotate-logs.bro:66 Builtin Function called: rotate_file(f = ‘file “weird.
log” of string’)
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:66 Function return: [old_name= weird.log, new_name=weird.l
og.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 function called: RotateLogs::run_pp(info = ‘[old_name=
weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]’)
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 function called: RotateLogs::build_name(info =
‘[old_name=weird.log, new_name=weird.log.27507.1189307168.792985.tmp, open=1190089477.64701, close=1189307168.79298]’)
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Builtin Function called: strftime(fmt
= ‘%y-%m-%d_%H.%M.%S’, d = ‘1190089477.64701’)
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: 07-09-18_12.24.37
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Builtin Function called: fmt(va_args =
‘%s-%s’, vararg0 = ‘weird.log’, vararg1 = ‘07-09-18_12.24.37’)
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: weird.log-07-09-18_12
.24.37
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:41 Function return: weird.log-07-09-18_12.24.37
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Builtin Function called: fmt(va_args = ‘/bin/m
v %s %s’, vararg0 = 'weird.log.27507.1189307168.792985.tmp ', vararg1 = ‘weird.log-07-09-18_12.24.37’)
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Function return: /bin/mv weird.log.27507.11893
07168.792985.tmp weird.log-07-09-18_12.24.37
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Builtin Function called: system(str = ‘/bin/mv
weird.log.27507.1189307168.792985.tmp weird.log-07-09-18_12.24.37’)
1189307168.792985 /usr/local/stow/bro-1.3.2/policy/rotate-logs.bro:60 Function return: 0

3

#1 0x080de4a7 in BroFile::InstallRotateTimer (this=0x8990480) at File.cc:562
....
#16 0x080dfaf3 in BroFile::CloseCachedFiles () at Event.h:59
#17 0x080501aa in main (argc=553648128, argv=0xbff49eb4) at main.cc:1017

Try the appended and see if it does the trick.

    Vern

Index: main.cc

4

Hi Vern,

The bro-1.3.2. that we installed having the same revision which is 4657 -

head -1 main.cc
// $Id: main.cc 4657 2007-07-24 20:37:07Z vern $

And it seems to be the same.

5

I can't reproduce the problem unfortunately. Can you send me your
trace? (I suppose you didn't change any of the policy scripts, did
you?)

Robin

6

The bro-1.3.2. that we installed having the same revision which is 4657 -

Ah. Then please try this one.

    Vern

Index: File.cc

7

Hi Vern,

The patch works! There’s no more segfault after the patch is applied.

Thanks.