We have been seeing some crash reports on some of our nodes, regarding a tcmalloc error. I was wondering if anyone else has seen this before and if anyone has any suggestions on what the cause might be. We are running Zeek 2.6. Here is an example stderr.log output from one of these crashes:
I experienced the same, I think it might be related to corrupted
temporary files created by workers. An idea I had is that the corrupted
files are read with some wrong value and an allocation depends on it. The
following command solved the problem for me:
cleanup --all
deploy
Regards,
We've seen evidence before that there is a file analyzer freaking out with particular files and attempting to do these very large allocations. Unfortunately we still don't have concrete indications about exactly what is causing the problem. It would be helpful for us if you converted those offsets into symbolic procedure names. You can do it this way (just specify the correct location for your binary)...
The first two showing ??:0 makes sense b/c those are memory addresses. It looks like the PE analyzer might be the culprit but I'm not sure.
Thanks for your help!
Zander Work | Security Analyst | Oregon Research & Teaching Security Operations Center (ORTSOC)
Yep, I knew the first two would look like that. It's ASLR being applied to glibc functions (which is fine and not what I was interested in anyway). It did end up showing what I expected it to. I'll look around a little bit and see if anything makes sense.