shaft process may segfault and restart on a very rare SMTP flow

Article ID: 275851

Products

Security Analytics

Issue/Introduction

The shaft process indexes the captured packets. In a rare case, an SMTP flow with just the right attachment may cause the shaft process to segfault and restart.

Environment

8.2.7

Cause

This is due to a bug in identifying the SMTP MIME type and any attachments. The symptoms appear in /var/log/messages as:

2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: *** FAULT *** pgm=shaft sig=SEGV addr=0x7ddee0e6c000 code=2 (permission denied)
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV --- begin stack ---
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 00: +0x00084 shaft::sa::sys::crashlog::on_signal(int, siginfo_t*, void*)
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 01: +0x0f5d0 libpthread.so.0::<anon>
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 02: +0x15abbc libc.so.6::<anon>
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 03: +0x2efb2 libqmengine.so.5::<anon>
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 04: +0x2f6e0 libqmengine.so.5::<anon>
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 05: +0x000f0 libqmbundle.so.1::pbe_uevent_add_sz
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 06: +0x58d077 libqmbundle.so.1::<anon>
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 07: +0x191ad9 libqmbundle.so.1::<anon>
2023-10-10T13:04:16+00:00 <hostname> shaft[291400]: SEGV frame 08: +0x192397 libqmbundle.so.1::<anon>
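
To check whether a sensor has logged this crash, the fault line and its stack frames can be grouped per crash and compared with the trace above. The following is an added example, not vendor code: the sample log (hostname `sensor01`, the crond line and the second crash) is constructed, and the matching rule is an assumption drawn from the trace on this page, not a published signature.

```python
import re

# Constructed sample in the /var/log/messages format shown above; "sensor01",
# the crond line and the second crash (pid 301122) are invented for the example.
SAMPLE = """\
2023-10-10T13:04:16+00:00 sensor01 shaft[291400]: *** FAULT *** pgm=shaft sig=SEGV addr=0x7ddee0e6c000 code=2 (permission denied)
2023-10-10T13:04:16+00:00 sensor01 shaft[291400]: SEGV --- begin stack ---
2023-10-10T13:04:16+00:00 sensor01 shaft[291400]: SEGV frame 00: +0x00084 shaft::sa::sys::crashlog::on_signal(int, siginfo_t*, void*)
2023-10-10T13:04:16+00:00 sensor01 shaft[291400]: SEGV frame 03: +0x2efb2 libqmengine.so.5::<anon>
2023-10-10T13:04:16+00:00 sensor01 shaft[291400]: SEGV frame 05: +0x000f0 libqmbundle.so.1::pbe_uevent_add_sz
2023-10-10T13:05:02+00:00 sensor01 crond[1200]: (root) CMD (run-parts /etc/cron.hourly)
2023-10-11T02:10:40+00:00 sensor01 shaft[301122]: *** FAULT *** pgm=shaft sig=SEGV addr=0x10 code=1 (address not mapped)
2023-10-11T02:10:40+00:00 sensor01 shaft[301122]: SEGV frame 00: +0x00084 shaft::sa::sys::crashlog::on_signal(int, siginfo_t*, void*)
2023-10-11T02:10:40+00:00 sensor01 shaft[301122]: SEGV frame 02: +0x15abbc libc.so.6::<anon>
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) shaft\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAULT = re.compile(r"\*\*\* FAULT \*\*\* pgm=shaft sig=(?P<sig>\w+)")
FRAME = re.compile(r"^\w+ frame \d+: \+0x[0-9a-f]+ (?P<lib>[^:\s]+)::(?P<sym>.+)$")

def find_shaft_crashes(lines):
    """Group shaft fault lines and their stack frames into one record per crash."""
    crashes, current = [], {}
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not a shaft log line
        key = (m["host"], m["pid"])
        fault = FAULT.search(m["msg"])
        frame = FRAME.match(m["msg"])
        if fault:  # a FAULT line starts a new record, even if the PID is reused
            current[key] = {"time": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                            "signal": fault["sig"], "frames": []}
            crashes.append(current[key])
        elif frame and key in current:
            current[key]["frames"].append((frame["lib"], frame["sym"]))
    return crashes

def matches_article_trace(crash):
    """Assumed heuristic: SEGV whose stack passes through libqmengine.so.5 and
    libqmbundle.so.1::pbe_uevent_add_sz, as in the trace on this page."""
    libs = {lib for lib, _ in crash["frames"]}
    return (crash["signal"] == "SEGV" and "libqmengine.so.5" in libs
            and ("libqmbundle.so.1", "pbe_uevent_add_sz") in crash["frames"])

if __name__ == "__main__":
    for c in find_shaft_crashes(SAMPLE.splitlines()):
        print(c["time"], c["host"], c["pid"], "matches article trace:", matches_article_trace(c))
```

On a sensor, pass the lines of /var/log/messages to `find_shaft_crashes` instead of `SAMPLE`; a shaft crash that does not match the heuristic may have a different cause than the one described here.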

Resolution

The system will need an "NSR", or patch, installed. The system will reboot as part of the process.

The download and installation instructions are:

  1. Download the nsr827-1 patch from
    1. https://license.soleranetworks.com/upgrades/nsr827-1-55587.55589.zip
    2. Security Analytics download page on Broadcom Support portal
  2. Copy the nsr827-1-55587.55589.zip file to /home/nsr on the sensor
  3. Log in as root
  4. cd /home/nsr
  5. unzip nsr827-1-55587.55589.zip
  6. Review the file named README-nsr827-1-55587.55589.txt for the installation instructions.
  7. There should be no need to remove any previous releases, so step 1 can be skipped.
  8. The system will reboot.