wazuh
wazuh copied to clipboard
wazuh
Wazuh-Analysisd - Logstats RC
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| X.Y.Z-rev | Wazuh component | Manager/Agent | Packages/Sources | OS version |
There are multiple race conditions related to the use of global variables, corresponding to the general time and the use of the old analsysd statistics, which create the /var/ossec/stat folder. . There seems to be no problems with the use of memory already freed, but there are problems also with the use of semaphores.
1. RC Analysisd rotate and input thread.
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 8 at 0x5555557e1440 by thread T5:
#0 <null> <null> (libtsan.so.0+0x3a05b)
#1 gettime shared/time_op.c:37 (wazuh-analysisd+0x1a2ba5)
#2 ad_input_main analysisd/analysisd.c:1253 (wazuh-analysisd+0x66a1c)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Previous read of size 8 at 0x5555557e1440 by thread T11:
#0 <null> <null> (libtsan.so.0+0x4836b)
#1 w_log_rotate_thread analysisd/analysisd.c:2282 (wazuh-analysisd+0x6b9b0)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global 'c_timespec' of size 16 at 0x5555557e1440 (wazuh-analysisd+0x00000028d440)
Thread T5 (tid=24737, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1067 (wazuh-analysisd+0x65b94)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T11 (tid=24743, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1085 (wazuh-analysisd+0x65d32)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race (/lib/x86_64-linux-gnu/libtsan.so.0+0x3a05b)
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 4 at 0x5555557e1424 by thread T204:
#0 Start_Time analysisd/stats.c:444 (wazuh-analysisd+0x62a91)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Previous read of size 4 at 0x5555557e1424 by thread T11 (mutexes: write M647767746406127840):
#0 w_log_rotate_thread analysisd/analysisd.c:2294 (wazuh-analysisd+0x6baf6)
#1 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global 'thishour' of size 4 at 0x5555557e1424 (wazuh-analysisd+0x00000028d424)
Mutex M647767746406127840 is already destroyed.
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T11 (tid=24743, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1085 (wazuh-analysisd+0x65d32)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:444 in Start_Time
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 4 at 0x5555557e13a8 by thread T205:
#0 Start_Time analysisd/stats.c:440 (wazuh-analysisd+0x62a24)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 4 at 0x5555557e13a8 by thread T204:
#0 Start_Time analysisd/stats.c:440 (wazuh-analysisd+0x62a24)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global '_fired' of size 4 at 0x5555557e13a8 (wazuh-analysisd+0x00000028d3a8)
Thread T205 (tid=24938, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:440 in Start_Time
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 4 at 0x5555557e13a4 by thread T205:
#0 Start_Time analysisd/stats.c:441 (wazuh-analysisd+0x62a3d)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 4 at 0x5555557e13a4 by thread T204:
#0 Start_Time analysisd/stats.c:441 (wazuh-analysisd+0x62a3d)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global '_cignorehour' of size 4 at 0x5555557e13a4 (wazuh-analysisd+0x00000028d3a4)
Thread T205 (tid=24938, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:441 in Start_Time
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 4 at 0x5555557e1420 by thread T205:
#0 Start_Time analysisd/stats.c:443 (wazuh-analysisd+0x62a69)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 4 at 0x5555557e1420 by thread T204:
#0 Start_Time analysisd/stats.c:443 (wazuh-analysisd+0x62a69)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global 'today' of size 4 at 0x5555557e1420 (wazuh-analysisd+0x00000028d420)
Thread T205 (tid=24938, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:443 in Start_Time
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 1 at 0x5555557e142d by thread T205:
#0 <null> <null> (libtsan.so.0+0x4a951)
#1 Start_Time analysisd/stats.c:446 (wazuh-analysisd+0x62b22)
#2 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#3 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#4 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 1 at 0x5555557e142d by thread T204:
#0 <null> <null> (libtsan.so.0+0x4a951)
#1 Start_Time analysisd/stats.c:446 (wazuh-analysisd+0x62b22)
#2 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#3 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#4 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global 'prev_month' of size 4 at 0x5555557e142c (wazuh-analysisd+0x00000028d42d)
Thread T205 (tid=24938, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race (/lib/x86_64-linux-gnu/libtsan.so.0+0x4a951)
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 1 at 0x5555557e142f by thread T205:
#0 Start_Time analysisd/stats.c:447 (wazuh-analysisd+0x62b31)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 1 at 0x5555557e142f by thread T204:
#0 Start_Time analysisd/stats.c:447 (wazuh-analysisd+0x62b31)
#1 Start_Hour analysisd/stats.c:399 (wazuh-analysisd+0x62609)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global 'prev_month' of size 4 at 0x5555557e142c (wazuh-analysisd+0x00000028d42f)
Thread T205 (tid=24938, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:447 in Start_Time
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 8 at 0x5555557e0c60 by thread T205:
#0 <null> <null> (libtsan.so.0+0x614cb)
#1 Start_Hour analysisd/stats.c:402 (wazuh-analysisd+0x62622)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 8 at 0x5555557e0c60 by thread T204:
#0 <null> <null> (libtsan.so.0+0x614cb)
#1 Start_Hour analysisd/stats.c:402 (wazuh-analysisd+0x62622)
#2 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#3 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global '__stats_comment' of size 192 at 0x5555557e0c60 (wazuh-analysisd+0x00000028cc60)
Thread T205 (tid=24938, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race (/lib/x86_64-linux-gnu/libtsan.so.0+0x614cb)
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 4 at 0x5555557e0d20 by thread T205:
#0 Start_Hour analysisd/stats.c:405 (wazuh-analysisd+0x62656)
#1 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 4 at 0x5555557e0d20 by thread T204:
#0 Start_Hour analysisd/stats.c:405 (wazuh-analysisd+0x62656)
#1 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global 'maxdiff' of size 4 at 0x5555557e0d20 (wazuh-analysisd+0x00000028cd20)
Thread T205 (tid=24938, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:405 in Start_Hour
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 4 at 0x5555557e0d24 by thread T206:
#0 Start_Hour analysisd/stats.c:409 (wazuh-analysisd+0x62690)
#1 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 4 at 0x5555557e0d24 by thread T204:
#0 Start_Hour analysisd/stats.c:409 (wazuh-analysisd+0x62690)
#1 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global 'mindiff' of size 4 at 0x5555557e0d24 (wazuh-analysisd+0x00000028cd24)
Thread T206 (tid=24939, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:409 in Start_Hour
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Write of size 4 at 0x5555557df1f0 by thread T205:
#0 Start_Hour analysisd/stats.c:413 (wazuh-analysisd+0x626ca)
#1 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 4 at 0x5555557df1f0 by thread T204:
#0 Start_Hour analysisd/stats.c:413 (wazuh-analysisd+0x626ca)
#1 w_process_event_thread analysisd/analysisd.c:2008 (wazuh-analysisd+0x69ec7)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global 'percent_diff' of size 4 at 0x5555557df1f0 (wazuh-analysisd+0x00000028b1f0)
Thread T205 (tid=24938, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:413 in Start_Hour
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Read of size 4 at 0x5555557e1430 by thread T204 (mutexes: write M648893646312969984):
#0 Check_Hour analysisd/stats.c:231 (wazuh-analysisd+0x60f0b)
#1 w_process_event_thread analysisd/analysisd.c:2070 (wazuh-analysisd+0x6a548)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 4 at 0x5555557e1430 by thread T11:
#0 w_log_rotate_thread analysisd/analysisd.c:2288 (wazuh-analysisd+0x6ba5d)
#1 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global '__crt_hour' of size 4 at 0x5555557e1430 (wazuh-analysisd+0x00000028d430)
Mutex M648893646312969984 is already destroyed.
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T11 (tid=24743, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1085 (wazuh-analysisd+0x65d32)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:231 in Check_Hour
==================
==================
WARNING: ThreadSanitizer: data race (pid=24645)
Read of size 4 at 0x5555557e1434 by thread T204 (mutexes: write M648893646312969984):
#0 Check_Hour analysisd/stats.c:232 (wazuh-analysisd+0x60f89)
#1 w_process_event_thread analysisd/analysisd.c:2070 (wazuh-analysisd+0x6a548)
#2 <null> <null> (libtsan.so.0+0x2e5ff)
Previous write of size 4 at 0x5555557e1434 by thread T11:
#0 w_log_rotate_thread analysisd/analysisd.c:2289 (wazuh-analysisd+0x6ba85)
#1 <null> <null> (libtsan.so.0+0x2e5ff)
Location is global '__crt_wday' of size 4 at 0x5555557e1434 (wazuh-analysisd+0x00000028d434)
Mutex M648893646312969984 is already destroyed.
Thread T204 (tid=24937, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1119 (wazuh-analysisd+0x65f9f)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
Thread T11 (tid=24743, running) created by main thread at:
#0 <null> <null> (libtsan.so.0+0x605b8)
#1 CreateThreadJoinable shared/pthreads_op.c:47 (wazuh-analysisd+0x187732)
#2 CreateThread shared/pthreads_op.c:62 (wazuh-analysisd+0x1877fb)
#3 OS_ReadMSG analysisd/analysisd.c:1085 (wazuh-analysisd+0x65d32)
#4 main analysisd/analysisd.c:898 (wazuh-analysisd+0x65115)
SUMMARY: ThreadSanitizer: data race analysisd/stats.c:232 in Check_Hour
==================
The problem is centered on the logstat system, which uses many global variables shared across multiple features. A total of 12 different race condition (RC) points have been identified.
These variables are mostly tied to log statistics, but may also affect other components. The function responsible is currently untested, which adds to the risk and complexity.
A key question here is whether logstat is still relevant. It's configured via the <stats> tag (according to the manual), a feature inherited from OSSEC. The only documentation reference we found is in the OSSEC manual, page 39, where even upstream contributors mention:
“Note: XXX I actually have no idea what this does, and the description makes no sense.”
This raises the question: are we spending resources maintaining legacy code that isn't even used?
Estimated time to fix or remove: 5 days
Update: Global Variable Access in analysisd – Review of Affected Variables and Behavior
- Added the stats legacy documentation
analysisd.c
thishour
- Used in
LoopRule(),DumpLogstats(), andw_log_rotate_thread()(executed every second). - Updated in
w_log_rotate_thread()only when it differs from__crt_hour. - Initialized in
Start_Time()(also initially set in the main thread but not used). - Represents the current hour (0–23), updated only when the hour changes.
- When updated,
w_log_rotate_thread()callsDumpLogstats(), which logs the statistics and recursively callsLoopRule(). - Although
w_log_rotate_threadis a single thread,w_process_event_thread()also callsStart_Hour(), which callsStart_Time(). This is not a critical race condition since it happens only once.w_log_rotate_thread()eventually corrects the value.
today
- Initialized via
Start_Time()after thread creation, so it may already be overwritten byw_log_rotate_threadorw_process_event_threadcallingStart_Hour(). - Used to set
__crt_dayviaOS_GetLogLocation()during initialization. - Used in the same logic as
thishourinsidew_log_rotate_thread(). - Also updated in
w_log_rotate_thread()and again used inOS_GetLogLocation().
prev_year
- Also initialized via
Start_Time()post-thread creation. May be overwritten early by worker threads. - Passed by value to
OS_GetLogLocation(). - Used and updated in
w_log_rotate_thread()andDumpLogstats().
prev_month
- Same as above: initialized in
Start_Time()post-thread creation. - Used in
DumpLogstats()and updated inw_log_rotate_thread().
__crt_wday
- Initialized and updated inside
w_log_rotate_thread(). - Also used in
Check_Hour()by all rule-matching threads. - Used to check the day an alert was triggered (the
timerule condition) — this occur without mutual exclusion.
__crt_hour
- Read and written in
w_log_rotate_thread(). - Also read by
Check_Hour()
c_timespec
- Initially set at
analysisdstartup. - Updated every time an event is read from the input socket.
- Accessed in
OS_GetLogLocation()andw_log_rotate_thread(). - A macro (
#define c_time c_timespec.tv_sec) is used in:-
OS_RotateLogs()viaOS_GetLogLocation() -
Start_Time() -
w_log_rotate_thread()
-
stats.c
_fired
- Used only in
stats.c. - Set once in
Start_Time()during startup. - Also read in
Check_Hour()by rule-matching threads. - Potentially protected by
process_event_check_hour_mutex, but unclear what exactly is protected.
_cignorehour
- Same behavior and risk as
_fired. - Set in
Start_Time(), used inCheck_Hour().
__stats_comment
- Used in
stats.c, initialized inCheck_Hour()(filled with a formatted string). - Assigned to
lf->full_loginside the critical section ofCheck_Hour()and restored afterward.
maxdiff, mindiff, percent_diff
- Configuration parameters read from
internal_options.conf:
analysisd.stats_maxdiff,analysisd.stats_mindiff,analysisd.stats_percent_diff. - Initialized in
Start_Hour(). - Used in
gethour(), which is called only byCheck_Hour() - Since
Check_Hour()runs in rule-matching threads and requires mutex protection, we suggest disablingConfig.statsby default to better performance after the fix