答复: [PATCH] audit: fix a memleak caused by auditing load module

From: "Li,Rongqing" <lirongqing@baidu.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>,
	"linux-audit@redhat.com" <linux-audit@redhat.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: 答复: [PATCH] audit: fix a memleak caused by auditing load module
Date: Wed, 6 Mar 2019 03:23:16 +0000	[thread overview]
Message-ID: <0100abb43ecf4a1fbb4d61364b246767@baidu.com> (raw)
In-Reply-To: <CAHC9VhQaoWM1nuvm_UeX_np_y0QAenQeWE8XWDUVh1oAOsy9XA@mail.gmail.com>



> -----邮件原件-----
> 发件人: Paul Moore [mailto:paul@paul-moore.com]
> 发送时间: 2019年3月5日 22:18
> 收件人: Li,Rongqing <lirongqing@baidu.com>
> 抄送: Eric Paris <eparis@redhat.com>; linux-audit@redhat.com;
> linux-kernel@vger.kernel.org
> 主题: Re: [PATCH] audit: fix a memleak caused by auditing load module
> 
> On Tue, Mar 5, 2019 at 6:14 AM Li RongQing <lirongqing@baidu.com> wrote:
> > we should always free context->module.name, since it will be allocated
> > unconditionally and audit_log_start() can fail with other reasons, and
> > audit_log_exit maybe not called
> >
> > unreferenced object 0xffff88af90837d20 (size 8):
> >   comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
> >   hex dump (first 8 bytes):
> >     69 78 67 62 65 00 ff ff                          ixgbe...
> >   backtrace:
> >     [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
> >     [<00000000c1491e61>] load_module+0x64f/0x3850
> >     [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
> >     [<0000000000d4a478>] do_syscall_64+0x117/0x400
> >     [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >     [<000000007dc331dd>] 0xffffffffffffffff
> >
> > Fixes: ca86cad7380e3 ("audit: log module name on init_module")
> > Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
> > Signed-off-by: Li RongQing <lirongqing@baidu.com>
> > ---
> >  kernel/auditsc.c | 22 ++++++++++++++++++++--
> >  1 file changed, 20 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c index
> > b2d1f043f..2bd80375f 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1186,8 +1186,13 @@ static void show_special(struct audit_context
> *context, int *call_panic)
> >         int i;
> >
> >         ab = audit_log_start(context, GFP_KERNEL, context->type);
> > -       if (!ab)
> > +       if (!ab) {
> > +               if (context->type == AUDIT_KERN_MODULE) {
> > +                       kfree(context->module.name);
> > +                       context->module.name = NULL;
> > +               }
> >                 return;
> > +       }
> 
> Hello.
> 
> Thanks for the patch, but I have to ask if you've considered freeing the module
> name in audit_free_context()?  That seems like the correct way to solve this
> issue.
> 

It does not work that move the freeing of module.name in audit_free_context

Since we should free module.name based on context->types is AUDIT_KERN_MODULE, 
but __audit_syscall_exit is called first, and will set context->type to 0,
When audit_free_context is called, context->type is 0, will cause to fail.

I will change this patches as below:

commit ee32ec2354b47a824e5e63d4f46567d577a02824 (HEAD -> master)
Author: Li RongQing <lirongqing@baidu.com>
Date:   Tue Mar 5 15:42:09 2019 +0800

    audit: fix a memleak caused by auditing load module
    
    module.name will be allocated unconditionally when auditing load
    module, and audit_log_start() can fail with other reasons, or
    audit_log_exit maybe not called, caused module.name is released
    
    so always free module.name in audit_free_context
    
    unreferenced object 0xffff88af90837d20 (size 8):
      comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
      hex dump (first 8 bytes):
        69 78 67 62 65 00 ff ff                          ixgbe...
      backtrace:
        [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
        [<00000000c1491e61>] load_module+0x64f/0x3850
        [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
        [<0000000000d4a478>] do_syscall_64+0x117/0x400
        [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [<000000007dc331dd>] 0xffffffffffffffff
    
    Fixes: ca86cad7380e3 ("audit: log module name on init_module")
    Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
    Signed-off-by: Li RongQing <lirongqing@baidu.com>

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f043f..07728b07a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -964,6 +964,9 @@ int audit_alloc(struct task_struct *tsk)
 
 static inline void audit_free_context(struct audit_context *context)
 {
+       if (context->type == AUDIT_KERN_MODULE)
+               kfree(context->module.name);
+
        audit_free_names(context);
        unroll_tree_refs(context, NULL, 0);
        free_tree_refs(context);
@@ -1282,6 +1285,8 @@ static void show_special(struct audit_context *context, int *call_panic)
                if (context->module.name) {
                        audit_log_untrustedstring(ab, context->module.name);
                        kfree(context->module.name);
+                       context->module.name = NULL;
+                       context->type = 0;
                } else
                        audit_log_format(ab, "(null)");
 
@@ -1583,6 +1588,11 @@ void __audit_syscall_exit(int success, long return_code)
        if (!list_empty(&context->killed_trees))
                audit_kill_trees(&context->killed_trees);
 
+       if (context->type == AUDIT_KERN_MODULE) {
+               kfree(context->module.name);
+               context->module.name = NULL;
+       }
+
        audit_free_names(context);
        unroll_tree_refs(context, NULL, 0);
        audit_free_aux(context);


-RongQing 

> -Paul
> 
> --
> paul moore
> www.paul-moore.com
