* 4.9 kernel panic in netlink unicast because audit replace passing audit sock as NULL
@ 2018-10-12  2:43 Kassey Li
  2018-10-12  4:15 ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Kassey Li @ 2018-10-12  2:43 UTC (permalink / raw)
  To: paul, Linux-audit


Hi, Paul:
    We got one kernel panic on a 4.9 kernel.

    [16237.397896] [2018:10:09 23:06:55]audit: audit_pid=20802 reset
    [16238.098916] [2018:10:09 23:06:57]Unable to handle kernel NULL pointer dereference at virtual address 00000280

    audit_sock is set to NULL in kauditd_send_skb, but later we access it again in audit_replace, which caused this panic.
    Is there a patch for such a SW issue on the 4.9 kernel?

static int audit_replace(pid_t pid)
{
        struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0,
                                               &pid, sizeof(pid));

        if (!skb)
                return -ENOMEM;
        return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
}



Br
kassey


* Re: 4.9 kernel panic in netlink unicast because audit replace passing audit sock as NULL
  2018-10-12  2:43 4.9 kernel panic in netlink unicast because audit replace passing audit sock as NULL Kassey Li
@ 2018-10-12  4:15 ` Paul Moore
  2018-10-12  7:33   ` Kassey Li
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2018-10-12  4:15 UTC (permalink / raw)
  To: Kassey Li, Linux-audit@redhat.com

On October 11, 2018 10:44:01 PM Kassey Li <kasseyli@outlook.com> wrote:
> Hi, Paul:
>     We got one kernel panic on a 4.9 kernel.
>
>     [16237.397896] [2018:10:09 23:06:55]audit: audit_pid=20802 reset
>     [16238.098916] [2018:10:09 23:06:57]Unable to handle kernel NULL pointer dereference at virtual address 00000280
>
>     audit_sock is set to NULL in kauditd_send_skb, but later we access it again in audit_replace, which caused this panic.
>     Is there a patch for such a SW issue on the 4.9 kernel?
>
> static int audit_replace(pid_t pid)
> {
>         struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0,
>                                                &pid, sizeof(pid));
>
>         if (!skb)
>                 return -ENOMEM;
>         return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
> }

Hi.

Have you been able to reproduce this problem on a recent kernel?  Unfortunately there have been some major changes to that area of the code since v4.9 and it is very likely that we have fixed this issue in the current upstream kernel.

--
paul moore
www.paul-moore.com


* Re: 4.9 kernel panic in netlink unicast because audit replace passing audit sock as NULL
  2018-10-12  4:15 ` Paul Moore
@ 2018-10-12  7:33   ` Kassey Li
  2018-10-13 15:57     ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Kassey Li @ 2018-10-12  7:33 UTC (permalink / raw)
  To: Paul Moore, Linux-audit@redhat.com


Hi, Paul:

It is hard to run an upstream kernel on my hardware.
I checked the kernel log, and we can see that we are trying to send the sock to task 20802, but it was killed already.
Is there any suggestion for patches that we can pick up and backport to 4.9 to try?

[16222.577350] [2018:10:09 23:06:41]init: Service 'logd' (pid 20802) killed by signal 11
[16237.397867] [2018:10:09 23:06:55]audit: netlink_unicast sending to audit_pid=20802 returned error: -111

-000|netlink_unicast(
    |    [X20] ssk = 0x0,
    |    [X21] skb = 0xFFFFFFC0989D5600,
    |    [X24] portid = 20802,
    |    [X19] nonblock = 0)

Kassey Li



* Re: 4.9 kernel panic in netlink unicast because audit replace passing audit sock as NULL
  2018-10-12  7:33   ` Kassey Li
@ 2018-10-13 15:57     ` Paul Moore
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2018-10-13 15:57 UTC (permalink / raw)
  To: kasseyli; +Cc: linux-audit

On Fri, Oct 12, 2018 at 3:33 AM Kassey Li <kasseyli@outlook.com> wrote:
> Hi, Paul:
>
> It is hard to run an upstream kernel on my hardware.
> I checked the kernel log, and we can see that we are trying to send the sock to task 20802, but it was killed already.
> Is there any suggestion for patches that we can pick up and backport to 4.9 to try?

There have been numerous patches which could be applicable to your
problem, starting in v4.10 through v4.15.  Since this is an old kernel
from an upstream community perspective I would suggest reaching out to
your Linux distribution's support channels to see if they can help
you.  If that is not an option, you can see all of the audit patches
from the audit team in the audit kernel repo broken down by release at
the following location:

* git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
* https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

... patches for Linux vX.Y can be found in branches stable-X.Y.

-- 
paul moore
www.paul-moore.com
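
An added illustration, not part of any message in this thread and not kernel code: a single-threaded user-space C model of the sequence reported above, where the sender path clears the shared audit_sock after a failed send and a later replace request must not hand the NULL pointer to the unicast call. The model_* functions, replay_thread_sequence and the struct layout are hypothetical; a real kernel change would also have to synchronize the pointer read with the reset.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct sock { int alive; };                 /* stand-in for the kernel type */

static struct sock daemon_sock;
static struct sock *audit_sock;             /* shared pointer, as in the thread */
static int audit_pid;

/* Stand-in for netlink_unicast(): dereferences ssk without checking it. */
static int model_unicast(struct sock *ssk)
{
    return ssk->alive ? 0 : -ECONNREFUSED;  /* -111 in the posted log */
}

/* Sender path as described in the thread: a failed send forgets the daemon. */
static int model_kauditd_send(void)
{
    int err = model_unicast(audit_sock);
    if (err < 0) {                          /* "audit_pid=20802 reset" */
        audit_pid = 0;
        audit_sock = NULL;
    }
    return err;
}

/* Guarded replace: read the shared pointer once and never pass NULL down. */
static int model_audit_replace_guarded(void)
{
    struct sock *sk = audit_sock;           /* single snapshot of the pointer */
    if (!sk)
        return -ECONNREFUSED;               /* no daemon left to notify */
    return model_unicast(sk);
}

/* Replays the logged order: daemon dies, send fails, then a replace arrives. */
static int replay_thread_sequence(void)
{
    daemon_sock.alive = 1;                  /* constructed starting state */
    audit_sock = &daemon_sock;
    audit_pid = 20802;
    daemon_sock.alive = 0;                  /* logd (pid 20802) killed */
    if (model_kauditd_send() != -ECONNREFUSED)
        return 1;
    return model_audit_replace_guarded();   /* unguarded form faults here */
}

int main(void)
{
    printf("guarded replace returned %d\n", replay_thread_sequence());
    return 0;
}
```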
