* [PATCH] Fix audispd crash on ARM 32-Bits
@ 2020-12-12  2:10 Javier Tiá
  2020-12-12 19:45 ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Javier Tiá @ 2020-12-12  2:10 UTC (permalink / raw)
  To: linux-audit

On ARM 32-Bits, audispd is crashing. Backtrace:

(gdb) bt
0  0xb6e20958 in __GI_raise (sig=sig@entry=6)
   at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
1  0xb6e21e58 in __GI_abort ()
   at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
2  0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
   fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
   at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
3  0xb6e60108 in malloc_printerr (action=<optimized out>,
   str=0xb6f11354 "double free or corruption (fasttop)", ptr=<optimized out>,
   ar_ptr=<optimized out>)
   at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
4  0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized out>,
   have_lock=<optimized out>)
   at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
5  0x004234b8 in free_pconfig (config=0x43b398)
   at /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513
6  0x00421244 in main (argc=<optimized out>, argv=<optimized out>)
   at /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464

(gdb) f 5
(gdb) p config->path
$2 = 0x43b5f0 ""
(gdb) p config->name
$3 = 0x43b370 "h\264C

Be paranoid and overwrite config->path with zero bytes before doing the
free().
---
 audisp/audispd-pconfig.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c
index a8b7878..a13f681 100644
--- a/audisp/audispd-pconfig.c
+++ b/audisp/audispd-pconfig.c
@@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config)
 		close(config->plug_pipe[0]);
 	if (config->plug_pipe[1] >= 0)
 		close(config->plug_pipe[1]);
+	/* Be paranoid and overwrite config->path with zero bytes before doing the
+	 * free() */
+	memset(config->path, 0, strlen(config->path));
 	free((void *)config->path);
+	config->path = NULL;
 	free((void *)config->name);
 }
 
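Review bot: the added memset(config->path, 0, strlen(config->path)) dereferences config->path with no NULL check, and the same hunk then sets config->path = NULL, so a second free_pconfig() on this config would pass NULL to strlen() instead of reaching free(). The zeroing also does nothing for the reported abort: the allocator's double-free check looks at the pointer being freed, not at the bytes it points to, and a store into a buffer that is freed on the next line is one the compiler is allowed to drop. Suggest removing the memset and keeping only free((void *)config->path); followed by config->path = NULL;, which makes a repeated call a no-op for this field.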
-- 
2.29.2

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] Fix audispd crash on ARM 32-Bits
  2020-12-12  2:10 [PATCH] Fix audispd crash on ARM 32-Bits Javier Tiá
@ 2020-12-12 19:45 ` Steve Grubb
  2020-12-12 20:21   ` Tia, Javier
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2020-12-12 19:45 UTC (permalink / raw)
  To: linux-audit

Hello,

Thanks for the patch. But if it's true that this is against audit-2.4.3, then 
there is a good chance this is fixed by 2.8.5. There were a number of fixes in 
this area that fixed various issues with plugins.

Best Regards,
-Steve

On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
> On ARM 32-Bits, audispd is crashing. Backtrace:
> 
> (gdb) bt
> 0  0xb6e20958 in __GI_raise (sig=sig@entry=6)
>    at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
> 1  0xb6e21e58 in __GI_abort ()
>    at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
> 2  0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
>    fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
>    at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
> 3  0xb6e60108 in malloc_printerr (action=<optimized out>,
>    str=0xb6f11354 "double free or corruption (fasttop)", ptr=<optimized
> out>, ar_ptr=<optimized out>)
>    at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
> 4  0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized out>,
>    have_lock=<optimized out>)
>    at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
> 5  0x004234b8 in free_pconfig (config=0x43b398)
>    at
> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513 6 
> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at
> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464
> 
> (gdb) f 5
> (gdb) p config->path
> $2 = 0x43b5f0 ""
> (gdb) p config->name
> $3 = 0x43b370 "h\264C
> 
> Be paranoid and overwrite config->path with zero bytes before doing the
> free().
> ---
>  audisp/audispd-pconfig.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c
> index a8b7878..a13f681 100644
> --- a/audisp/audispd-pconfig.c
> +++ b/audisp/audispd-pconfig.c
> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config)
>  		close(config->plug_pipe[0]);
>  	if (config->plug_pipe[1] >= 0)
>  		close(config->plug_pipe[1]);
> +	/* Be paranoid and overwrite config->path with zero bytes before doing
> the +	 * free() */
> +	memset(config->path, 0, strlen(config->path));
>  	free((void *)config->path);
> +	config->path = NULL;
>  	free((void *)config->name);
>  }
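Review bot: config->name, on the last free() of the quoted hunk, gets no reset at all, and the context lines close plug_pipe[0] and plug_pipe[1] without setting them back to -1, so a second free_pconfig() on the same config would still free name twice and close both descriptor numbers again. The gdb session in the description prints config->name as a string starting with the bytes 0x68 0xb4 0x43, which read as a little-endian pointer 0x43b468 in the same range as the other heap addresses in the trace (0x43b370, 0x43b398, 0x43b5f0); that is consistent with name having already been freed once before this call. Suggest resetting name and the pipe descriptors the same way as path, and finding the caller that tears this plugin down a second time.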







^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] Fix audispd crash on ARM 32-Bits
  2020-12-12 19:45 ` Steve Grubb
@ 2020-12-12 20:21   ` Tia, Javier
  2020-12-14  4:34     ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Tia, Javier @ 2020-12-12 20:21 UTC (permalink / raw)
  To: Steve Grubb, linux-audit

Hi Steve,

Thank you for your prompt response and for pointing to a solution.

Yes, this patch is applied to audit v2.4.3. It's an embedded device, 
and at the moment, we're unable to upgrade the audit to a higher audit 
version.

If audit v2.4.y were still maintainable, would you accept this patch for 
audit v2.4.y?

-Javier

On 12/12/20 1:45 PM, Steve Grubb wrote:
> Hello,
> 
> Thanks for the patch. But if it's true that this is against audit-2.4.3, then
> there is a good chance this is fixed by 2.8.5. There were a number of fixes in
> this area that fixed various issues with plugins.
> 
> Best Regards,
> -Steve
> 
> On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
>> On ARM 32-Bits, audispd is crashing. Backtrace:
>>
>> (gdb) bt
>> 0  0xb6e20958 in __GI_raise (sig=sig@entry=6)
>>     at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
>> 1  0xb6e21e58 in __GI_abort ()
>>     at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
>> 2  0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
>>     fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
>>     at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
>> 3  0xb6e60108 in malloc_printerr (action=<optimized out>,
>>     str=0xb6f11354 "double free or corruption (fasttop)", ptr=<optimized
>> out>, ar_ptr=<optimized out>)
>>     at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
>> 4  0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized out>,
>>     have_lock=<optimized out>)
>>     at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
>> 5  0x004234b8 in free_pconfig (config=0x43b398)
>>     at
>> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513 6
>> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at
>> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464
>>
>> (gdb) f 5
>> (gdb) p config->path
>> $2 = 0x43b5f0 ""
>> (gdb) p config->name
>> $3 = 0x43b370 "h\264C
>>
>> Be paranoid and overwrite config->path with zero bytes before doing the
>> free().
>> ---
>>   audisp/audispd-pconfig.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c
>> index a8b7878..a13f681 100644
>> --- a/audisp/audispd-pconfig.c
>> +++ b/audisp/audispd-pconfig.c
>> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config)
>>   		close(config->plug_pipe[0]);
>>   	if (config->plug_pipe[1] >= 0)
>>   		close(config->plug_pipe[1]);
>> +	/* Be paranoid and overwrite config->path with zero bytes before doing
>> the +	 * free() */
>> +	memset(config->path, 0, strlen(config->path));
>>   	free((void *)config->path);
>> +	config->path = NULL;
>>   	free((void *)config->name);
>>   }
> 
> 
> 
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] Fix audispd crash on ARM 32-Bits
  2020-12-12 20:21   ` Tia, Javier
@ 2020-12-14  4:34     ` Steve Grubb
  2020-12-16 14:40       ` Tia, Javier
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2020-12-14  4:34 UTC (permalink / raw)
  To: linux-audit, Tia, Javier

On Saturday, December 12, 2020 3:21:25 PM EST Tia, Javier wrote:
> Thank you for your prompt response and for pointing to a solution.
> 
> Yes, this patch is applied to audit v2.4.3. It's an embedded device, 
> and at the moment, we're unable to upgrade the audit to a higher audit 
> version.

That's a shame. But if you have a reproducer, it might be worth seeing if it's 
fixed in 2.8.5 and bisecting back to find the official patch if it were fixed.
 
> If audit v2.4.y were still maintainable, 

It's not

> would you accept this patch for audit v2.4.y?

That depends. You are zeroing out the path and then setting it to NULL. 
Setting the pointer to NULL should be enough. If not, setting the first byte 
to 0 should wipe out the whole string for any string function. But usually 
this kind of fixup is because it gets used again somewhere by accident. That 
would be a plugin lifecycle issue and would be the root cause. The plugin 
lifecycle was reworked sometime after the release you have.

So, my guess (and it's pure speculation without a reproducer) is this covers 
up whatever problem you are seeing. But there may be a deeper issue about a 
plugin not being fully decommissioned. It's a long way to say, I'd look 
deeper as to how this goes wrong.

-Steve

> 
> -Javier
> 
> On 12/12/20 1:45 PM, Steve Grubb wrote:
> 
> > Hello,
> > 
> > Thanks for the patch. But if it's true that this is against audit-2.4.3,
> > then there is a good chance this is fixed by 2.8.5. There were a number
> > of fixes in this area that fixed various issues with plugins.
> > 
> > Best Regards,
> > -Steve
> > 
> > On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
> > 
> >> On ARM 32-Bits, audispd is crashing. Backtrace:
> >>
> >>
> >>
> >> (gdb) bt
> >> 0  0xb6e20958 in __GI_raise (sig=sig@entry=6)
> >> 
> >>     at
> >>     /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
> >>     
> >> 
> >> 1  0xb6e21e58 in __GI_abort ()
> >> 
> >>     at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
> >> 
> >> 2  0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
> >> 
> >>     fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
> >>     at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
> >> 
> >> 3  0xb6e60108 in malloc_printerr (action=<optimized out>,
> >> 
> >>     str=0xb6f11354 "double free or corruption (fasttop)",
> >>     ptr=<optimized
> >> 
> >> out>, ar_ptr=<optimized out>)
> >> 
> >>     at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
> >> 
> >> 4  0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized
> >> out>,
>> 
> >>     have_lock=<optimized out>)
> >>     at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
> >> 
> >> 5  0x004234b8 in free_pconfig (config=0x43b398)
> >> 
> >>     at
> >> 
> >> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513
> >> 6
> >> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at
> >> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464
> >>
> >>
> >>
> >> (gdb) f 5
> >> (gdb) p config->path
> >> $2 = 0x43b5f0 ""
> >> (gdb) p config->name
> >> $3 = 0x43b370 "h\264C
> >>
> >>
> >>
> >> Be paranoid and overwrite config->path with zero bytes before doing the
> >> free().
> >> ---
> >> 
> >>   audisp/audispd-pconfig.c | 4 ++++
> >>   1 file changed, 4 insertions(+)
> >>
> >>
> >>
> >> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c
> >> index a8b7878..a13f681 100644
> >> --- a/audisp/audispd-pconfig.c
> >> +++ b/audisp/audispd-pconfig.c
> >> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config)
> >> 
> >>   		close(config->plug_pipe[0]);
> >>   	
> >>   	if (config->plug_pipe[1] >= 0)
> >>   	
> >>   		close(config->plug_pipe[1]);
> >> 
> >> +	/* Be paranoid and overwrite config->path with zero bytes before
> >> doing
> >> the +	 * free() */
> >> +	memset(config->path, 0, strlen(config->path));
> >> 
> >>   	free((void *)config->path);
> >> 
> >> +	config->path = NULL;
> >> 
> >>   	free((void *)config->name);
> >>   
> >>   }
> > 
> > 
> > 
> > 
> > 







^ permalink raw reply	[flat|nested] 5+ messages in thread
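
The point made in the reply above, as an added example that is not code from the audit project: a teardown that resets every handle after releasing it, so a stray second call is harmless, and that counts its calls so the lifecycle bug behind that second call stays visible. The struct, the function names and the sample path and name are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup(), pipe() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for this example, not audit's plugin_conf_t. */
typedef struct {
    int   plug_pipe[2];
    char *path;
    char *name;
    int   teardowns;   /* example-only: how often conf_free() has run */
} plugin_conf_example_t;

/* Take owned copies of the strings and open the pipe; 0 on success. */
int conf_init(plugin_conf_example_t *c, const char *path, const char *name)
{
    c->teardowns = 0;
    c->path = strdup(path);
    c->name = strdup(name);
    if (c->path && c->name && pipe(c->plug_pipe) == 0)
        return 0;
    free(c->path);  c->path = NULL;
    free(c->name);  c->name = NULL;
    c->plug_pipe[0] = c->plug_pipe[1] = -1;
    return -1;
}

/* Idempotent teardown: each resource is released once and its handle reset,
 * so a repeated call finds -1 / NULL and touches nothing. Returns how many
 * times teardown has run; a value above 1 is the lifecycle bug to chase. */
int conf_free(plugin_conf_example_t *c)
{
    for (int i = 0; i < 2; i++) {
        if (c->plug_pipe[i] >= 0) {
            close(c->plug_pipe[i]);
            c->plug_pipe[i] = -1;   /* the fd number may be reused later */
        }
    }
    free(c->path);  c->path = NULL; /* free(NULL) is a defined no-op */
    free(c->name);  c->name = NULL;
    return ++c->teardowns;
}

int main(void)
{
    plugin_conf_example_t c;
    if (conf_init(&c, "/sbin/example-plugin", "example") != 0) /* constructed */
        return 1;
    conf_free(&c);                                        /* normal shutdown */
    printf("teardown #%d was a no-op\n", conf_free(&c));  /* stray second call */
    return 0;
}
```

Logging the return value whenever it exceeds 1 points at the second caller while the daemon keeps running.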

* Re: [PATCH] Fix audispd crash on ARM 32-Bits
  2020-12-14  4:34     ` Steve Grubb
@ 2020-12-16 14:40       ` Tia, Javier
  0 siblings, 0 replies; 5+ messages in thread
From: Tia, Javier @ 2020-12-16 14:40 UTC (permalink / raw)
  To: Steve Grubb, linux-audit

Hi Steve,

Understood. Thank you for all your comments and suggestions.

-Javier

On 12/13/20 10:34 PM, Steve Grubb wrote:
> On Saturday, December 12, 2020 3:21:25 PM EST Tia, Javier wrote:
>> Thank you for your prompt response and for pointing to a solution.
>>
>> Yes, this patch is applied to audit v2.4.3. It's an embedded device,
>> and at the moment, we're unable to upgrade the audit to a higher audit
>> version.
> 
> That's a shame. But if you have a reproducer, it might be worth seeing if it's
> fixed in 2.8.5 and bisecting back to find the official patch if it were fixed.
>   
>> If audit v2.4.y were still maintainable,
> 
> It's not
> 
>> would you accept this patch for audit v2.4.y?
> 
> That depends. You are zeroing out the path and then setting it to NULL.
> Setting the pointer to NULL should be enough. If not, setting the first byte
> to 0 should wipe out the whole string for any string function. But usually
> this kind of fixup is because it gets used again somewhere by accident. That
> would be a plugin lifecycle issue and would be the root cause. The plugin
> lifecycle was reworked sometime after the release you have.
> 
> So, my guess (and it's pure speculation without a reproducer) is this covers
> up whatever problem you are seeing. But there may be a deeper issue about a
> plugin not being fully decommissioned. It's a long way to say, I'd look
> deeper as to how this goes wrong.
> 
> -Steve
> 
>>
>> -Javier
>>
>> On 12/12/20 1:45 PM, Steve Grubb wrote:
>>
>>> Hello,
>>>
>>> Thanks for the patch. But if it's true that this is against audit-2.4.3,
>>> then there is a good chance this is fixed by 2.8.5. There were a number
>>> of fixes in this area that fixed various issues with plugins.
>>>
>>> Best Regards,
>>> -Steve
>>>
>>> On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
>>>
>>>> On ARM 32-Bits, audispd is crashing. Backtrace:
>>>>
>>>>
>>>>
>>>> (gdb) bt
>>>> 0  0xb6e20958 in __GI_raise (sig=sig@entry=6)
>>>>
>>>>      at
>>>>      /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
>>>>      
>>>>
>>>> 1  0xb6e21e58 in __GI_abort ()
>>>>
>>>>      at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
>>>>
>>>> 2  0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
>>>>
>>>>      fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
>>>>      at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
>>>>
>>>> 3  0xb6e60108 in malloc_printerr (action=<optimized out>,
>>>>
>>>>      str=0xb6f11354 "double free or corruption (fasttop)",
>>>>      ptr=<optimized
>>>>
>>>> out>, ar_ptr=<optimized out>)
>>>>
>>>>      at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
>>>>
>>>> 4  0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized
>>>> out>,
>>>
>>>>      have_lock=<optimized out>)
>>>>      at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
>>>>
>>>> 5  0x004234b8 in free_pconfig (config=0x43b398)
>>>>
>>>>      at
>>>>
>>>> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513
>>>> 6
>>>> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at
>>>> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464
>>>>
>>>>
>>>>
>>>> (gdb) f 5
>>>> (gdb) p config->path
>>>> $2 = 0x43b5f0 ""
>>>> (gdb) p config->name
>>>> $3 = 0x43b370 "h\264C
>>>>
>>>>
>>>>
>>>> Be paranoid and overwrite config->path with zero bytes before doing the
>>>> free().
>>>> ---
>>>>
>>>>    audisp/audispd-pconfig.c | 4 ++++
>>>>    1 file changed, 4 insertions(+)
>>>>
>>>>
>>>>
>>>> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c
>>>> index a8b7878..a13f681 100644
>>>> --- a/audisp/audispd-pconfig.c
>>>> +++ b/audisp/audispd-pconfig.c
>>>> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config)
>>>>
>>>>    		close(config->plug_pipe[0]);
>>>>    	
>>>>    	if (config->plug_pipe[1] >= 0)
>>>>    	
>>>>    		close(config->plug_pipe[1]);
>>>>
>>>> +	/* Be paranoid and overwrite config->path with zero bytes before
>>>> doing
>>>> the +	 * free() */
>>>> +	memset(config->path, 0, strlen(config->path));
>>>>
>>>>    	free((void *)config->path);
>>>>
>>>> +	config->path = NULL;
>>>>
>>>>    	free((void *)config->name);
>>>>    
>>>>    }
>>>
>>>
>>>
>>>
>>>
> 
> 
> 
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread
