From: "Li,Rongqing" <lirongqing@baidu.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>,
"linux-audit@redhat.com" <linux-audit@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: 答复: [PATCH] audit: fix a memleak caused by auditing load module
Date: Wed, 6 Mar 2019 03:23:16 +0000 [thread overview]
Message-ID: <0100abb43ecf4a1fbb4d61364b246767@baidu.com> (raw)
In-Reply-To: <CAHC9VhQaoWM1nuvm_UeX_np_y0QAenQeWE8XWDUVh1oAOsy9XA@mail.gmail.com>
> -----邮件原件-----
> 发件人: Paul Moore [mailto:paul@paul-moore.com]
> 发送时间: 2019年3月5日 22:18
> 收件人: Li,Rongqing <lirongqing@baidu.com>
> 抄送: Eric Paris <eparis@redhat.com>; linux-audit@redhat.com;
> linux-kernel@vger.kernel.org
> 主题: Re: [PATCH] audit: fix a memleak caused by auditing load module
>
> On Tue, Mar 5, 2019 at 6:14 AM Li RongQing <lirongqing@baidu.com> wrote:
> > we should always free context->module.name, since it will be allocated
> > unconditionally and audit_log_start() can fail with other reasons, and
> > audit_log_exit maybe not called
> >
> > unreferenced object 0xffff88af90837d20 (size 8):
> > comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
> > hex dump (first 8 bytes):
> > 69 78 67 62 65 00 ff ff ixgbe...
> > backtrace:
> > [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
> > [<00000000c1491e61>] load_module+0x64f/0x3850
> > [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
> > [<0000000000d4a478>] do_syscall_64+0x117/0x400
> > [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > [<000000007dc331dd>] 0xffffffffffffffff
> >
> > Fixes: ca86cad7380e3 ("audit: log module name on init_module")
> > Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
> > Signed-off-by: Li RongQing <lirongqing@baidu.com>
> > ---
> > kernel/auditsc.c | 22 ++++++++++++++++++++--
> > 1 file changed, 20 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c index
> > b2d1f043f..2bd80375f 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1186,8 +1186,13 @@ static void show_special(struct audit_context
> *context, int *call_panic)
> > int i;
> >
> > ab = audit_log_start(context, GFP_KERNEL, context->type);
> > - if (!ab)
> > + if (!ab) {
> > + if (context->type == AUDIT_KERN_MODULE) {
> > + kfree(context->module.name);
> > + context->module.name = NULL;
> > + }
> > return;
> > + }
>
> Hello.
>
> Thanks for the patch, but I have to ask if you've considered freeing the module
> name in audit_free_context()? That seems like the correct way to solve this
> issue.
>
It does not work that move the freeing of module.name in audit_free_context
Since we should free module.name based on context->types is AUDIT_KERN_MODULE,
but __audit_syscall_exit is called first, and will set context->type to 0,
When audit_free_context is called, context->type is 0, will cause to fail.
I will change this patches as below:
commit ee32ec2354b47a824e5e63d4f46567d577a02824 (HEAD -> master)
Author: Li RongQing <lirongqing@baidu.com>
Date: Tue Mar 5 15:42:09 2019 +0800
audit: fix a memleak caused by auditing load module
module.name will be allocated unconditionally when auditing load
module, and audit_log_start() can fail with other reasons, or
audit_log_exit maybe not called, caused module.name is released
so always free module.name in audit_free_context
unreferenced object 0xffff88af90837d20 (size 8):
comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
hex dump (first 8 bytes):
69 78 67 62 65 00 ff ff ixgbe...
backtrace:
[<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
[<00000000c1491e61>] load_module+0x64f/0x3850
[<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
[<0000000000d4a478>] do_syscall_64+0x117/0x400
[<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<000000007dc331dd>] 0xffffffffffffffff
Fixes: ca86cad7380e3 ("audit: log module name on init_module")
Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f043f..07728b07a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -964,6 +964,9 @@ int audit_alloc(struct task_struct *tsk)
static inline void audit_free_context(struct audit_context *context)
{
+ if (context->type == AUDIT_KERN_MODULE)
+ kfree(context->module.name);
+
audit_free_names(context);
unroll_tree_refs(context, NULL, 0);
free_tree_refs(context);
@@ -1282,6 +1285,8 @@ static void show_special(struct audit_context *context, int *call_panic)
if (context->module.name) {
audit_log_untrustedstring(ab, context->module.name);
kfree(context->module.name);
+ context->module.name = NULL;
+ context->type = 0;
} else
audit_log_format(ab, "(null)");
@@ -1583,6 +1588,11 @@ void __audit_syscall_exit(int success, long return_code)
if (!list_empty(&context->killed_trees))
audit_kill_trees(&context->killed_trees);
+ if (context->type == AUDIT_KERN_MODULE) {
+ kfree(context->module.name);
+ context->module.name = NULL;
+ }
+
audit_free_names(context);
unroll_tree_refs(context, NULL, 0);
audit_free_aux(context);
-RongQing
> -Paul
>
> --
> paul moore
> www.paul-moore.com
prev parent reply other threads:[~2019-03-06 3:23 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-05 11:14 [PATCH] audit: fix a memleak caused by auditing load module Li RongQing
2019-03-05 14:18 ` Paul Moore
2019-03-06 3:23 ` Li,Rongqing [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0100abb43ecf4a1fbb4d61364b246767@baidu.com \
--to=lirongqing@baidu.com \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).