[userspace PATCH] Prevent free() of stack buffer with NOLOG format

Steve Grubb sgrubb at redhat.com
Tue Dec 6 15:55:05 UTC 2016


On Tuesday, December 6, 2016 7:57:33 AM EST George McCollister wrote:
> On Mon, Dec 5, 2016 at 6:30 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > On Monday, December 5, 2016 6:01:02 PM EST George McCollister wrote:
> >> When the NOLOG format is used replace_event_msg() doesn't change
> >> e->reply.message so the message located on the stack is left and later is
> >> free()'d in cleanup_event() resulting in the following:
> > 
> > Hmm...thanks for reporting this. Which version of audit are you using?
> 
> I'm using 2.6.6 but I reproduced the problem and made the change
> against the HEAD of the master branch (using this mirror
> https://github.com/linux-audit/audit-userspace).

OK. Got it. The patch isn't exactly the right fix. While it may hide the 
problem, the intent is that people may want to use the enriched format and 
send logs to a remote collector. By any chance do you know which buffer on the 
stack is getting freed? I'm trying to reproduce this but I thought I'd ask if 
you know where it is since you have already looked into it.

Thanks,
-Steve
