[RFC PATCH] audit: fix a race condition with the auditd tracking code

Paul Moore paul at paul-moore.com
Thu Jun 15 20:47:41 UTC 2017 

On Thu, Jun 15, 2017 at 3:24 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2017-06-15 11:28, Paul Moore wrote:
>> From: Paul Moore <paul at paul-moore.com>
>>
>> Originally reported by Adam and Dusty, it appears we have a small
>> race window in kauditd_thread(), as documented in the Fedora BZ:
>>
>>  * https://bugzilla.redhat.com/show_bug.cgi?id=1459326#c35
>>
>>  "This issue is partly due to the read-copy nature of RCU, and
>>   partly due to how we sync the auditd_connection state across
>>   kauditd_thread and the audit control channel.  The kauditd_thread
>>   thread is always running so it can service the record queues and
>>   emit the multicast messages, if it happens to be just past the
>>   "main_queue" label, but before the "if (sk == NULL || ...)"
>>   if-statement which calls auditd_reset() when the new auditd
>>   connection is registered it could end up resetting the auditd
>>   connection, regardless of if it is valid or not.  This is a rather
>>   small window and the variable nature of multi-core scheduling
>>   explains why this is proving rather difficult to reproduce."
>>
>> The fix is to have functions only call auditd_reset() when they
>> believe that the kernel/auditd connection is still valid, e.g.
>> non-NULL, and to have these callers pass their local copy of the
>> auditd_connection pointer to auditd_reset() where it can be compared
>> with the current connection state before resetting.  If the caller
>> has a stale state tracking pointer then the reset is ignored.
>>
>> We also make a small change to kauditd_thread() so that if the
>> kernel/auditd connection is dead we skip the retry queue and send the
>> records straight to the hold queue.  This is necessary as we used to
>> rely on auditd_reset() to occasionally purge the retry queue but we
>> are going to be calling the reset function much less now and we want
>> to make sure the retry queue doesn't grow unbounded.
>>
>> Reported-by: Adam Williamson <awilliam at redhat.com>
>> Reported-by: Dusty Mabe <dustymabe at redhat.com>
>> Signed-off-by: Paul Moore <paul at paul-moore.com>
>
> This looks reasonable.
> Reviewed-by: Richard Guy Briggs <rgb at redhat.com>

Thanks for the review.  Similar to the other patch, I'll merge this
tomorrow if nothing pops up.

(Yes, it's slightly more complicated than the other patch, but it's a
relatively low risk bug-fix so it warrants merging at this late stage
I think.)

-- 
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list