[PATCH][v3] audit: fix a memleak caused by auditing load module
Paul Moore
paul at paul-moore.com
Thu Mar 7 20:43:23 UTC 2019
On Wed, Mar 6, 2019 at 8:16 PM Li RongQing <lirongqing at baidu.com> wrote:
>
> module.name will be allocated unconditionally when auditing load
> module, and audit_log_start() can fail with other reasons, or
> audit_log_exit maybe not called, caused module.name is not freed
>
> so free module.name in audit_free_context and __audit_syscall_exit
>
> unreferenced object 0xffff88af90837d20 (size 8):
> comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
> hex dump (first 8 bytes):
> 69 78 67 62 65 00 ff ff ixgbe...
> backtrace:
> [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
> [<00000000c1491e61>] load_module+0x64f/0x3850
> [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
> [<0000000000d4a478>] do_syscall_64+0x117/0x400
> [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [<000000007dc331dd>] 0xffffffffffffffff
>
> Fixes: ca86cad7380e3 ("audit: log module name on init_module")
> Signed-off-by: Zhang Yu <zhangyu31 at baidu.com>
> Signed-off-by: Li RongQing <lirongqing at baidu.com>
> ---
>
> v3-->v2: create a helper and git rid of free from show_special as Paul suggest
> v2-->v1: free module.name always, not check the return of audit_log_start
>
> kernel/auditsc.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
This looks better, thank you. Once the merge window closes we can
merge this into -next.
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b2d1f043f..001056b4c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -881,6 +881,13 @@ static inline void audit_proctitle_free(struct audit_context *context)
> context->proctitle.len = 0;
> }
>
> +static inline void audit_free_module(struct audit_context *context)
> +{
> + if (context->type == AUDIT_KERN_MODULE) {
> + kfree(context->module.name);
> + context->module.name = NULL;
> + }
> +}
> static inline void audit_free_names(struct audit_context *context)
> {
> struct audit_names *n, *next;
> @@ -964,6 +971,7 @@ int audit_alloc(struct task_struct *tsk)
>
> static inline void audit_free_context(struct audit_context *context)
> {
> + audit_free_module(context);
> audit_free_names(context);
> unroll_tree_refs(context, NULL, 0);
> free_tree_refs(context);
> @@ -1281,7 +1289,6 @@ static void show_special(struct audit_context *context, int *call_panic)
> audit_log_format(ab, "name=");
> if (context->module.name) {
> audit_log_untrustedstring(ab, context->module.name);
> - kfree(context->module.name);
> } else
> audit_log_format(ab, "(null)");
>
> @@ -1583,6 +1590,7 @@ void __audit_syscall_exit(int success, long return_code)
> if (!list_empty(&context->killed_trees))
> audit_kill_trees(&context->killed_trees);
>
> + audit_free_module(context);
> audit_free_names(context);
> unroll_tree_refs(context, NULL, 0);
> audit_free_aux(context);
> --
> 2.16.2
>
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list