[PATCH][v3] audit: fix a memleak caused by auditing load module

Thu Mar 7 20:43:23 UTC 2019

On Wed, Mar 6, 2019 at 8:16 PM Li RongQing <lirongqing at baidu.com> wrote:
>
> module.name will be allocated unconditionally when auditing load
> module, and audit_log_start() can fail with other reasons, or
> audit_log_exit maybe not called, caused module.name is not freed
>
> so free module.name in audit_free_context and __audit_syscall_exit
>
> unreferenced object 0xffff88af90837d20 (size 8):
>   comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
>   hex dump (first 8 bytes):
>     69 78 67 62 65 00 ff ff                          ixgbe...
>   backtrace:
>     [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
>     [<00000000c1491e61>] load_module+0x64f/0x3850
>     [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
>     [<0000000000d4a478>] do_syscall_64+0x117/0x400
>     [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>     [<000000007dc331dd>] 0xffffffffffffffff
>
> Fixes: ca86cad7380e3 ("audit: log module name on init_module")
> Signed-off-by: Zhang Yu <zhangyu31 at baidu.com>
> Signed-off-by: Li RongQing <lirongqing at baidu.com>
> ---
>
> v3-->v2: create a helper and git rid of free from show_special as Paul suggest
> v2-->v1: free module.name always, not check the return of audit_log_start
>
>  kernel/auditsc.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)

This looks better, thank you.  Once the merge window closes we can
merge this into -next.

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b2d1f043f..001056b4c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -881,6 +881,13 @@ static inline void audit_proctitle_free(struct audit_context *context)
>         context->proctitle.len = 0;
>  }
>
> +static inline void audit_free_module(struct audit_context *context)
> +{
> +       if (context->type == AUDIT_KERN_MODULE) {
> +               kfree(context->module.name);
> +               context->module.name = NULL;
> +       }
> +}
>  static inline void audit_free_names(struct audit_context *context)
>  {
>         struct audit_names *n, *next;
> @@ -964,6 +971,7 @@ int audit_alloc(struct task_struct *tsk)
>
>  static inline void audit_free_context(struct audit_context *context)
>  {
> +       audit_free_module(context);
>         audit_free_names(context);
>         unroll_tree_refs(context, NULL, 0);
>         free_tree_refs(context);
> @@ -1281,7 +1289,6 @@ static void show_special(struct audit_context *context, int *call_panic)
>                 audit_log_format(ab, "name=");
>                 if (context->module.name) {
>                         audit_log_untrustedstring(ab, context->module.name);
> -                       kfree(context->module.name);
>                 } else
>                         audit_log_format(ab, "(null)");
>
> @@ -1583,6 +1590,7 @@ void __audit_syscall_exit(int success, long return_code)
>         if (!list_empty(&context->killed_trees))
>                 audit_kill_trees(&context->killed_trees);
>
> +       audit_free_module(context);
>         audit_free_names(context);
>         unroll_tree_refs(context, NULL, 0);
>         audit_free_aux(context);
> --
> 2.16.2
>

-- 
paul moore
www.paul-moore.com