lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHC9VhQaoWM1nuvm_UeX_np_y0QAenQeWE8XWDUVh1oAOsy9XA@mail.gmail.com>
Date:   Tue, 5 Mar 2019 09:18:01 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     Li RongQing <lirongqing@...du.com>
Cc:     Eric Paris <eparis@...hat.com>, linux-audit@...hat.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] audit: fix a memleak caused by auditing load module

On Tue, Mar 5, 2019 at 6:14 AM Li RongQing <lirongqing@...du.com> wrote:
> we should always free context->module.name, since it will be
> allocated unconditionally and audit_log_start() can fail with
> other reasons, and audit_log_exit maybe not called
>
> unreferenced object 0xffff88af90837d20 (size 8):
>   comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
>   hex dump (first 8 bytes):
>     69 78 67 62 65 00 ff ff                          ixgbe...
>   backtrace:
>     [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
>     [<00000000c1491e61>] load_module+0x64f/0x3850
>     [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
>     [<0000000000d4a478>] do_syscall_64+0x117/0x400
>     [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>     [<000000007dc331dd>] 0xffffffffffffffff
>
> Fixes: ca86cad7380e3 ("audit: log module name on init_module")
> Signed-off-by: Zhang Yu <zhangyu31@...du.com>
> Signed-off-by: Li RongQing <lirongqing@...du.com>
> ---
>  kernel/auditsc.c | 22 ++++++++++++++++++++--
>  1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b2d1f043f..2bd80375f 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1186,8 +1186,13 @@ static void show_special(struct audit_context *context, int *call_panic)
>         int i;
>
>         ab = audit_log_start(context, GFP_KERNEL, context->type);
> -       if (!ab)
> +       if (!ab) {
> +               if (context->type == AUDIT_KERN_MODULE) {
> +                       kfree(context->module.name);
> +                       context->module.name = NULL;
> +               }
>                 return;
> +       }

Hello.

Thanks for the patch, but I have to ask if you've considered freeing
the module name in audit_free_context()?  That seems like the correct
way to solve this issue.

-Paul

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ