| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Apr 2019 12:39:15 -0500
From: Wenwen Wang <wang6495@....edu>
To: Wenwen Wang <wang6495@....edu>
Cc: Paul Moore <paul@...l-moore.com>, Eric Paris <eparis@...hat.com>,
linux-audit@...hat.com (moderated list:AUDIT SUBSYSTEM),
linux-kernel@...r.kernel.org (open list)
Subject: [PATCH] audit: fix a memory leak bug
In audit_rule_change(), audit_data_to_entry() is firstly invoked to
translate the payload data to the kernel's rule representation. In
audit_data_to_entry(), depending on the audit field type, an audit tree may
be created in audit_make_tree(), which eventually invokes kmalloc() to
allocate the tree. Since this tree is a temporary tree, it will be then
freed in the following execution, e.g., audit_add_rule() if the message
type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
temporary tree is not freed.
To fix this issue, free the allocated tree in the default case.
Signed-off-by: Wenwen Wang <wang6495@....edu>
---
kernel/auditfilter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 63f8b3f..70a34db 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1128,6 +1128,8 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
audit_log_rule_change("remove_rule", &entry->rule, !err);
break;
default:
+ if (entry->rule.tree)
+ audit_put_tree(entry->rule.tree);
err = -EINVAL;
WARN_ON(1);
}
--
2.7.4
Powered by blists - more mailing lists