Open Source and information security mailing list archives
Date: Mon, 22 Apr 2019 09:16:13 -0400
From: Richard Guy Briggs <rgb@...hat.com>
To: Wenwen Wang <wang6495@....edu>
Cc: "moderated list:AUDIT SUBSYSTEM" <linux-audit@...hat.com>, open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3] audit: fix a memory leak bug

On 2019-04-19 20:49, Wenwen Wang wrote:
> In audit_rule_change(), audit_data_to_entry() is firstly invoked to
> translate the payload data to the kernel's rule representation. In
> audit_data_to_entry(), depending on the audit field type, an audit tree may
> be created in audit_make_tree(), which eventually invokes kmalloc() to
> allocate the tree. Since this tree is a temporary tree, it will be then
> freed in the following execution, e.g., audit_add_rule() if the message
> type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
> AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
> AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
> temporary tree is not freed.
>
> To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
> or AUDIT_DEL_RULE.
>
> Signed-off-by: Wenwen Wang <wang6495@....edu>

Looks good to me.

Reviewed-by: Richard Guy Briggs <rgb@...hat.com>

> --- > kernel/auditfilter.c | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index 63f8b3f..3ac71c4 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c 
> @@ -1114,22 +1114,24 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz) > int err = 0; > struct audit_entry *entry; > > - entry = audit_data_to_entry(data, datasz); > - if (IS_ERR(entry)) > - return PTR_ERR(entry); > - > switch (type) { > case AUDIT_ADD_RULE: > + entry = audit_data_to_entry(data, datasz); > + if (IS_ERR(entry)) > + return PTR_ERR(entry); > err = audit_add_rule(entry); > audit_log_rule_change("add_rule", &entry->rule, !err); > break; > case AUDIT_DEL_RULE: > + entry = audit_data_to_entry(data, datasz); > + if (IS_ERR(entry)) > + return PTR_ERR(entry); > err = audit_del_rule(entry); > audit_log_rule_change("remove_rule", &entry->rule, !err); > break; > default: > - err = -EINVAL; > WARN_ON(1); > + return -EINVAL; > } > > if (err || type == AUDIT_DEL_RULE) { > -- > 2.7.4 > > -- > Linux-audit mailing list > Linux-audit@...hat.com > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <rgb@...hat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
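Review bot: the audit_data_to_entry() call and its IS_ERR() check are now duplicated verbatim in both the AUDIT_ADD_RULE and AUDIT_DEL_RULE arms of the switch in audit_rule_change(), so any later change to the conversion or its error handling has to be made twice. Consider rejecting an unknown type before the conversion instead (WARN_ON(1) and return -EINVAL up front), which keeps a single audit_data_to_entry() call ahead of the switch and still avoids allocating the temporary tree for a bad type. If the per-arm form is kept, note that entry is now assigned only inside the two case arms, and the following "if (err || type == AUDIT_DEL_RULE)" block is safe only because the default arm returns early; a short comment on that "return -EINVAL;" would keep a future edit from turning it back into a break and reaching the cleanup with entry unset.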