On Wed, Mar 6, 2019 at 8:16 PM Li RongQing <lirongqing(a)baidu.com> wrote:
 module.name is allocated unconditionally when auditing a module load,
 but audit_log_start() can fail for other reasons, or audit_log_exit may
 never be called, so module.name is not freed. Free module.name in
 audit_free_context and __audit_syscall_exit instead.
 unreferenced object 0xffff88af90837d20 (size 8):
   comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
   hex dump (first 8 bytes):
     69 78 67 62 65 00 ff ff                          ixgbe...
   backtrace:
     [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
     [<00000000c1491e61>] load_module+0x64f/0x3850
     [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
     [<0000000000d4a478>] do_syscall_64+0x117/0x400
     [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
     [<000000007dc331dd>] 0xffffffffffffffff
 Fixes: ca86cad7380e3 ("audit: log module name on init_module")
 Signed-off-by: Zhang Yu <zhangyu31(a)baidu.com>
 Signed-off-by: Li RongQing <lirongqing(a)baidu.com>
 ---
 v3-->v2: create a helper and git rid of free from show_special as Paul suggest
 v2-->v1: free module.name always, not check the return of audit_log_start
  kernel/auditsc.c | 10 +++++++++-
  1 file changed, 9 insertions(+), 1 deletion(-) 
This looks better, thank you.  Once the merge window closes we can
merge this into -next.
 diff --git a/kernel/auditsc.c b/kernel/auditsc.c
 index b2d1f043f..001056b4c 100644
 --- a/kernel/auditsc.c
 +++ b/kernel/auditsc.c
 @@ -881,6 +881,13 @@ static inline void audit_proctitle_free(struct audit_context
*context)
         context->proctitle.len = 0;
  }
 +static inline void audit_free_module(struct audit_context *context)
 +{
 +       if (context->type == AUDIT_KERN_MODULE) {
 +               kfree(context->module.name);
 +               context->module.name = NULL;
 +       }
 +}
  static inline void audit_free_names(struct audit_context *context)
  {
         struct audit_names *n, *next;
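Review bot: audit_free_module carries no comment explaining why the kfree is gated on context->type, and that guard is the load-bearing part of the helper: the per-type record data in struct audit_context appears to share storage, so without the check this could free a pointer that belongs to a different record type (I could not confirm the union layout from the hunk). A one-line comment above the check would make that explicit, e.g. `/* module.name is only valid for AUDIT_KERN_MODULE; the field aliases other per-type data */`. Resetting module.name to NULL after the kfree is what makes the helper safe to call from both audit_free_context and __audit_syscall_exit, which also deserves a word. The audit_proctitle_free body above starts outside the hunk.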
 @@ -964,6 +971,7 @@ int audit_alloc(struct task_struct *tsk)
  static inline void audit_free_context(struct audit_context *context)
  {
 +       audit_free_module(context);
         audit_free_names(context);
         unroll_tree_refs(context, NULL, 0);
         free_tree_refs(context);
 @@ -1281,7 +1289,6 @@ static void show_special(struct audit_context *context, int
*call_panic)
                 audit_log_format(ab, "name=");
                 if (context->module.name) {
                         audit_log_untrustedstring(ab, context->module.name);
 -                       kfree(context->module.name);
                 } else
                         audit_log_format(ab, "(null)");
 @@ -1583,6 +1590,7 @@ void __audit_syscall_exit(int success, long return_code)
         if (!list_empty(&context->killed_trees))
                 audit_kill_trees(&context->killed_trees);
 +       audit_free_module(context);
         audit_free_names(context);
         unroll_tree_refs(context, NULL, 0);
         audit_free_aux(context);
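Review bot: The audit_free_module call is placed with the other per-syscall frees, which is correct only if audit_log_exit (and so show_special's read of module.name) has already run earlier in __audit_syscall_exit; the function's start is outside the hunk, so that ordering cannot be confirmed from the visible lines. Since show_special no longer frees the name itself, a later reordering that moved this call ahead of audit_log_exit would silently turn the log into "(null)". A comment on the new line such as `/* must follow audit_log_exit(): show_special() reads module.name */` pins the dependency.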
 --
 2.16.2
 
-- 
paul moore
www.paul-moore.com