From mboxrd@z Thu Jan 1 00:00:00 1970 From: Shu Wang Subject: Re: [PATCH] audit: fix memleak in auditd_send_unicast_skb. Date: Tue, 18 Jul 2017 20:10:31 -0400 (EDT) Message-ID: <1092391733.28508271.1500423031067.JavaMail.zimbra@redhat.com> References: <1500359844-27882-1-git-send-email-shuwang@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Paul Moore Cc: Eric Paris , linux-audit@redhat.com, linux-kernel@vger.kernel.org, liwang@redhat.com, chuhu@redhat.com List-Id: linux-audit@redhat.com ----- Original Message ----- > From: "Paul Moore" > To: shuwang@redhat.com > Cc: "Eric Paris" , linux-audit@redhat.com, linux-kernel@vger.kernel.org, liwang@redhat.com, > chuhu@redhat.com > Sent: Tuesday, July 18, 2017 8:21:05 PM > Subject: Re: [PATCH] audit: fix memleak in auditd_send_unicast_skb. > > On Tue, Jul 18, 2017 at 2:37 AM, wrote: > > From: Shu Wang > > > > Found this issue by kmemleak report, auditd_send_unicast_skb > > did not free skb if rcu_dereference(auditd_conn) returns null. > > > > unreferenced object 0xffff88082568ce00 (size 256): > > comm "auditd", pid 1119, jiffies 4294708499 > > backtrace: > > [] kmemleak_alloc+0x4a/0xa0 > > [] kmem_cache_alloc_node+0xcc/0x210 > > [] __alloc_skb+0x5d/0x290 > > [] audit_make_reply+0x54/0xd0 > > [] audit_receive_msg+0x967/0xd70 > > ---------------- > > (gdb) list *audit_receive_msg+0x967 > > 0xffffffff8113dff7 is in audit_receive_msg (kernel/audit.c:1133). > > 1132 skb = audit_make_reply(0, AUDIT_REPLACE, 0, > > 0, &pvnr, sizeof(pvnr)); > > --------------- > > [] audit_receive+0x52/0xa0 > > [] netlink_unicast+0x181/0x240 > > [] netlink_sendmsg+0x2c2/0x3b0 > > [] sock_sendmsg+0x38/0x50 > > [] SYSC_sendto+0x102/0x190 > > [] SyS_sendto+0xe/0x10 > > [] entry_SYSCALL_64_fastpath+0x1a/0xa5 > > [] 0xffffffffffffffff > > > > Signed-off-by: Shu Wang > > --- > > kernel/audit.c | 1 + > > 1 file changed, 1 insertion(+) > > Hello and thank you for the problem report, it is appreciated. This > was also reported by Masami Ichikawa who provided a patch with the > correct fix (your patch does not catch any error conditions from > netlink_unicast()). netlink_unicast has it's error handling, and is responsible for releasing skb. so the Masami Ichikawa's fix may cause double free problems. 1274 int netlink_unicast(struct sock *ssk, struct sk_buff *skb, 1275 >--->--- u32 portid, int nonblock) 1276 { ...... 1285 >---sk = netlink_getsockbyportid(ssk, portid); 1286 >---if (IS_ERR(sk)) { 1287 >--->---kfree_skb(skb); 1288 >--->---return PTR_ERR(sk); 1289 >---} ...... 1293 >---if (sk_filter(sk, skb)) { 1294 >--->---err = skb->len; 1295 >--->---kfree_skb(skb); 1296 >--->---sock_put(sk); 1297 >--->---return err; 1298 >---} > > * https://www.redhat.com/archives/linux-audit/2017-July/msg00073.html > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 833267b..6dd5569 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -641,6 +641,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb) > > ac = rcu_dereference(auditd_conn); > > if (!ac) { > > rcu_read_unlock(); > > + kfree_skb(skb); > > rc = -ECONNREFUSED; > > goto err; > > } > > -- > > 2.5.0 > > -- > paul moore > www.paul-moore.com >