From: Steve Grubb
Subject: Re: [userspace PATCH] Prevent free() of stack buffer with NOLOG format
Date: Tue, 06 Dec 2016 10:55:05 -0500
Message-ID: <1613616.fOQnUE7urM@x2>
References: <20161206000102.18324-1-george.mccollister@gmail.com> <2296915.lVJQe7gzRf@x2>
To: George McCollister
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, December 6, 2016 7:57:33 AM EST George McCollister wrote:
> On Mon, Dec 5, 2016 at 6:30 PM, Steve Grubb wrote:
> > On Monday, December 5, 2016 6:01:02 PM EST George McCollister wrote:
> >> When the NOLOG format is used replace_event_msg() doesn't change
> >> e->reply.message so the message located on the stack is left and later is
> >
> >> free()'d in cleanup_event() resulting in the following:
> > Hmm...thanks for reporting this. Which version of audit are you using?
>
> I'm using 2.6.6 but I reproduced the problem and made the change
> against the HEAD of the master branch (using this mirror
> https://github.com/linux-audit/audit-userspace).

OK. Got it. The patch isn't exactly the right fix. While it may hide the
problem, the intent is that people may want to use the enriched format and
send logs to a remote collector.

By any chance do you know which buffer on the stack is getting freed? I'm
trying to reproduce this but I thought I'd ask if you know where it is since
you have already looked into it.

Thanks,
-Steve