From: Steve Grubb <sgrubb@redhat.com>
To: "linux-audit@redhat.com" <linux-audit@redhat.com>,
"Tia, Javier" <javier.tia@hpe.com>
Subject: Re: [PATCH] Fix audispd crash on ARM 32-Bits
Date: Sun, 13 Dec 2020 23:34:26 -0500
Message-ID: <1770439.tdWV9SEqCh@x2>
In-Reply-To: <f1c0ffd0-fbe0-5233-33e8-059a141ab55b@hpe.com>
On Saturday, December 12, 2020 3:21:25 PM EST Tia, Javier wrote:
> Thank you for your prompt response and for pointing to a solution.
>
> Yes, this patch is applied to audit v2.4.3. It's an embedded device,
> and at the moment, we're unable to upgrade the audit to a higher audit
> version.

That's a shame. But if you have a reproducer, it might be worth seeing if it's
fixed in 2.8.5 and bisecting back to find the official patch if it were fixed.

> If audit v2.4.y were still maintainable,

It's not

> would you accept this patch for audit v2.4.y?

That depends. You are zeroing out the path and then setting it to NULL.
Setting the pointer to NULL should be enough. If not, setting the first byte
to 0 should wipe out the whole string for any string function. But usually
this kind of fixup is because it gets used again somewhere by accident. That
would be a plugin lifecycle issue and would be the root cause. The plugin
lifecycle was reworked sometime after the release you have.

So, my guess (and it's pure speculation without a reproducer) is this covers
up whatever problem you are seeing. But there may be a deeper issue about a
plugin not being fully decommissioned. It's a long way to say, I'd look
deeper as to how this goes wrong.

-Steve

>
> -Javier
>
> On 12/12/20 1:45 PM, Steve Grubb wrote:
>
> > Hello,
> >
> > Thanks for the patch. But if it's true that this is against audit-2.4.3,
> > then there is a good chance this is fixed by 2.8.5. There were a number
> > of fixes in this area that fixed various issues with plugins.
> >
> > Best Regards,
> > -Steve
> >
> > On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
> >
> > >> On ARM 32-Bits, audispd is crashing. Backtrace:
> > >>
> > >> (gdb) bt
> > >> 0 0xb6e20958 in __GI_raise (sig=sig@entry=6)
> > >>     at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
> > >> 1 0xb6e21e58 in __GI_abort ()
> > >>     at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
> > >> 2 0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
> > >>     fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
> > >>     at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
> > >> 3 0xb6e60108 in malloc_printerr (action=<optimized out>,
> > >>     str=0xb6f11354 "double free or corruption (fasttop)", ptr=<optimized out>,
> > >>     ar_ptr=<optimized out>)
> > >>     at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
> > >> 4 0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized out>,
> > >>     have_lock=<optimized out>)
> > >>     at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
> > >> 5 0x004234b8 in free_pconfig (config=0x43b398)
> > >>     at /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513
> > >> 6 0x00421244 in main (argc=<optimized out>, argv=<optimized out>)
> > >>     at /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464
> > >>
> > >> (gdb) f 5
> > >> (gdb) p config->path
> > >> $2 = 0x43b5f0 ""
> > >> (gdb) p config->name
> > >> $3 = 0x43b370 "h\264C
> > >>
> >> Be paranoid and overwrite config->path with zero bytes before doing the
> >> free().
> >> ---
> >>
> >> audisp/audispd-pconfig.c | 4 ++++
> >> 1 file changed, 4 insertions(+)
> >>
> >>
> >>
> >> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c
> >> index a8b7878..a13f681 100644
> >> --- a/audisp/audispd-pconfig.c
> >> +++ b/audisp/audispd-pconfig.c
> >> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config)
> >>
> >> close(config->plug_pipe[0]);
> >>
> >> if (config->plug_pipe[1] >= 0)
> >>
> >> close(config->plug_pipe[1]);
> >>
> >> + /* Be paranoid and overwrite config->path with zero bytes before
> >> doing
> >> the + * free() */
> >> + memset(config->path, 0, strlen(config->path));
> >>
> >> free((void *)config->path);
> >>
> >> + config->path = NULL;
> >>
> >> free((void *)config->name);
> >>
> >> }
> >
> >
> >
> >
> >
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
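
Steve's two points above (resetting the pointer is enough, and a repeated teardown is the thing to go looking for) as an added example; it is not code from the audit project or from either poster. The struct `demo_plugin_conf`, its `teardown_calls` counter and the functions `demo_init` and `demo_free` are hypothetical names, and the path and name strings are constructed sample values.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for a plugin config; models only the fields in the patch. */
typedef struct {
    int plug_pipe[2];
    char *path;
    char *name;
    unsigned teardown_calls;   /* added here to expose lifecycle bugs */
} demo_plugin_conf;

/* Build a config from constructed sample values; no pipes are opened. */
static int demo_init(demo_plugin_conf *c, const char *path, const char *name)
{
    memset(c, 0, sizeof(*c));
    c->plug_pipe[0] = c->plug_pipe[1] = -1;
    c->path = strdup(path);
    c->name = strdup(name);
    return (c->path && c->name) ? 0 : -1;
}

/* Idempotent teardown: each resource is reset after release, so a second
 * call frees nothing. Returns how many times teardown had ALREADY run, so
 * the caller can report a repeat instead of silently absorbing it. */
static unsigned demo_free(demo_plugin_conf *c)
{
    unsigned prior = c->teardown_calls++;
    for (int i = 0; i < 2; i++) {
        if (c->plug_pipe[i] >= 0) {
            close(c->plug_pipe[i]);
            c->plug_pipe[i] = -1;
        }
    }
    free(c->path);  c->path = NULL;   /* free(NULL) is a no-op */
    free(c->name);  c->name = NULL;
    return prior;
}

int main(void)
{
    demo_plugin_conf c;
    if (demo_init(&c, "/sbin/demo-plugin", "demo") != 0) return 1;
    printf("first teardown, prior calls: %u\n", demo_free(&c));
    printf("second teardown, prior calls: %u\n", demo_free(&c));
    return 0;
}
```

A non-zero return from `demo_free` marks the second caller, which is where the lifecycle investigation would start.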