* [PATCH] Fix audispd crash on ARM 32-Bits @ 2020-12-12 2:10 Javier Tiá 2020-12-12 19:45 ` Steve Grubb 0 siblings, 1 reply; 5+ messages in thread From: Javier Tiá @ 2020-12-12 2:10 UTC (permalink / raw) To: linux-audit On ARM 32-Bits, audispd is crashing. Backtrace: (gdb) bt 0 0xb6e20958 in __GI_raise (sig=sig@entry=6) at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54 1 0xb6e21e58 in __GI_abort () at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118 2 0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2, fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n") at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175 3 0xb6e60108 in malloc_printerr (action=<optimized out>, str=0xb6f11354 "double free or corruption (fasttop)", ptr=<optimized out>, ar_ptr=<optimized out>) at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007 4 0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized out>, have_lock=<optimized out>) at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868 5 0x004234b8 in free_pconfig (config=0x43b398) at /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513 6 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464 (gdb) f 5 (gdb) p config->path $2 = 0x43b5f0 "" (gdb) p config->name $3 = 0x43b370 "h\264C Be paranoid and overwrite config->path with zero bytes before doing the free(). --- audisp/audispd-pconfig.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c index a8b7878..a13f681 100644 --- a/audisp/audispd-pconfig.c +++ b/audisp/audispd-pconfig.c 
@@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config) close(config->plug_pipe[0]); if (config->plug_pipe[1] >= 0) close(config->plug_pipe[1]); + /* Be paranoid and overwrite config->path with zero bytes before doing the + * free() */ + memset(config->path, 0, strlen(config->path)); free((void *)config->path); + config->path = NULL; free((void *)config->name); } -- 2.29.2 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply related [flat|nested] 5+ messages in thread
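Review bot: the added memset(config->path, 0, strlen(config->path)) dereferences config->path with no NULL check, and the same hunk then sets config->path = NULL, so if free_pconfig() runs a second time on the same struct (which the "double free or corruption (fasttop)" message in the backtrace suggests may be happening) it would fault in strlen() instead of in free(). Guard the memset with if (config->path), or drop it and keep only the NULL assignment, since free(NULL) is a no-op. config->name is freed on the following context line and is not reset, so it keeps the exposure this hunk is meant to remove from config->path; give it the same treatment. The commit message should also say which caller reaches free_pconfig() with an already freed path, because the hunk changes how the second call behaves rather than preventing it.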
* Re: [PATCH] Fix audispd crash on ARM 32-Bits
  2020-12-12  2:10 [PATCH] Fix audispd crash on ARM 32-Bits Javier Tiá
@ 2020-12-12 19:45 ` Steve Grubb
  2020-12-12 20:21   ` Tia, Javier
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2020-12-12 19:45 UTC (permalink / raw)
  To: linux-audit

Hello,

Thanks for the patch. But if it's true that this is against audit-2.4.3, then
there is a good chance this is fixed by 2.8.5. There were a number of fixes in
this area that fixed various issues with plugins.

Best Regards,
-Steve

On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
> On ARM 32-Bits, audispd is crashing. Backtrace:
>
> (gdb) bt
> 0 0xb6e20958 in __GI_raise (sig=sig@entry=6)
> at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
> 1 0xb6e21e58 in __GI_abort ()
> at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
> 2 0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
> fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
> at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
> 3 0xb6e60108 in malloc_printerr (action=<optimized out>,
> str=0xb6f11354 "double free or corruption (fasttop)", ptr=<optimized
> out>, ar_ptr=<optimized out>)
> at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
> 4 0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized out>,
> have_lock=<optimized out>)
> at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
> 5 0x004234b8 in free_pconfig (config=0x43b398)
> at
> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513 6
> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at
> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464
>
> (gdb) f 5
> (gdb) p config->path
> $2 = 0x43b5f0 ""
> (gdb) p config->name
> $3 = 0x43b370 "h\264C
>
> Be paranoid and overwrite config->path with zero bytes before doing the
> free().
> ---
> audisp/audispd-pconfig.c | 4 ++++
> 1 file changed, 4 insertions(+)
> > diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c > index a8b7878..a13f681 100644 > --- a/audisp/audispd-pconfig.c > +++ b/audisp/audispd-pconfig.c > @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config) > close(config->plug_pipe[0]); > if (config->plug_pipe[1] >= 0) > close(config->plug_pipe[1]); > + /* Be paranoid and overwrite config->path with zero bytes before doing > the + * free() */ > + memset(config->path, 0, strlen(config->path)); > free((void *)config->path); > + config->path = NULL; > free((void *)config->name); > } -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Fix audispd crash on ARM 32-Bits
  2020-12-12 19:45 ` Steve Grubb
@ 2020-12-12 20:21   ` Tia, Javier
  2020-12-14  4:34     ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Tia, Javier @ 2020-12-12 20:21 UTC (permalink / raw)
  To: Steve Grubb, linux-audit@redhat.com

Hi Steve,

Thank you for your prompt response and for pointing to a solution.

Yes, this patch is applied to audit v2.4.3. It's an embedded device,
and at the moment, we're unable to upgrade the audit to a higher audit
version.

If audit v2.4.y were still maintainable, would you accept this patch for
audit v2.4.y?

-Javier

On 12/12/20 1:45 PM, Steve Grubb wrote:
> Hello,
>
> Thanks for the patch. But if its true that this is against audit-2.4.3, then
> there is a good chance this is fixed by 2.8.5. There were a number of fixes in
> this area that fixed various issues with plugins.
>
> Best Regards,
> -Steve
>
> On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
>> On ARM 32-Bits, audispd is crashing. Backtrace:
>>
>> (gdb) bt
>> 0 0xb6e20958 in __GI_raise (sig=sig@entry=6)
>> at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
>> 1 0xb6e21e58 in __GI_abort ()
>> at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
>> 2 0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
>> fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
>> at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
>> 3 0xb6e60108 in malloc_printerr (action=<optimized out>,
>> str=0xb6f11354 "double free or corruption (fasttop)", ptr=<optimized
>> out>, ar_ptr=<optimized out>)
>> at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
>> 4 0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized out>,
>> have_lock=<optimized out>)
>> at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
>> 5 0x004234b8 in free_pconfig (config=0x43b398)
>> at
>> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513 6
>> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at
>> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464
>>
>> (gdb) f 5
>> (gdb) p config->path
>> $2 = 0x43b5f0 ""
>> (gdb) p config->name
>> $3 =
0x43b370 "h\264C >> >> Be paranoid and overwrite config->path with zero bytes before doing the >> free(). >> --- >> audisp/audispd-pconfig.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c >> index a8b7878..a13f681 100644 >> --- a/audisp/audispd-pconfig.c >> +++ b/audisp/audispd-pconfig.c >> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config) >> close(config->plug_pipe[0]); >> if (config->plug_pipe[1] >= 0) >> close(config->plug_pipe[1]); >> + /* Be paranoid and overwrite config->path with zero bytes before doing >> the + * free() */ >> + memset(config->path, 0, strlen(config->path)); >> free((void *)config->path); >> + config->path = NULL; >> free((void *)config->name); >> } > > > > -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Fix audispd crash on ARM 32-Bits
  2020-12-12 20:21   ` Tia, Javier
@ 2020-12-14  4:34     ` Steve Grubb
  2020-12-16 14:40       ` Tia, Javier
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2020-12-14 4:34 UTC (permalink / raw)
  To: linux-audit@redhat.com, Tia, Javier

On Saturday, December 12, 2020 3:21:25 PM EST Tia, Javier wrote:
> Thank you for your prompt response and for pointing to a solution.
>
> Yes, this patch it's applied to audit v2.4.3. It's an embedded device,
> and at the moment, we're unable to upgrade the audit to a higher audit
> version.

That's a shame. But if you have a reproducer, it might be worth seeing if it's
fixed in 2.8.5 and bisecting back to find the official patch if it were fixed.

> If audit v2.4.y were still maintainable,

It's not

> would you accept this patch for audit v2.4.y?

That depends. You are zeroing out the path and then setting it to NULL.
Setting the pointer to NULL should be enough. If not, setting the first byte
to 0 should wipe out the whole string for any string function. But usually
this kind of fixup is because it gets used again somewhere by accident. That
would be a plugin lifecycle issue and would be the root cause. The plugin
lifecycle was reworked sometime after the release you have.

So, my guess (and it's pure speculation without a reproducer) is this covers
up whatever problem you are seeing. But there may be a deeper issue about a
plugin not being fully decommissioned. It's a long way to say, I'd look
deeper as to how this goes wrong.

-Steve

>
> -Javier
>
> On 12/12/20 1:45 PM, Steve Grubb wrote:
>
> > Hello,
> >
> > Thanks for the patch. But if its true that this is against audit-2.4.3,
> > then there is a good chance this is fixed by 2.8.5. There were a number
> > of fixes in this area that fixed various issues with plugins.
> >
> > Best Regards,
> > -Steve
> >
> > On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
> >
> >> On ARM 32-Bits, audispd is crashing.
Backtrace: > >> > >> > >> > >> (gdb) bt > >> 0 0xb6e20958 in __GI_raise (sig=sig@entry=6) > >> > >> at > >> /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54 > >> > >> > >> 1 0xb6e21e58 in __GI_abort () > >> > >> at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118 > >> > >> 2 0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2, > >> > >> fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n") > >> at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175 > >> > >> 3 0xb6e60108 in malloc_printerr (action=<optimized out>, > >> > >> str=0xb6f11354 "double free or corruption (fasttop)", > >> ptr=<optimized > >> > >> out>, ar_ptr=<optimized out>) > >> > >> at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007 > >> > >> 4 0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized > >> out>, >> > >> have_lock=<optimized out>) > >> at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868 > >> > >> 5 0x004234b8 in free_pconfig (config=0x43b398) > >> > >> at > >> > >> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513 > >> 6 > >> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at > >> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464 > >> > >> > >> > >> (gdb) f 5 > >> (gdb) p config->path > >> $2 = 0x43b5f0 "" > >> (gdb) p config->name > >> $3 = 0x43b370 "h\264C > >> > >> > >> > >> Be paranoid and overwrite config->path with zero bytes before doing the > >> free(). > >> --- > >> > >> audisp/audispd-pconfig.c | 4 ++++ > >> 1 file changed, 4 insertions(+) > >> > >> > >> > >> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c > >> index a8b7878..a13f681 100644 > >> --- a/audisp/audispd-pconfig.c > >> +++ b/audisp/audispd-pconfig.c 
> >> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config) > >> > >> close(config->plug_pipe[0]); > >> > >> if (config->plug_pipe[1] >= 0) > >> > >> close(config->plug_pipe[1]); > >> > >> + /* Be paranoid and overwrite config->path with zero bytes before > >> doing > >> the + * free() */ > >> + memset(config->path, 0, strlen(config->path)); > >> > >> free((void *)config->path); > >> > >> + config->path = NULL; > >> > >> free((void *)config->name); > >> > >> } > > > > > > > > > > -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 5+ messages in thread
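The reply above separates resetting the pointer from the plugin lifecycle problem that may sit behind the crash. The C program below is an added example, not code from this thread or from the audit sources: demo_conf_t, the allocation tracker and the by-value copy are assumptions chosen to show when free-and-reset is enough and when a stale holder still frees the same memory a second time.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for plugin_conf_t: only the two strings the hunk frees. */
typedef struct { char *path; char *name; } demo_conf_t;

/* Tracker: a second free of the same pointer is counted instead of executed. */
static void *live[8];
static int double_frees;

static char *track_strdup(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (!p) return NULL;
    strcpy(p, s);
    for (int i = 0; i < 8; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                    /* tracker full: hand out nothing untracked */
    return NULL;
}

static void track_free(void *p)
{
    if (!p) return;             /* same contract as free(NULL) */
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;             /* glibc would abort at this point */
}

/* Free-and-reset, as in the last added line of the hunk, for both strings. */
static void demo_free_conf(demo_conf_t *c)
{
    track_free(c->path); c->path = NULL;
    track_free(c->name); c->name = NULL;
}

enum holder { SAME_STRUCT, STALE_COPY, MOVED };
/* Tears a constructed config down twice; returns the double frees detected. */
int teardown_twice(enum holder h)
{
    demo_conf_t c = { track_strdup("/constructed/plugin"), track_strdup("plugin") };
    demo_conf_t node = c;       /* by-value copy keeps the old pointers */
    double_frees = 0;
    if (h == MOVED)
        c.path = c.name = NULL; /* ownership handed to node, c holds nothing */
    demo_free_conf(&c);
    demo_free_conf(h == SAME_STRUCT ? &c : &node);
    return double_frees;
}

int main(void)
{
    printf("%d %d %d\n", teardown_twice(SAME_STRUCT), teardown_twice(STALE_COPY), teardown_twice(MOVED));
    return 0;
}
```

Resetting the pointer covers only a repeated teardown through the same struct; a second holder of the old pointers needs an ownership rule, which is the lifecycle question raised in the reply.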
* Re: [PATCH] Fix audispd crash on ARM 32-Bits
  2020-12-14  4:34     ` Steve Grubb
@ 2020-12-16 14:40       ` Tia, Javier
  0 siblings, 0 replies; 5+ messages in thread
From: Tia, Javier @ 2020-12-16 14:40 UTC (permalink / raw)
  To: Steve Grubb, linux-audit@redhat.com

Hi Steve,

Understood. Thank you for all your comments and suggestions.

-Javier

On 12/13/20 10:34 PM, Steve Grubb wrote:
> On Saturday, December 12, 2020 3:21:25 PM EST Tia, Javier wrote:
>> Thank you for your prompt response and for pointing to a solution.
>>
>> Yes, this patch it's applied to audit v2.4.3. It's an embedded device,
>> and at the moment, we're unable to upgrade the audit to a higher audit
>> version.
>
> That's a shame. But if you have a reproducer, it might be worth seeing if its
> fixed in 2.8.5 and bisecting back to find the official patch if it were fixed.
>
>> If audit v2.4.y were still maintainable,
>
> It's not
>
>> would you accept this patch for audit v2.4.y?
>
> That depends. You are zeroing out the path and then setting it to NULL.
> Setting the pointer to NULL should be enough. If not, setting the first byte
> to 0 should wipe out the whole string for any string function. But usually
> this kind of fixup is because it gets used again somewhere by accident. That
> would be a plugin lifecycle issue and would be the root cause. The plugin
> lifecycle was reworked sometime after the release you have.
>
> So, my guess (and it's pure speculation without a reproducer) is this covers
> up whatever problem you are seeing. But there may be a deeper issue about a
> plugin not being fully decommissioned. It's a long way to say, I'd look
> deeper as to how this goes wrong.
>
> -Steve
>
>>
>> -Javier
>>
>> On 12/12/20 1:45 PM, Steve Grubb wrote:
>>
>>> Hello,
>>>
>>> Thanks for the patch. But if its true that this is against audit-2.4.3,
>>> then there is a good chance this is fixed by 2.8.5. There were a number
>>> of fixes in this area that fixed various issues with plugins.
>>>
>>> Best Regards,
>>> -Steve
>>>
>>> On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
>>>
>>>> On ARM 32-Bits, audispd is crashing.
Backtrace: >>>> >>>> >>>> >>>> (gdb) bt >>>> 0 0xb6e20958 in __GI_raise (sig=sig@entry=6) >>>> >>>> at >>>> /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54 >>>> >>>> >>>> 1 0xb6e21e58 in __GI_abort () >>>> >>>> at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118 >>>> >>>> 2 0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2, >>>> >>>> fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n") >>>> at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175 >>>> >>>> 3 0xb6e60108 in malloc_printerr (action=<optimized out>, >>>> >>>> str=0xb6f11354 "double free or corruption (fasttop)", >>>> ptr=<optimized >>>> >>>> out>, ar_ptr=<optimized out>) >>>> >>>> at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007 >>>> >>>> 4 0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized >>>> out>, >>> >>>> have_lock=<optimized out>) >>>> at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868 >>>> >>>> 5 0x004234b8 in free_pconfig (config=0x43b398) >>>> >>>> at >>>> >>>> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513 >>>> 6 >>>> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at >>>> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464 >>>> >>>> >>>> >>>> (gdb) f 5 >>>> (gdb) p config->path >>>> $2 = 0x43b5f0 "" >>>> (gdb) p config->name >>>> $3 = 0x43b370 "h\264C >>>> >>>> >>>> >>>> Be paranoid and overwrite config->path with zero bytes before doing the >>>> free(). >>>> --- >>>> >>>> audisp/audispd-pconfig.c | 4 ++++ >>>> 1 file changed, 4 insertions(+) >>>> >>>> >>>> >>>> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c >>>> index a8b7878..a13f681 100644 >>>> --- a/audisp/audispd-pconfig.c >>>> +++ b/audisp/audispd-pconfig.c 
>>>> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config) >>>> >>>> close(config->plug_pipe[0]); >>>> >>>> if (config->plug_pipe[1] >= 0) >>>> >>>> close(config->plug_pipe[1]); >>>> >>>> + /* Be paranoid and overwrite config->path with zero bytes before >>>> doing >>>> the + * free() */ >>>> + memset(config->path, 0, strlen(config->path)); >>>> >>>> free((void *)config->path); >>>> >>>> + config->path = NULL; >>>> >>>> free((void *)config->name); >>>> >>>> } >>> >>> >>> >>> >>> > > > > -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 5+ messages in thread