From mboxrd@z Thu Jan  1 00:00:00 1970
From: George McCollister <george.mccollister@gmail.com>
Subject: [userspace PATCH] Prevent free() of stack buffer with NOLOG format
Date: Mon,  5 Dec 2016 18:01:02 -0600
Message-ID: <20161206000102.18324-1-george.mccollister@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx07.extmail.prod.ext.phx2.redhat.com
	[10.5.110.31])
	by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id uB601frC022719
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO)
	for <linux-audit@redhat.com>; Mon, 5 Dec 2016 19:01:41 -0500
Received: from mail-io0-f193.google.com (mail-io0-f193.google.com
	[209.85.223.193])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 4ADCDC04D29E
	for <linux-audit@redhat.com>; Tue,  6 Dec 2016 00:01:40 +0000 (UTC)
Received: by mail-io0-f193.google.com with SMTP id r94so3106221ioe.1
	for <linux-audit@redhat.com>; Mon, 05 Dec 2016 16:01:40 -0800 (PST)
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

When the NOLOG format is used replace_event_msg() doesn't change
e->reply.message so the message located on the stack is left and later is
free()'d in cleanup_event() resulting in the following:

*** Error in `auditd': free(): invalid pointer: 0x800bef7c ***
======= Backtrace: =========
/lib/libc.so.6(+0x676ba)[0xb752b6ba]
/lib/libc.so.6(+0x6e227)[0xb7532227]
/lib/libc.so.6(+0x6e9e6)[0xb75329e6]
auditd(+0x73df)[0x800a43df]
auditd(+0x4975)[0x800a1975]
auditd(+0x4a9c)[0x800a1a9c]
auditd(main+0x931)[0x800a0c21]
/lib/libc.so.6(__libc_start_main+0xf6)[0xb74dc1a6]
auditd(+0x44c4)[0x800a14c4]
======= Memory map: ========
...

This patch changes the log format to RAW when NOLOG format is detected
so that replace_event_msg() will replace e->reply.message with a message
that can be free()'d by cleanup_event().

Signed-off-by: George McCollister <george.mccollister@gmail.com>
---
 src/auditd-config.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/auditd-config.c b/src/auditd-config.c
index 584f079..bc06b1c 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -839,6 +839,7 @@ static int log_format_parser(struct nv_pair *nv, int line,
 		if (strcasecmp(nv->value, log_formats[i].name) == 0) {
 			config->log_format = log_formats[i].option;
 			if (config->log_format == LF_NOLOG) {
+				config->log_format = LF_RAW;
 				audit_msg(LOG_WARNING,
 				    "The NOLOG option to log_format is deprecated. Please use the write_logs option.");
 				if (config->write_logs != 0)
-- 
2.9.3