[PATCH] audit: fix a memleak caused by auditing load module

[PATCH] audit: fix a memleak caused by auditing load module

[Li RongQing]

we should always free context->module.name, since it will be
allocated unconditionally and audit_log_start() can fail with
other reasons, and audit_log_exit maybe not called

unreferenced object 0xffff88af90837d20 (size 8):
  comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
  hex dump (first 8 bytes):
    69 78 67 62 65 00 ff ff                          ixgbe...
  backtrace:
    [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
    [<00000000c1491e61>] load_module+0x64f/0x3850
    [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
    [<0000000000d4a478>] do_syscall_64+0x117/0x400
    [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<000000007dc331dd>] 0xffffffffffffffff

Fixes: ca86cad7380e3 ("audit: log module name on init_module")
Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
 kernel/auditsc.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f043f..2bd80375f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1186,8 +1186,13 @@ static void show_special(struct audit_context *context, int *call_panic)
 	int i;
 
 	ab = audit_log_start(context, GFP_KERNEL, context->type);
-	if (!ab)
+	if (!ab) {
+		if (context->type == AUDIT_KERN_MODULE) {
+			kfree(context->module.name);
+			context->module.name = NULL;
+		}
 		return;
+	}
 
 	switch (context->type) {
 	case AUDIT_SOCKETCALL: {
@@ -1354,8 +1359,15 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 	context->personality = tsk->personality;
 
 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
-	if (!ab)
+
+	if (!ab) {
+		if (context->type == AUDIT_KERN_MODULE) {
+			kfree(context->module.name);
+			context->module.name = NULL;
+		}
 		return;		/* audit_panic has been called */
+	}
+
 	audit_log_format(ab, "arch=%x syscall=%d",
 			 context->arch, context->major);
 	if (context->personality != PER_LINUX)
@@ -1576,6 +1588,12 @@ void __audit_syscall_exit(int success, long return_code)
 
 	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
 		audit_log_exit(context, current);
+	else {
+		if (context->type == AUDIT_KERN_MODULE) {
+			kfree(context->module.name);
+			context->module.name = NULL;
+		}
+	}
 
 	context->in_syscall = 0;
 	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
-- 
2.16.2

Re: [PATCH] audit: fix a memleak caused by auditing load module

[Paul Moore]

On Tue, Mar 5, 2019 at 6:14 AM Li RongQing <lirongqing@baidu.com> wrote:
> we should always free context->module.name, since it will be
> allocated unconditionally and audit_log_start() can fail with
> other reasons, and audit_log_exit maybe not called
>
> unreferenced object 0xffff88af90837d20 (size 8):
>   comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
>   hex dump (first 8 bytes):
>     69 78 67 62 65 00 ff ff                          ixgbe...
>   backtrace:
>     [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
>     [<00000000c1491e61>] load_module+0x64f/0x3850
>     [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
>     [<0000000000d4a478>] do_syscall_64+0x117/0x400
>     [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>     [<000000007dc331dd>] 0xffffffffffffffff
>
> Fixes: ca86cad7380e3 ("audit: log module name on init_module")
> Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> ---
>  kernel/auditsc.c | 22 ++++++++++++++++++++--
>  1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b2d1f043f..2bd80375f 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1186,8 +1186,13 @@ static void show_special(struct audit_context *context, int *call_panic)
>         int i;
>
>         ab = audit_log_start(context, GFP_KERNEL, context->type);
> -       if (!ab)
> +       if (!ab) {
> +               if (context->type == AUDIT_KERN_MODULE) {
> +                       kfree(context->module.name);
> +                       context->module.name = NULL;
> +               }
>                 return;
> +       }

Hello.

Thanks for the patch, but I have to ask if you've considered freeing
the module name in audit_free_context()?  That seems like the correct
way to solve this issue.

-Paul

-- 
paul moore
www.paul-moore.com

答复: [PATCH] audit: fix a memleak caused by auditing load module

[Li,Rongqing]

> -----邮件原件-----
> 发件人: Paul Moore [mailto:paul@paul-moore.com]
> 发送时间: 2019年3月5日 22:18
> 收件人: Li,Rongqing <lirongqing@baidu.com>
> 抄送: Eric Paris <eparis@redhat.com>; linux-audit@redhat.com;
> linux-kernel@vger.kernel.org
> 主题: Re: [PATCH] audit: fix a memleak caused by auditing load module
> 
> On Tue, Mar 5, 2019 at 6:14 AM Li RongQing <lirongqing@baidu.com> wrote:
> > we should always free context->module.name, since it will be allocated
> > unconditionally and audit_log_start() can fail with other reasons, and
> > audit_log_exit maybe not called
> >
> > unreferenced object 0xffff88af90837d20 (size 8):
> >   comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
> >   hex dump (first 8 bytes):
> >     69 78 67 62 65 00 ff ff                          ixgbe...
> >   backtrace:
> >     [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
> >     [<00000000c1491e61>] load_module+0x64f/0x3850
> >     [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
> >     [<0000000000d4a478>] do_syscall_64+0x117/0x400
> >     [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >     [<000000007dc331dd>] 0xffffffffffffffff
> >
> > Fixes: ca86cad7380e3 ("audit: log module name on init_module")
> > Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
> > Signed-off-by: Li RongQing <lirongqing@baidu.com>
> > ---
> >  kernel/auditsc.c | 22 ++++++++++++++++++++--
> >  1 file changed, 20 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c index
> > b2d1f043f..2bd80375f 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1186,8 +1186,13 @@ static void show_special(struct audit_context
> *context, int *call_panic)
> >         int i;
> >
> >         ab = audit_log_start(context, GFP_KERNEL, context->type);
> > -       if (!ab)
> > +       if (!ab) {
> > +               if (context->type == AUDIT_KERN_MODULE) {
> > +                       kfree(context->module.name);
> > +                       context->module.name = NULL;
> > +               }
> >                 return;
> > +       }
> 
> Hello.
> 
> Thanks for the patch, but I have to ask if you've considered freeing the module
> name in audit_free_context()?  That seems like the correct way to solve this
> issue.
> 

It does not work that move the freeing of module.name in audit_free_context

Since we should free module.name based on context->types is AUDIT_KERN_MODULE, 
but __audit_syscall_exit is called first, and will set context->type to 0,
When audit_free_context is called, context->type is 0, will cause to fail.

I will change this patches as below:

commit ee32ec2354b47a824e5e63d4f46567d577a02824 (HEAD -> master)
Author: Li RongQing <lirongqing@baidu.com>
Date:   Tue Mar 5 15:42:09 2019 +0800

    audit: fix a memleak caused by auditing load module
    
    module.name will be allocated unconditionally when auditing load
    module, and audit_log_start() can fail with other reasons, or
    audit_log_exit maybe not called, caused module.name is released
    
    so always free module.name in audit_free_context
    
    unreferenced object 0xffff88af90837d20 (size 8):
      comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
      hex dump (first 8 bytes):
        69 78 67 62 65 00 ff ff                          ixgbe...
      backtrace:
        [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
        [<00000000c1491e61>] load_module+0x64f/0x3850
        [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
        [<0000000000d4a478>] do_syscall_64+0x117/0x400
        [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [<000000007dc331dd>] 0xffffffffffffffff
    
    Fixes: ca86cad7380e3 ("audit: log module name on init_module")
    Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
    Signed-off-by: Li RongQing <lirongqing@baidu.com>

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f043f..07728b07a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -964,6 +964,9 @@ int audit_alloc(struct task_struct *tsk)
 
 static inline void audit_free_context(struct audit_context *context)
 {
+       if (context->type == AUDIT_KERN_MODULE)
+               kfree(context->module.name);
+
        audit_free_names(context);
        unroll_tree_refs(context, NULL, 0);
        free_tree_refs(context);
@@ -1282,6 +1285,8 @@ static void show_special(struct audit_context *context, int *call_panic)
                if (context->module.name) {
                        audit_log_untrustedstring(ab, context->module.name);
                        kfree(context->module.name);
+                       context->module.name = NULL;
+                       context->type = 0;
                } else
                        audit_log_format(ab, "(null)");
 
@@ -1583,6 +1588,11 @@ void __audit_syscall_exit(int success, long return_code)
        if (!list_empty(&context->killed_trees))
                audit_kill_trees(&context->killed_trees);
 
+       if (context->type == AUDIT_KERN_MODULE) {
+               kfree(context->module.name);
+               context->module.name = NULL;
+       }
+
        audit_free_names(context);
        unroll_tree_refs(context, NULL, 0);
        audit_free_aux(context);


-RongQing 

> -Paul
> 
> --
> paul moore
> www.paul-moore.com