Re: [PATCH] kernel: auditfilter: looping issue, memory leak if has 2 or more AUDIT_FILTERKEYs

[Chen Gang <gang.chen@asianux.com>]

On 2013年04月12日 17:42, Chen Gang wrote:
> On 2013年04月11日 12:10, Chen Gang wrote:
>> On 2013年04月11日 05:19, Eric Paris wrote:
>>> ----- Original Message -----
>>>
>>>>>   b. has an new issue for AUDIT_DIR:
>>>>>        after AUDIT_DIR succeed, it will set rule->tree.
>>>>>        next, the other case fail, then will call audit_free_rule.
>>>>>        but audit_free_rule will not free rule->tree.
>>> Definitely a couple of leaks here...
>>>
>>> I'm seeing leaks on size 8, 64, and 128.
>>>
>>> Al, what do you think?  Should I be calling audit_put_tree() in the error case if entry->tree != NULL?  The audit trees are some of the most complex code in the kernel I think.
>>>
>>>

  I am just testing about it with:

---
while(1)
    auditctl -a exit,always -w /etc -F auid=-1
---

  under fedora 17, we need modify the auditctl source code:
    a. let -w /etc can pass auditctl checking.
    b. let loop infinitely in a process (if process quit, will free mem)
    c. need fix a bug for auditctl (under Fedora 17)
         audit_open may open 2 times.
         when loop infinitely, it will cause resource handle leak.

  I have checked (by insert printf in kernel/auditfilter.c):
    after modify the auditct, the work flow is just what we want to be.
      (will alloc watch, alloc tree, then failure occurs)


  I guess, we need 2-3 days to get a test result.


  welcome any suggestions and completions.

  thanks.



> 
>   it seems, your way is the only executable way (if not change code much).
>   what my original idea is incorrect.
> 
>     we need add related code at failure process area in audit_data_to_entry.
>     and another functions need not add these code (should not add).
>     'watch' also need be processed, since audit_to_watch let ref count = 2.
>       (it just like the function audit_del_rule has done)
> 
>   please help check thanks.
> 
>   :-)
> 
> 
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 81f63f9..f5327ce 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -594,6 +594,10 @@ exit_nofree:
>  	return entry;
>  
>  exit_free:
> +	if (entry->rule.watch)
> +		audit_put_watch(entry->rule.watch); /* matches initial get */
> +	if (entry->rule.tree)
> +		audit_put_tree(entry->rule.tree); /* that's the temporary one */
>  	audit_free_rule(entry);
>  	return ERR_PTR(err);
>  }
> 
> 
> 
>>
>>   can we add it in audit_free_rule ?
>>
>>   maybe like this:
>>
>> @@ -75,6 +75,8 @@ static inline void audit_free_rule(struct audit_entry *e)
>>  	/* some rules don't have associated watches */
>>  	if (erule->watch)
>>  		audit_put_watch(erule->watch);
>> +	if (erule->tree)
>> +		audit_put_tree(erule->tree);
>>  	if (erule->fields)
>>  		for (i = 0; i < erule->field_count; i++) {
>>  			struct audit_field *f = &erule->fields[i];
>>
>>
>>   thanks.
>>
>>   :-)
>>
> 
> 


-- 
Chen Gang

Asianux Corporation