author: Takashi Iwai <tiwai@suse.de> 2019-06-19 15:26:55 +0200
committer: Takashi Iwai <tiwai@suse.de> 2019-06-19 15:26:55 +0200
commit: 20dd9ba7c58bd357bd99bf53d6bbd6adac2d9a19 (patch)
tree: faadd60e656db2e4810cffd9a422170d99bf879d
parent: 3ddf01172af9c7956cef2590dffde1d83a734cae (diff)
audit: fix a memory leak bug (bsc#1051510).
-rw-r--r-- patches.fixes/audit-fix-a-memory-leak-bug.patch 68
-rw-r--r-- series.conf 1
2 files changed, 69 insertions, 0 deletions
diff --git a/patches.fixes/audit-fix-a-memory-leak-bug.patch b/patches.fixes/audit-fix-a-memory-leak-bug.patch
new file mode 100644
index 0000000000..a17fe82c98
--- /dev/null
+++ b/patches.fixes/audit-fix-a-memory-leak-bug.patch
@@ -0,0 +1,68 @@
+From 70c4cf17e445264453bc5323db3e50aa0ac9e81f Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 19 Apr 2019 20:49:29 -0500
+Subject: [PATCH] audit: fix a memory leak bug
+Git-commit: 70c4cf17e445264453bc5323db3e50aa0ac9e81f
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In audit_rule_change(), audit_data_to_entry() is firstly invoked to
+translate the payload data to the kernel's rule representation. In
+audit_data_to_entry(), depending on the audit field type, an audit tree may
+be created in audit_make_tree(), which eventually invokes kmalloc() to
+allocate the tree. Since this tree is a temporary tree, it will be then
+freed in the following execution, e.g., audit_add_rule() if the message
+type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
+AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
+AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
+temporary tree is not freed.
+
+To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
+or AUDIT_DEL_RULE.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ kernel/auditfilter.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index 2c3c2f349b23..1bc6410413e6 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1114,22 +1114,24 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
+ int err = 0;
+ struct audit_entry *entry;
+
+- entry = audit_data_to_entry(data, datasz);
+- if (IS_ERR(entry))
+- return PTR_ERR(entry);
+-
+ switch (type) {
+ case AUDIT_ADD_RULE:
++ entry = audit_data_to_entry(data, datasz);
++ if (IS_ERR(entry))
++ return PTR_ERR(entry);
+ err = audit_add_rule(entry);
+ audit_log_rule_change("add_rule", &entry->rule, !err);
+ break;
+ case AUDIT_DEL_RULE:
++ entry = audit_data_to_entry(data, datasz);
++ if (IS_ERR(entry))
++ return PTR_ERR(entry);
+ err = audit_del_rule(entry);
+ audit_log_rule_change("remove_rule", &entry->rule, !err);
+ break;
+ default:
+- err = -EINVAL;
+ WARN_ON(1);
++ return -EINVAL;
+ }
+
+ if (err || type == AUDIT_DEL_RULE) {
+--
+2.16.4
+
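Review bot: The audit_data_to_entry() call and its IS_ERR() check are now repeated verbatim in both the AUDIT_ADD_RULE and AUDIT_DEL_RULE arms of audit_rule_change(); rejecting an unknown type before the conversion (a check at the top that returns -EINVAL) would keep a single allocation site and close the same leak with less duplication. As written, entry is declared without an initializer, and the cleanup at "if (err || type == AUDIT_DEL_RULE) {" is safe only because the default arm now returns early instead of falling through, so a short comment on that default arm would protect the invariant against a later edit that reintroduces a break. The default arm also keeps WARN_ON(1): if type can ever be derived from the caller's message rather than fixed by the call site, consider WARN_ON_ONCE so the path cannot be used to flood the log.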
diff --git a/series.conf b/series.conf
index c56a3f8b4a..d40dcb5d0b 100644
--- a/series.conf
+++ b/series.conf
@@ -22249,6 +22249,7 @@
patches.fixes/block-fix-use-after-free-on-gendisk.patch
patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch
patches.fixes/audit-fix-a-memleak-caused-by-auditing-load-module.patch
+ patches.fixes/audit-fix-a-memory-leak-bug.patch
patches.fixes/ext4-make-sanity-check-in-mballoc-more-strict.patch
patches.fixes/jbd2-check-superblock-mapped-prior-to-committing.patch
patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
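Review bot: The new entry at line 22252 is placed directly after audit-fix-a-memleak-caused-by-auditing-load-module.patch, which groups it by subsystem, but nothing in this hunk shows whether that position is correct for this region of series.conf. If the region is order-sensitive, confirm the slot matches the upstream position of Git-commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f (Patch-mainline: v5.2-rc1) relative to the neighbouring block, nvme and ext4 patches rather than relying on the filename similarity.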