[userspace PATCH] Prevent free() of stack buffer with NOLOG format

Steve Grubb sgrubb at redhat.com
Wed Dec 7 14:39:06 UTC 2016


On Tuesday, December 6, 2016 10:55:05 AM EST Steve Grubb wrote:
> On Tuesday, December 6, 2016 7:57:33 AM EST George McCollister wrote:
> > On Mon, Dec 5, 2016 at 6:30 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > > On Monday, December 5, 2016 6:01:02 PM EST George McCollister wrote:
> > >> When the NOLOG format is used replace_event_msg() doesn't change
> > >> e->reply.message so the message located on the stack is left and later
> > >> is free()'d in cleanup_event() resulting in the following:
> > >
> > > Hmm...thanks for reporting this. Which version of audit are you using?
> > 
> > I'm using 2.6.6 but I reproduced the problem and made the change
> > against the HEAD of the master branch (using this mirror
> > https://github.com/linux-audit/audit-userspace).
> 
> OK. Got it. The patch isn't exactly the right fix. While it may hide the
> problem, the intent is that people may want to use the enriched format and
> send logs to a remote collector. By any chance do you know which buffer on
> the stack is getting freed? I'm trying to reproduce this but I thought I'd
> ask if you know where it is since you have already looked into it.

I committed the following patch to fix this:

https://fedorahosted.org/audit/changeset/1421

Thanks for reporting the problem!

-Steve
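
The bug class reported in this thread, as an added example: a message pointer that may refer to either a caller's stack buffer or a heap copy, with an ownership flag deciding whether cleanup may call free(). This is not audit-userspace code and not the content of changeset 1421; `struct event`, `replace_msg()`, `cleanup()`, `run()` and the format names are hypothetical, and the sample record is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical names modelled on the thread's description. */
enum log_format { FMT_RAW, FMT_ENRICHED, FMT_NOLOG };

struct event {
    char *message;    /* borrowed stack buffer or malloc()'d copy */
    int   heap_owned; /* 1 only when message came from malloc() */
};

/* Swap the borrowed message for a formatted heap copy.
 * With FMT_NOLOG nothing is formatted, so the borrowed pointer stays. */
static int replace_msg(struct event *e, enum log_format fmt)
{
    if (fmt == FMT_NOLOG)
        return 0;
    const char *suffix = (fmt == FMT_ENRICHED) ? " ENRICHED" : "";
    char *copy = malloc(strlen(e->message) + strlen(suffix) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, e->message);
    strcat(copy, suffix);
    e->message = copy;
    e->heap_owned = 1;
    return 0;
}

/* Free only memory the event owns. An unconditional free(e->message)
 * here is the defect: on the NOLOG path it would be handed a stack address.
 * Returns 1 if heap memory was released, 0 if the pointer was borrowed. */
static int cleanup(struct event *e)
{
    int freed = e->heap_owned;
    if (freed)
        free(e->message);
    e->message = NULL;
    e->heap_owned = 0;
    return freed;
}

/* Drive one event through replace + cleanup for the given format. */
static int run(enum log_format fmt)
{
    char stack_buf[64] = "type=USER_LOGIN msg=constructed-sample";
    struct event e = { stack_buf, 0 };
    if (replace_msg(&e, fmt) != 0)
        return -1;
    return cleanup(&e);
}

int main(void) { return (run(FMT_NOLOG) == 0 && run(FMT_RAW) == 1) ? 0 : 1; }
```

Building a reproduction with `-fsanitize=address` makes a free() of a non-heap address abort with a report naming the offending pointer, which answers the "which buffer" question directly.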



