In audit_rule_change(), audit_data_to_entry() is first invoked to translate the payload data to the kernel's rule representation. In audit_data_to_entry(), depending on the audit field type, an audit tree may be created in audit_make_tree(), which eventually invokes kmalloc() to allocate the tree. Since this tree is a temporary tree, it will then be freed in the following execution, e.g., audit_add_rule() if the message type is AUDIT_ADD_RULE or audit_del_rule() if the message type is AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor AUDIT_DEL_RULE, i.e., the default case of the switch statement, this temporary tree is not freed.
To fix this issue, free the allocated tree in the default case. Signed-off-by: Wenwen Wang <[email protected]> --- kernel/auditfilter.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 63f8b3f..70a34db 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1128,6 +1128,8 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz) audit_log_rule_change("remove_rule", &entry->rule, !err); break; default: + if (entry->rule.tree) + audit_put_tree(entry->rule.tree); err = -EINVAL; WARN_ON(1); } -- 2.7.4 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
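Review bot: In the default branch, the added audit_put_tree() call releases a tree that an unsupported message type never needed in the first place, so the leak is patched at the point of failure rather than avoided. Since the commit message says audit_data_to_entry() runs before the switch, consider rejecting any type other than AUDIT_ADD_RULE and AUDIT_DEL_RULE before that call, or moving the call into the two valid cases, so the invalid path allocates nothing and needs no cleanup. If the fix stays in the default branch, two things are worth confirming and noting in a short comment: that entry->rule.tree is the only resource audit_data_to_entry() leaves allocated on this path (the hunk frees the tree but not entry itself), and that nothing after the switch touches entry->rule.tree again, because the pointer is left set after the put.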
