Re: [PATCH] Fix audispd crash on ARM 32-Bits

Sat, 12 Dec 2020 11:46:14 -0800 

Hello,

Thanks for the patch. But if its true that this is against audit-2.4.3, then 
there is a good chance this is fixed by 2.8.5. There were a number of fixes in 
this area that fixed various issues with plugins.

Best Regards,
-Steve

On Friday, December 11, 2020 9:10:50 PM EST Javier Tiá wrote:
> On ARM 32-Bits, audispd is crashing. Backtrace:
> 
> (gdb) bt
> 0  0xb6e20958 in __GI_raise (sig=sig@entry=6)
>    at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
> 1  0xb6e21e58 in __GI_abort ()
>    at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:118
> 2  0xb6e59d64 in __libc_message (do_abort=do_abort@entry=2,
>    fmt=0xb6f1119c "*** Error in `%s': %s: 0x%s ***\n")
>    at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
> 3  0xb6e60108 in malloc_printerr (action=<optimized out>,
>    str=0xb6f11354 "double free or corruption (fasttop)", ptr=<optimized
> out>, ar_ptr=<optimized out>)
>    at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
> 4  0xb6e60a98 in _int_free (av=0xb6f2d79c <main_arena>, p=<optimized out>,
>    have_lock=<optimized out>)
>    at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
> 5  0x004234b8 in free_pconfig (config=0x43b398)
>    at
> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd-pconfig.c:513 6 
> 0x00421244 in main (argc=<optimized out>, argv=<optimized out>) at
> /usr/src/debug/audit/2.4.3-r8/audit-2.4.3/audisp/audispd.c:464
> 
> (gdb) f 5
> (gdb) p config->path
> $2 = 0x43b5f0 ""
> (gdb) p config->name
> $3 = 0x43b370 "h\264C
> 
> Be paranoid and overwrite config->path with zero bytes before doing the
> free().
> ---
>  audisp/audispd-pconfig.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/audisp/audispd-pconfig.c b/audisp/audispd-pconfig.c
> index a8b7878..a13f681 100644
> --- a/audisp/audispd-pconfig.c
> +++ b/audisp/audispd-pconfig.c
> @@ -510,7 +510,11 @@ void free_pconfig(plugin_conf_t *config)
>               close(config->plug_pipe[0]);
>       if (config->plug_pipe[1] >= 0)
>               close(config->plug_pipe[1]);
> +     /* Be paranoid and overwrite config->path with zero bytes before doing
> the +  * free() */
> +     memset(config->path, 0, strlen(config->path));
>       free((void *)config->path);
> +     config->path = NULL;
>       free((void *)config->name);
>  }





--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to