Bug 1622194

Summary: audisp-remote memory leak when using krb5
Product: Red Hat Enterprise Linux 7 Reporter: Rob Rozestraten <admin>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: high Docs Contact:
Priority: medium    
Version: 7.5CC: cww, omoris, pvrabec
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: audit-2.8.5-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:03:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rob Rozestraten 2018-08-24 16:51:33 UTC 
Description of problem:

audisp-remote heap fills up when krb5 is enabled.

[root(rdosogne)@sitea-db3 ~]# ps auwwxf | grep audisp-remot[e]
root     20519  0.9 39.4 26024224 25912716 ?   S<   Jul10 302:16      \_ /sbin/audisp-remote

7f68637e0000-7f6eb0567000 rw-p 00000000 00:00 0                          [heap]
Size:           26424860 kB
Rss:            26222544 kB
Pss:            26222544 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:  26222544 kB
Referenced:     23867740 kB
Anonymous:      26222544 kB
AnonHugePages:  23259136 kB
Swap:             202212 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd


Version-Release number of selected component (if applicable):

2.8.1-3


How reprducible:

Use audisp-remote with krb5 enabled.


Steps to Reproduce:
1. Setup audispd to use audisp-remote
2. Enable krb5 in audisp-remote.conf
3. Make a lot of audit log entries

Actual results:

audisp-remote heap grows forever (reached 27G on a db box within a couple weeks).


Expected results:

audisp-remote heap not growing uncontrollably.


Additional info:

It appears this is happening from etok.value in recv_token not being free'd (audisp/plugins/remote/audisp-remote.c).  Tested patch where we free this in recv_msg_gss (alongside utok.value) with no further leakage.  Heap stayed at a paltry 184K during rigorous logging tests.

Pull request submitted here: https://github.com/linux-audit/audit-userspace/pull/61
Comment 2 Rob Rozestraten 2018-08-24 17:06:15 UTC 
Before (running ~ 15 seconds):

==15473== 2,631,956 bytes in 34,631 blocks are definitely lost in loss record 185 of 185
==15473==    at 0x4C29C23: malloc (vg_replace_malloc.c:299)
==15473==    by 0x10B69F: recv_token (audisp-remote.c:658)
==15473==    by 0x10B86F: recv_msg_gss (audisp-remote.c:1278)
==15473==    by 0x10CBFC: relay_sock_managed (audisp-remote.c:1500)
==15473==    by 0x10D0AE: relay_sock (audisp-remote.c:1559)
==15473==    by 0x10D0AE: relay_event (audisp-remote.c:1580)
==15473==    by 0x10D0AE: send_one (audisp-remote.c:440)
==15473==    by 0x10AE58: main (audisp-remote.c:599)
==15473==
==15473== LEAK SUMMARY:
==15473==    definitely lost: 2,633,044 bytes in 34,640 blocks
==15473==    indirectly lost: 9,934 bytes in 51 blocks
==15473==      possibly lost: 76 bytes in 1 blocks
==15473==    still reachable: 14,290 bytes in 189 blocks
==15473==         suppressed: 0 bytes in 0 blocks

After (running ~ 30 mins):

==24368== LEAK SUMMARY:
==24368==    definitely lost: 1,088 bytes in 9 blocks
==24368==    indirectly lost: 9,934 bytes in 51 blocks
==24368==      possibly lost: 0 bytes in 0 blocks
==24368==    still reachable: 14,311 bytes in 189 blocks
==24368==         suppressed: 0 bytes in 0 blocks
Comment 3 Steve Grubb 2018-08-24 17:41:06 UTC 
Fixed in upstream commit 22f10a1.
Comment 6 Steve Grubb 2019-03-05 18:02:02 UTC 
audit-2.8.5-1.el7 was built to address this issue.
Comment 10 errata-xmlrpc 2019-08-06 13:03:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2191