Bug 160874 - audit: use after free in auditfs_attach_wdata()
Summary: audit: use after free in auditfs_attach_wdata()
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
: ---
Assignee: David Woodhouse
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 113381
Reported: 2005-06-17 21:41 UTC by Steve Grubb
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 2.6.9-16
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-12-08 15:31:50 UTC
Target Upstream Version:
Embargoed:



Description Steve Grubb 2005-06-17 21:41:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
Kernel Oops recorded:

Jun 17 17:09:05 localhost kernel: Unable to handle kernel paging request at virtual address 6b6b6b6b
Jun 17 17:09:05 localhost kernel:  printing eip:
Jun 17 17:09:05 localhost kernel: c0142bb2
Jun 17 17:09:05 localhost kernel: *pde = 00000000
Jun 17 17:09:05 localhost kernel: Oops: 0000 [#1]
Jun 17 17:09:05 localhost kernel: Modules linked in: parport_pc lp parport autofs4 i2c_dev i2c_core ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables dm_mod button battery ac md5 ipv6 uhci_hcd snd_emu10k1 snd_rawmidi snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_seq_device snd_ac97_codec snd_page_alloc snd_util_mem snd_hwdep snd soundcore 3c59x floppy ext3 jbd
Jun 17 17:09:05 localhost kernel: CPU:    0
Jun 17 17:09:05 localhost kernel: EIP:    0060:[<c0142bb2>]    Not tainted VLI
Jun 17 17:09:05 localhost kernel: EFLAGS: 00210202   (2.6.9-11.EL.audit.59)
Jun 17 17:09:05 localhost kernel: EIP is at auditfs_attach_wdata+0x70/0x161
Jun 17 17:09:05 localhost kernel: eax: 00000000   ebx: 6b6b6b6b   ecx: d9caf22c   edx: dff75630
Jun 17 17:09:05 localhost kernel: esi: dff75628   edi: d9caf22c   ebp: dfbcafb0   esp: da209e88
Jun 17 17:09:05 localhost kernel: ds: 007b   es: 007b   ss: 0068
Jun 17 17:09:05 localhost kernel: Process auditctl (pid: 18145, threadinfo=da209000 task=dd5d9990)
Jun 17 17:09:05 localhost kernel: Stack: df8202bc 00000001 ee893408 ddccb804 ee893408 00000001 00000000 c0144da3
Jun 17 17:09:05 localhost kernel:        fffffff5 ee893408 00000001 da209f58 c01755dc fffffff5 ee893408 0024a603
Jun 17 17:09:05 localhost kernel:        da209f58 c0175d9f dc6b3008 dfef5c70 c0156922 00000000 00000101 00000000
Jun 17 17:09:05 localhost kernel: Call Trace:
Jun 17 17:09:05 localhost kernel:  [<c01755dc>] permission+0xf/0x4f
Jun 17 17:09:05 localhost kernel:  [<c0175d9f>] link_path_walk+0x12c/0xd98
Jun 17 17:09:05 localhost kernel:  [<c0156922>] handle_mm_fault+0xd5/0x1fd
Jun 17 17:09:05 localhost kernel:  [<c0176c85>] path_lookup+0xfe/0x12c
Jun 17 17:09:05 localhost kernel:  [<c0177376>] open_namei+0x99/0x57e
Jun 17 17:09:05 localhost kernel:  [<c0165b09>] filp_open+0x23/0x3c
Jun 17 17:09:05 localhost kernel:  [<c0305ac8>] __cond_resched+0x14/0x3b
Jun 17 17:09:05 localhost kernel:  [<c01ddf32>] direct_strncpy_from_user+0x3e/0x5d
Jun 17 17:09:05 localhost kernel:  [<c0165fe0>] sys_open+0x31/0x7d
Jun 17 17:09:05 localhost kernel:  [<c0307323>] syscall_call+0x7/0xb
Jun 17 17:09:05 localhost kernel: Code: 7d 34 00 75 19 8b 03 b9 98 59 35 c0 89 ea e8 83 ec ff ff 85 c0 74 07 c7 45 34 01 00 00 00 c7 46 08 00 00 00 00 8b 1f 85 db 74 60 <8b> 03 0f 18 00 90 8d 43 ec ba d0 00 00 00 89 04 24 a1 84 60 35
Jun 17 17:09:05 localhost kernel:  <0>Fatal exception: panic in 5 seconds
Jun 17 17:09:05 localhost kernel: Slab corruption: start=df8202bc, len=48
Jun 17 17:09:05 localhost kernel: Redzone: 0x5a2cf071/0x5a2cf071.
Jun 17 17:09:05 localhost kernel: Last user: [<c014447b>](audit_remove_watch+0x153/0x4a6)
Jun 17 17:09:05 localhost kernel: 000: 6c 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 17 17:09:05 localhost kernel: Prev obj: start=df820280, len=48
Jun 17 17:09:05 localhost kernel: Redzone: 0x5a2cf071/0x5a2cf071.
Jun 17 17:09:05 localhost kernel: Last user: [<c014447b>](audit_remove_watch+0x153/0x4a6)
Jun 17 17:09:05 localhost kernel: 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 17 17:09:05 localhost kernel: 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 17 17:09:05 localhost kernel: Next obj: start=df8202f8, len=48
Jun 17 17:09:05 localhost kernel: Redzone: 0x5a2cf071/0x5a2cf071.
Jun 17 17:09:05 localhost kernel: Last user: [<c014447b>](audit_remove_watch+0x153/0x4a6)
Jun 17 17:09:05 localhost kernel: 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 17 17:09:05 localhost kernel: 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b

Version-Release number of selected component (if applicable):
2.6.9-11.EL.audit.59

How reproducible:
Sometimes

Steps to Reproduce:
1. Run fs-torture script
2. Run enabler script
3. Use computer

Additional info:

gdb says this: 
(gdb) list *0xc0142bb2
0xc0142bb2 is in auditfs_attach_wdata (include/asm/processor.h:659).
654     include/asm/processor.h: No such file or directory.
        in include/asm/processor.h

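The faulting address 6b6b6b6b in the oops above is the slab-debug POISON_FREE fill pattern, and the "Last user" line names the function that freed the object whose memory was then read, which is what turns this from a random crash into a use-after-free diagnosis. The following added triage script is not part of the report or of the kernel; it parses that evidence out of the log (the regexes, field names and verdict wording are my own) and flags any byte of the freed object that no longer holds the poison value, i.e. a write that happened after the free.

```python
import re

# 0x6b is POISON_FREE from the kernel's include/linux/poison.h: with CONFIG_DEBUG_SLAB
# the allocator fills an object with it on kfree(), so a pointer equal to 0x6b6b6b6b
# was loaded from memory that had already been freed.
POISON_FREE = 0x6b
FAULT_RE = re.compile(r"paging request at virtual address ([0-9a-f]{8})")
EIP_RE = re.compile(r"EIP is at (\S+)")
CORRUPT_RE = re.compile(r"Slab corruption: start=([0-9a-f]+)")
LAST_USER_RE = re.compile(r"Last user: \[<[0-9a-f]+>\]\((\S+?)\)")
DUMP_RE = re.compile(r"^([0-9a-f]{3}): ((?:[0-9a-f]{2} ?)+)$")

def is_free_poison(addr):
    """True when every byte of a 32-bit value is POISON_FREE."""
    return all(b == POISON_FREE for b in addr.to_bytes(4, "little"))

def triage_oops(text):
    """Pull the use-after-free evidence out of an i386 oops plus slab-debug report:
    faulting address, faulting symbol, who last freed the corrupted object, and the
    offsets inside that freed object that were overwritten after the free."""
    info = {"fault_addr": None, "eip": None, "last_user": None,
            "written_offsets": [], "verdict": "unknown"}
    in_corrupt = False            # True while inside the 'Slab corruption' object dump
    for line in text.splitlines():
        msg = line.split("kernel:", 1)[-1].strip()   # drop the syslog prefix
        if m := FAULT_RE.search(msg):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := EIP_RE.search(msg):
            info["eip"] = m.group(1)
        elif CORRUPT_RE.search(msg):
            in_corrupt = True
        elif msg.startswith(("Prev obj", "Next obj")):
            in_corrupt = False    # neighbouring objects are printed for context only
        elif in_corrupt and (m := LAST_USER_RE.search(msg)):
            info["last_user"] = m.group(1)
        elif in_corrupt and (m := DUMP_RE.match(msg)):
            base = int(m.group(1), 16)
            info["written_offsets"] += [base + i for i, h in enumerate(m.group(2).split())
                                        if int(h, 16) != POISON_FREE]
    if info["fault_addr"] is not None and is_free_poison(info["fault_addr"]):
        info["verdict"] = "use-after-free"
    return info

# Excerpt of the oops from this report, used as the worked input.
SAMPLE_OOPS = """\
Jun 17 17:09:05 localhost kernel: Unable to handle kernel paging request at virtual address 6b6b6b6b
Jun 17 17:09:05 localhost kernel: EIP is at auditfs_attach_wdata+0x70/0x161
Jun 17 17:09:05 localhost kernel: Slab corruption: start=df8202bc, len=48
Jun 17 17:09:05 localhost kernel: Last user: [<c014447b>](audit_remove_watch+0x153/0x4a6)
Jun 17 17:09:05 localhost kernel: 000: 6c 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
"""
```

Run against the excerpt, `triage_oops(SAMPLE_OOPS)` reports offset 0 of the object freed by audit_remove_watch as written after the free (0x6c instead of 0x6b), and the faulting pointer 0x6b6b6b6b as read from freed memory by auditfs_attach_wdata.
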
Comment 1 Steve Grubb 2005-06-18 12:18:53 UTC
This problem still exists in the .60 kernel.

Comment 2 David Woodhouse 2005-06-19 23:49:21 UTC
A potential fix for this problem is included in the audit.62 build.

Comment 4 Steve Grubb 2005-12-19 19:10:50 UTC
David, what is the status of this bug? I'm thinking this should be closed. Thanks.

Comment 5 David Woodhouse 2005-12-19 21:03:55 UTC
Yes, I'm fairly sure you're right.

