Description of problem:
KASAN: use-after-free in audit_list_rules_send

Version-Release number of selected component (if applicable):
kernel-5.7.0-0.rc4.1.elrdy.x86_64+debug

How reproducible:
Always

Steps to Reproduce:
1. Install kernel-5.7.0-0.rc4.1.elrdy.x86_64+debug
2. Add the below audit rules and reboot
~~~
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issuessh -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/hostname -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k actions
-w /etc/sudoers.d/ -p wa -k scope
find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-w /bin/kmod -p x -k auoms -k kernelmodules
-w /var/log/audit -p wxa -k audittampering -k auoms
-w /etc/audit -p wxa -k audittampering -k auoms
-w /etc/passwd -p x -k auoms -k usergroup
-w /etc/group -p x -k auoms -k usergroup
-w /etc/pam.d -p wxa -k auoms -k pam
-a always,exit -F arch=b32 -S execve,execveat -F key=auoms
-a always,exit -F arch=b64 -S execve,execveat -F key=auoms
~~~
3. Run `auditctl -l`

Actual results:
The below KASAN use-after-free in audit_list_rules_send() is logged in dmesg
~~~
[ 165.678493] ==================================================================
[ 165.681390] BUG: KASAN: use-after-free in audit_list_rules_send+0x9ed/0xea0
[ 165.684129] Read of size 16 at addr ffff888107628c60 by task auditctl/1469
[ 165.686834]
[ 165.688492] CPU: 0 PID: 1469 Comm: auditctl Tainted: G ---------h--- 5.7.0-0.rc4.1.elrdy.x86_64+debug #1
[ 165.693275] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
[ 165.698015] Call Trace:
[ 165.699833] dump_stack+0x96/0xe0
[ 165.701822] ? audit_list_rules_send+0x9ed/0xea0
[ 165.704049] print_address_description.constprop.6+0x1b/0x220
[ 165.706460] ? audit_list_rules_send+0x9ed/0xea0
[ 165.708618] ? audit_list_rules_send+0x9ed/0xea0
[ 165.710731] __kasan_report.cold.9+0x37/0x92
[ 165.712774] ? kasan_poison_shadow+0x30/0x30
[ 165.714822] ? audit_list_rules_send+0x9ed/0xea0
[ 165.716955] kasan_report+0x32/0x50
[ 165.718890] check_memory_region+0x198/0x200
[ 165.720948] memcpy+0x1f/0x60
[ 165.722707] audit_list_rules_send+0x9ed/0xea0
[ 165.724734] audit_receive_msg+0xd35/0x1fa0
[ 165.726655] ? lock_contended+0xd30/0xd30
[ 165.728543] ? audit_log_feature_change.part.17+0x130/0x130
[ 165.730757] ? __mutex_lock+0xe42/0x13f0
[ 165.732632] ? sched_clock+0x5/0x10
[ 165.734441] ? sched_clock_cpu+0x18/0x170
[ 165.736329] ? audit_receive+0x72/0x200
[ 165.738165] ? lock_acquire+0x1a8/0x620
[ 165.740067] ? mutex_trylock+0x2a0/0x2a0
[ 165.741908] ? sched_clock+0x5/0x10
[ 165.743656] ? sched_clock_cpu+0x18/0x170
[ 165.745501] ? find_held_lock+0x3a/0x1c0
[ 165.747349] ? lock_downgrade+0x720/0x720
[ 165.749187] ? rcu_is_watching+0x2c/0x80
[ 165.751050] audit_receive+0xe3/0x200
[ 165.752831] netlink_unicast+0x439/0x630
[ 165.754639] ? netlink_attachskb+0x6f0/0x6f0
[ 165.756484] ? netlink_autobind.isra.35+0x136/0x240
[ 165.758419] ? netlink_autobind.isra.35+0xbc/0x240
[ 165.760315] ? __check_object_size+0x275/0x324
[ 165.762125] netlink_sendmsg+0x719/0xc60
[ 165.763807] ? netlink_unicast+0x630/0x630
[ 165.765482] ? kmem_cache_alloc_trace+0x125/0x320
[ 165.767259] ? __audit_sockaddr+0xec/0x170
[ 165.768905] ? netlink_unicast+0x630/0x630
[ 165.770563] sock_sendmsg+0xe2/0x110
[ 165.772104] __sys_sendto+0x1de/0x2c0
[ 165.773647] ? __ia32_sys_getpeername+0xb0/0xb0
[ 165.775360] ? lock_downgrade+0x720/0x720
[ 165.776979] ? rcu_read_unlock+0x40/0x40
[ 165.778617] ? syscall_trace_enter+0x549/0xcd0
[ 165.780320] ? mark_held_locks+0xb7/0x120
[ 165.781936] ? syscall_slow_exit_work+0x540/0x540
[ 165.783691] ? handle_mm_fault+0x244/0x6c0
[ 165.785320] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 165.787055] __x64_sys_sendto+0xdd/0x1b0
[ 165.788659] do_syscall_64+0x9f/0x4f0
[ 165.790248] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 165.792067] RIP: 0033:0x7fb93b775d68
[ 165.793597] Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 8b 05 e6 d6 20 00 41 89 ca 85 c0 75 17 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 78 c3 0f 1f 80 00 00 00 00 41 57 4d 89 c7 41
[ 165.799848] RSP: 002b:00007ffcb2aef418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 165.802303] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00007fb93b775d68
[ 165.804698] RDX: 0000000000000010 RSI: 00007ffcb2aef450 RDI: 0000000000000003
[ 165.807107] RBP: 0000000000000003 R08: 00007ffcb2aef43c R09: 000000000000000c
[ 165.809515] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcb2aef450
[ 165.811932] R13: 00007ffcb2aef43c R14: 0000000000000001 R15: 0000000000000000
[ 165.814391]
[ 165.815758] Allocated by task 1387:
[ 165.817510] save_stack+0x19/0x40
[ 165.819223] __kasan_kmalloc.constprop.11+0xc1/0xd0
[ 165.821249] kmem_cache_alloc_trace+0x125/0x320
[ 165.823211] kernfs_fop_open+0x81b/0xc60
[ 165.825057] do_dentry_open+0x3f0/0xf40
[ 165.826892] path_openat+0xd53/0x2210
[ 165.828689] do_filp_open+0x176/0x250
[ 165.830496] do_sys_openat2+0x2e1/0x500
[ 165.832317] do_sys_open+0x8a/0xd0
[ 165.834046] do_syscall_64+0x9f/0x4f0
[ 165.835815] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 165.837855]
[ 165.839216] Freed by task 1387:
[ 165.840921] save_stack+0x19/0x40
[ 165.842627] __kasan_slab_free+0x125/0x170
[ 165.844484] slab_free_freelist_hook+0x57/0x180
[ 165.846428] kfree+0xd6/0x2d0
[ 165.848075] kernfs_fop_release+0xca/0x170
[ 165.849946] __fput+0x2b1/0x7b0
[ 165.851625] task_work_run+0xd3/0x170
[ 165.853395] exit_to_usermode_loop+0x143/0x160
[ 165.855318] do_syscall_64+0x3d5/0x4f0
[ 165.857106] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 165.859153]
[ 165.860533] The buggy address belongs to the object at ffff888107628c00
[ 165.860533]  which belongs to the cache kmalloc-128 of size 128
[ 165.865053] The buggy address is located 96 bytes inside of
[ 165.865053]  128-byte region [ffff888107628c00, ffff888107628c80)
[ 165.869282] The buggy address belongs to the page:
[ 165.871207] page:ffffea00041d8a00 refcount:1 mapcount:0 mapping:000000004636381b index:0x0
[ 165.873792] flags: 0x17ffffc0000200(slab)
[ 165.875574] raw: 0017ffffc0000200 ffffea0002b8b2c0 0000000200000002 ffff888107c02c80
[ 165.878117] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 165.880660] page dumped because: kasan: bad access detected
[ 165.882800]
[ 165.884141] Memory state around the buggy address:
[ 165.886131]  ffff888107628b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 165.888613]  ffff888107628b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 165.891117] >ffff888107628c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 165.893618]                                                        ^
[ 165.895977]  ffff888107628c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 165.898536]  ffff888107628d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 165.901119] ==================================================================
[ 165.903719] Disabling lock debugging due to kernel taint
~~~

Expected results:
No KASAN: use-after-free in audit_list_rules_send().

Additional info:
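As an added triage aid that is not part of this bug report, the following Python parser reads the KASAN report format shown above out of dmesg text and pulls out the bug class, faulting function, access size, accessing task, the slab cache, and the allocation and free sites with the KASAN/allocator plumbing frames filtered out. The sample input is a constructed, trimmed copy of the report above, and the list of "noise" frames is my own heuristic, not something the kernel defines.

```python
import re

# Constructed sample: a trimmed copy of the KASAN report from this bug's dmesg output.
SAMPLE_DMESG = """\
[  165.681390] BUG: KASAN: use-after-free in audit_list_rules_send+0x9ed/0xea0
[  165.684129] Read of size 16 at addr ffff888107628c60 by task auditctl/1469
[  165.698015] Call Trace:
[  165.701822]  ? audit_list_rules_send+0x9ed/0xea0
[  165.720948]  memcpy+0x1f/0x60
[  165.722707]  audit_list_rules_send+0x9ed/0xea0
[  165.815758] Allocated by task 1387:
[  165.817510]  save_stack+0x19/0x40
[  165.823211]  kernfs_fop_open+0x81b/0xc60
[  165.839216] Freed by task 1387:
[  165.848075]  kernfs_fop_release+0xca/0x170
[  165.860533]  which belongs to the cache kmalloc-128 of size 128
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")        # dmesg timestamp prefix
_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
_SECTION = re.compile(r"(Call Trace|Allocated by task \d+|Freed by task \d+):")
_FRAME = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
_NOISE = ("save_stack", "__kasan", "kasan_", "kfree", "slab_free", "kmem_cache")  # my heuristic


def parse_kasan_report(text):
    """Summarise the first KASAN report in dmesg text, or return None if there is none."""
    report, section = None, None
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if report is None:
            if m := _BUG.match(line):
                report = {"bug": m.group(1), "function": m.group(2), "frames": {}}
        elif m := _ACCESS.match(line):
            report.update(access=m.group(1).lower(), size=int(m.group(2)),
                          addr=int(m.group(3), 16), task=m.group(4), pid=int(m.group(5)))
        elif m := _SECTION.match(line):
            section = m.group(1).split()[0].lower()        # call / allocated / freed
            report["frames"][section] = []
        elif (m := _FRAME.match(line)) and section and not m.group(1):   # '?' = unreliable frame
            report["frames"][section].append(m.group(2))
        elif m := _CACHE.search(line):
            report.update(cache=m.group(1), object_size=int(m.group(2)))
    if report:                                               # first non-plumbing frame per stack
        for key in ("allocated", "freed"):
            frames = report["frames"].get(key, [])
            report[key + "_site"] = next((f for f in frames if not f.startswith(_NOISE)), "?")
    return report
```

On the sample this yields a use-after-free read of 16 bytes in audit_list_rules_send by auditctl/1469 on a kmalloc-128 object allocated in kernfs_fop_open and freed in kernfs_fop_release, which is the pairing a triager wants to see before opening the code.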