Bug 245164 - kernel oops when watched file is unlinked and audit is disabled
kernel oops when watched file is unlinked and audit is disabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Eric Paris
Martin Jenner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-21 09:03 EDT by Steve Grubb
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2007-0959
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 14:53:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2007-06-21 09:03:34 EDT
Description of problem:
When a watched file is accessed and audit is disabled, the kernel will oops.

Version-Release number of selected component (if applicable):
kernel-2.6.18-8.1.3.el5

How reproducible:
everytime

Steps to Reproduce:
1. auditctl -D
2. touch /tmp/test
3. auditctl -w /tmp/test -p wa -k test
4. auditctl -e 0
5. echo "test" > /tmp/test
  
Actual results:
oops

Expected results:
system to be running

Additional info:
Patch was submitted upstream fixing the problem. It simply adds a check for
audit->context being NULL. This is very low risk to pull in.

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 74cc0fc..ce61f42 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -947,7 +947,7 @@ static void audit_update_watch(struct au
 
                /* If the update involves invalidating rules, do the inode-based
                 * filtering now, so we don't omit records. */
-               if (invalidating &&
+               if (invalidating && current->audit_context &&
                    audit_filter_inodes(current, current->audit_context) ==
AUDIT_RECORD_CONTEXT)
                        audit_set_auditable(current->audit_context);
Comment 1 Steve Grubb 2007-06-21 09:08:44 EDT
Actually, step 5 above should be this:

5. rm /tmp/test

Comment 2 RHEL Product and Program Management 2007-06-21 09:43:38 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Don Zickus 2007-06-27 11:48:48 EDT
in 2.6.18-32.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 6 Mike Gahagan 2007-08-07 16:59:27 EDT
Verified that this bug is fixed using the testcase, however I hit a different
kernel panic after I stop auditd which I have logged as bz251232.

Comment 8 errata-xmlrpc 2007-11-07 14:53:51 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0959.html

Note You need to log in before you can comment on or make changes to this bug.