Bug 160874 - audit: use after free in auditfs_attach_wdata()
Summary: audit: use after free in auditfs_attach_wdata()
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-17 21:41 UTC by Steve Grubb
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 2.6.9-16
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-12-08 15:31:50 UTC



Description Steve Grubb 2005-06-17 21:41:13 UTC

Description of problem:
Kernel Oops recorded:

Jun 17 17:09:05 localhost kernel: Unable to handle kernel paging request at virtual address 6b6b6b6b
Jun 17 17:09:05 localhost kernel:  printing eip:
Jun 17 17:09:05 localhost kernel: c0142bb2
Jun 17 17:09:05 localhost kernel: *pde = 00000000
Jun 17 17:09:05 localhost kernel: Oops: 0000 [#1]
Jun 17 17:09:05 localhost kernel: Modules linked in: parport_pc lp parport autofs4 i2c_dev i2c_core ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables dm_mod button battery ac md5 ipv6 uhci_hcd snd_emu10k1 snd_rawmidi snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_seq_device snd_ac97_codec snd_page_alloc snd_util_mem snd_hwdep snd soundcore 3c59x floppy ext3 jbd
Jun 17 17:09:05 localhost kernel: CPU:    0
Jun 17 17:09:05 localhost kernel: EIP:    0060:[<c0142bb2>]    Not tainted VLI
Jun 17 17:09:05 localhost kernel: EFLAGS: 00210202   (2.6.9-11.EL.audit.59)
Jun 17 17:09:05 localhost kernel: EIP is at auditfs_attach_wdata+0x70/0x161
Jun 17 17:09:05 localhost kernel: eax: 00000000   ebx: 6b6b6b6b   ecx: d9caf22c   edx: dff75630
Jun 17 17:09:05 localhost kernel: esi: dff75628   edi: d9caf22c   ebp: dfbcafb0   esp: da209e88
Jun 17 17:09:05 localhost kernel: ds: 007b   es: 007b   ss: 0068
Jun 17 17:09:05 localhost kernel: Process auditctl (pid: 18145, threadinfo=da209000 task=dd5d9990)
Jun 17 17:09:05 localhost kernel: Stack: df8202bc 00000001 ee893408 ddccb804 ee893408 00000001 00000000 c0144da3
Jun 17 17:09:05 localhost kernel:        fffffff5 ee893408 00000001 da209f58 c01755dc fffffff5 ee893408 0024a603
Jun 17 17:09:05 localhost kernel:        da209f58 c0175d9f dc6b3008 dfef5c70 c0156922 00000000 00000101 00000000
Jun 17 17:09:05 localhost kernel: Call Trace:
Jun 17 17:09:05 localhost kernel:  [<c01755dc>] permission+0xf/0x4f
Jun 17 17:09:05 localhost kernel:  [<c0175d9f>] link_path_walk+0x12c/0xd98
Jun 17 17:09:05 localhost kernel:  [<c0156922>] handle_mm_fault+0xd5/0x1fd
Jun 17 17:09:05 localhost kernel:  [<c0176c85>] path_lookup+0xfe/0x12c
Jun 17 17:09:05 localhost kernel:  [<c0177376>] open_namei+0x99/0x57e
Jun 17 17:09:05 localhost kernel:  [<c0165b09>] filp_open+0x23/0x3c
Jun 17 17:09:05 localhost kernel:  [<c0305ac8>] __cond_resched+0x14/0x3b
Jun 17 17:09:05 localhost kernel:  [<c01ddf32>] direct_strncpy_from_user+0x3e/0x5d
Jun 17 17:09:05 localhost kernel:  [<c0165fe0>] sys_open+0x31/0x7d
Jun 17 17:09:05 localhost kernel:  [<c0307323>] syscall_call+0x7/0xb
Jun 17 17:09:05 localhost kernel: Code: 7d 34 00 75 19 8b 03 b9 98 59 35 c0 89 ea e8 83 ec ff ff 85 c0 74 07 c7 45 34 01 00 00 00 c7 46 08 00 00 00 00 8b 1f 85 db 74 60 <8b> 03 0f 18 00 90 8d 43 ec ba d0 00 00 00 89 04 24 a1 84 60 35
Jun 17 17:09:05 localhost kernel:  <0>Fatal exception: panic in 5 seconds
Jun 17 17:09:05 localhost kernel: Slab corruption: start=df8202bc, len=48
Jun 17 17:09:05 localhost kernel: Redzone: 0x5a2cf071/0x5a2cf071.
Jun 17 17:09:05 localhost kernel: Last user: [<c014447b>](audit_remove_watch+0x153/0x4a6)
Jun 17 17:09:05 localhost kernel: 000: 6c 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 17 17:09:05 localhost kernel: Prev obj: start=df820280, len=48
Jun 17 17:09:05 localhost kernel: Redzone: 0x5a2cf071/0x5a2cf071.
Jun 17 17:09:05 localhost kernel: Last user: [<c014447b>](audit_remove_watch+0x153/0x4a6)
Jun 17 17:09:05 localhost kernel: 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 17 17:09:05 localhost kernel: 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 17 17:09:05 localhost kernel: Next obj: start=df8202f8, len=48
Jun 17 17:09:05 localhost kernel: Redzone: 0x5a2cf071/0x5a2cf071.
Jun 17 17:09:05 localhost kernel: Last user: [<c014447b>](audit_remove_watch+0x153/0x4a6)
Jun 17 17:09:05 localhost kernel: 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 17 17:09:05 localhost kernel: 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b

Version-Release number of selected component (if applicable):
2.6.9-11.EL.audit.59

How reproducible:
Sometimes

Steps to Reproduce:
1. Run fs-torture script
2. Run enabler script
3. Use computer

Additional info:

gdb says this: 
(gdb) list *0xc0142bb2
0xc0142bb2 is in auditfs_attach_wdata (include/asm/processor.h:659).
654     include/asm/processor.h: No such file or directory.
        in include/asm/processor.h

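The oops above is the textbook signature of a use-after-free caught by slab debugging: 0x6b is the POISON_FREE byte the debug slab allocator writes over a freed object, so a pointer loaded out of freed memory decodes to 0x6b6b6b6b, which is exactly the faulting address and the value in ebx at the `mov (%ebx),%eax` that follows the prefetch hint in the code dump. The "Slab corruption" block then names the last user of that object as audit_remove_watch(), i.e. the watch was freed by the removal path while auditfs_attach_wdata() could still reach it through a list. The following C program is an added example written for this page, not code from the RHEL audit kernel or from the bug's attachments: it models a poisoning allocator and a watch list with hypothetical helpers (watch_alloc, remove_watch_buggy, remove_watch_fixed, walk_watches) and shows how freeing a node that is still linked turns the next list walk into a dereference of the poison pattern, and how unlinking under a reference count avoids it. The locking that a real concurrent fix needs is deliberately left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo (not RHEL kernel code): a toy slab that poisons freed
 * objects, plus a watch list, to show why a freed-but-still-linked watch
 * becomes "Unable to handle kernel paging request at virtual address 6b6b6b6b". */

#define POISON_FREE 0x6b   /* byte CONFIG_DEBUG_SLAB writes over freed objects */
#define POOL_SIZE   8

struct list_head { struct list_head *next, *prev; };

struct watch {
    struct list_head list;   /* link in the per-inode watch list */
    char path[32];
    int refcnt;
};

/* Toy slab: freed slots are poisoned and quarantined, never handed out again. */
static struct watch pool[POOL_SIZE];
static int pool_used[POOL_SIZE];

static void slab_reset(void) { memset(pool_used, 0, sizeof pool_used); }

static struct watch *watch_alloc(const char *path)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool_used[i]) continue;
        pool_used[i] = 1;
        struct watch *w = &pool[i];
        memset(w, 0, sizeof *w);
        strncpy(w->path, path, sizeof w->path - 1);
        w->refcnt = 1;
        return w;
    }
    return NULL;
}

static void watch_free(struct watch *w) { memset(w, POISON_FREE, sizeof *w); }

/* Pointer value a poisoned next/prev field decodes to: 0x6b6b6b6b on i386
 * (as in the oops), 0x6b6b6b6b6b6b6b6b on a 64-bit build of this demo. */
static uintptr_t poison_ptr(void)
{
    uintptr_t v;
    memset(&v, POISON_FREE, sizeof v);
    return v;
}

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

/* Walk the list the way a list_for_each() loop does. Returns the number of
 * entries reached, or -1 at the point where the real kernel faults: the
 * cursor has become the poison pattern read from a freed node's ->next. */
static int walk_watches(struct list_head *head)
{
    int n = 0;
    for (struct list_head *p = head->next; p != head; p = p->next) {
        if ((uintptr_t)p == poison_ptr()) return -1;
        n++;
    }
    return n;
}

/* Buggy removal: frees the object while the list still points at it. */
static void remove_watch_buggy(struct watch *w) { watch_free(w); }

/* Fixed removal: unlink first, then drop the reference, so the object is
 * freed only once it is unreachable through the list. */
static void watch_put(struct watch *w) { if (--w->refcnt == 0) watch_free(w); }

static void remove_watch_fixed(struct watch *w)
{
    list_del(&w->list);
    watch_put(w);
}

/* Two watches on one inode list, the first removed, then the list walked
 * again as a later auditctl run would. Returns walk_watches()'s result. */
int scenario(int fixed)
{
    struct list_head inode_watches;
    slab_reset();
    list_init(&inode_watches);
    struct watch *a = watch_alloc("/etc/shadow");   /* constructed sample paths */
    struct watch *b = watch_alloc("/etc/passwd");
    list_add_tail(&a->list, &inode_watches);
    list_add_tail(&b->list, &inode_watches);
    if (fixed) remove_watch_fixed(a); else remove_watch_buggy(a);
    return walk_watches(&inode_watches);
}

int main(void)
{
    printf("buggy removal: walk returns %d (kernel would fault at %#lx)\n",
           scenario(0), (unsigned long)poison_ptr());
    printf("fixed removal: walk returns %d\n", scenario(1));
    return 0;
}
```

The buggy path reproduces the report's shape: the walk reaches the freed watch, loads its poisoned ->next, and the next iteration would dereference 0x6b6b6b6b. Without slab poisoning the same bug reads whatever the recycled memory now holds, which is why it showed up only "sometimes" and why running with slab debugging enabled is the right way to make such races deterministic.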
Comment 1 Steve Grubb 2005-06-18 12:18:53 UTC
This problem still exists in the .60 kernel.

Comment 2 David Woodhouse 2005-06-19 23:49:21 UTC
A potential fix for this problem is included in the audit.62 build.

Comment 4 Steve Grubb 2005-12-19 19:10:50 UTC
David, what is the status of this bug? I'm thinking this should be closed. Thanks.

Comment 5 David Woodhouse 2005-12-19 21:03:55 UTC
Yes, I'm fairly sure you're right.

