linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: memory leak from __audit_log_kern_module() #137

Closed cgzones closed 2 years ago

cgzones commented 2 years ago

Version: 5.19.0-rc2

Similar to https://github.com/linux-audit/audit-kernel/commit/95e0b46fcebd7dbf6850dee96046e4c4ddc7f69c:

unreferenced object 0xffff888153b707f0 (size 16):
  comm "modprobe", pid 1319, jiffies 4295110033 (age 1083.016s)
  hex dump (first 16 bytes):
    62 69 6e 66 6d 74 5f 6d 69 73 63 00 6b 6b 6b a5  binfmt_misc.kkk.
  backtrace:
    [<ffffffffa07dbf9b>] kstrdup+0x2b/0x50
    [<ffffffffa04b0a9d>] __audit_log_kern_module+0x4d/0xf0
    [<ffffffffa03b6664>] load_module+0x9d4/0x2e10
    [<ffffffffa03b8f44>] __do_sys_finit_module+0x114/0x1b0
    [<ffffffffa1f47124>] do_syscall_64+0x34/0x80
    [<ffffffffa200007e>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

pcmoore commented 2 years ago

Thanks @cgzones, is this something you want to try fixing?

cgzones commented 2 years ago

Testing

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f3a2abd6d1a1..a21a38a3debf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1014,8 +1014,8 @@ static void audit_reset_context(struct audit_context *ctx)
        ctx->target_comm[0] = '\0';
        unroll_tree_refs(ctx, NULL, 0);
        WARN_ON(!list_empty(&ctx->killed_trees));
-       ctx->type = 0;
        audit_free_module(ctx);
+       ctx->type = 0; /* reset after audit_free_module() */
        ctx->fds[0] = -1;
        audit_proctitle_free(ctx);
 }
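
Review bot: The comment on the moved `ctx->type = 0;` line in audit_reset_context() records the new order but not the reason for it, so a later cleanup could undo the change without noticing. If audit_free_module() reads ctx->type to decide what to free, the comment should say so, and placing the assignment last in the function, after audit_proctitle_free(ctx), would cover the other teardown calls as well.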

pcmoore commented 2 years ago

That looks like the culprit :)

The only suggestion I might have would be to move the ctx->type = 0; line to the bottom of the function, after the call to audit_proctitle_free(ctx); just in case something like this happens with other portions of the audit_context.

Thanks!

cgzones commented 2 years ago

https://github.com/torvalds/linux/commit/ef79c396c664be99d0c5660dc75fe863c1e20315
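
The reset-ordering leak fixed by the patch in this thread, reproduced as a small user-space C model. This is an added example, not part of the original thread or the kernel source; the struct, the helper names and the assumption that the free helper checks the type tag before freeing are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical user-space model of the pattern; not kernel code. */
enum { CTX_NONE = 0, CTX_KERN_MODULE = 1 };
struct ctx {
    int type;                      /* tag: which payload is live */
    struct { char *name; } module; /* heap copy of the module name */
};
static int live_allocs; /* outstanding heap objects (stand-in for kmemleak) */

static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live_allocs++; }
    return p;
}

/* Assumed helper shape: frees only while the tag still says "module". */
static void free_module(struct ctx *c)
{
    if (c->type == CTX_KERN_MODULE && c->module.name) {
        free(c->module.name);
        c->module.name = NULL;
        live_allocs--;
    }
}

/* Pre-patch order: tag cleared first, so free_module() skips the free. */
static void reset_buggy(struct ctx *c) { c->type = CTX_NONE; free_module(c); }
/* Patched order: free while the tag is still valid, then clear it. */
static void reset_fixed(struct ctx *c) { free_module(c); c->type = CTX_NONE; }

/* Record one module load, reset, and return the number of leaked objects. */
static int leaked_after(void (*reset)(struct ctx *))
{
    struct ctx c = { CTX_NONE, { NULL } };
    live_allocs = 0;
    c.type = CTX_KERN_MODULE;
    c.module.name = dup_name("binfmt_misc"); /* name seen in the leak report */
    reset(&c);
    int leaked = live_allocs;
    free(c.module.name); /* release the demo's own leak; free(NULL) is a no-op */
    return leaked;
}

int main(void)
{
    return (leaked_after(reset_buggy) == 1 && leaked_after(reset_fixed) == 0) ? 0 : 1;
}
```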