From 8a97e4dc7f970b13f7a64e79a0b3d76b8fb800f0 Mon Sep 17 00:00:00 2001 Message-Id: <8a97e4dc7f970b13f7a64e79a0b3d76b8fb800f0.1676651944.git.iecedge@gmail.com> In-Reply-To: References: 
From: Jianlin Lv Date: Fri, 17 Feb 2023 16:07:15 +0000 Subject: [SRU] [Jammy] [PATCH 1/1] UBUNTU: audit: fix memory leak of audit_log_lsm() BugLink: https://bugs.launchpad.net/bugs/1987430 Got following memory leak reports by kmemleak unreferenced object 0xffff8baee56b9d08 (size 24): comm "grep", pid 5503, jiffies 4297727573 (age 466.572s) hex dump (first 24 bytes): 00 80 b5 a2 ae 8b ff ff 00 74 74 db dd 8b ff ff .........tt..... 20 0a 00 00 00 00 00 00 ....... backtrace: [<00000000b7cc6a2d>] kmem_cache_alloc+0x13f/0x450 [<0000000024efa20e>] audit_log_start.part.0+0x12d/0x3b0 [<000000007a98c9a0>] audit_log_start+0x3f/0x60 [<00000000165c321e>] audit_log_lsm+0x74/0x180 [<00000000e9cb2cd0>] audit_log_exit+0x4df/0x700 [<00000000688ae612>] __audit_syscall_exit+0x241/0x2b0 [<00000000bda00aef>] syscall_exit_work+0x116/0x150 [<000000008071854f>] syscall_exit_to_user_mode+0x3b/0x50 [<000000000dd668c7>] do_syscall_64+0x69/0xc0 [<00000000bef68a32>] entry_SYSCALL_64_after_hwframe+0x44/0xae unreferenced object 0xffff8baea2b58000 (size 224): comm "grep", pid 5503, jiffies 4297727573 (age 466.572s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000b2225191>] kmem_cache_alloc_node+0x14f/0x460 [<0000000097965326>] __alloc_skb+0x168/0x1d0 [<00000000400424f6>] audit_log_start.part.0+0x14d/0x3b0 [<000000007a98c9a0>] audit_log_start+0x3f/0x60 [<00000000165c321e>] audit_log_lsm+0x74/0x180 [<00000000e9cb2cd0>] audit_log_exit+0x4df/0x700 [<00000000688ae612>] __audit_syscall_exit+0x241/0x2b0 [<00000000bda00aef>] syscall_exit_work+0x116/0x150 [<000000008071854f>] syscall_exit_to_user_mode+0x3b/0x50 [<000000000dd668c7>] do_syscall_64+0x69/0xc0 [<00000000bef68a32>] entry_SYSCALL_64_after_hwframe+0x44/0xae struct audit_buffer object allocated in audit_log_lsm should be freed if lsmblob_is_set/security_secid_to_secctx return false or error. 
Signed-off-by: Jianlin Lv
---
 kernel/auditsc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d37ef7c76f35..693c8c3d294b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1526,7 +1526,7 @@ void audit_log_lsm(struct lsmblob *blob, bool exiting)
 if (blob == NULL) {
 security_task_getsecid_subj(current, &localblob);
 if (!lsmblob_is_set(&localblob))
- return;
+ goto end;
 blob = &localblob;
 }

@@ -1536,7 +1536,7 @@ void audit_log_lsm(struct lsmblob *blob, bool exiting)
 error = security_secid_to_secctx(blob, &lsmdata, i);
 if (error && error != -EINVAL) {
 audit_panic("error in audit_log_lsm");
- return;
+ goto end;
 }

 audit_log_format(ab, "%ssubj_%s=%s", sep ? " " : "",
@@ -1546,6 +1546,7 @@ void audit_log_lsm(struct lsmblob *blob, bool exiting)
 security_release_secctx(&lsmdata);
 }

+end:
 audit_log_end(ab);
 }

-- 
2.25.1
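Review bot: In the first hunk, `goto end` on `!lsmblob_is_set(&localblob)` hands a buffer with nothing formatted into it to `audit_log_end(ab)`, which as far as I know submits the record for delivery as well as releasing it, so this path probably emits a blank record where the old code stayed silent. The second hunk has the same shape: after `audit_panic("error in audit_log_lsm")` a partially formatted record is submitted rather than dropped, which matters for anyone parsing these records. If the allocation of `ab` can be placed after the `blob == NULL` block, the first path can keep its plain `return;` with nothing to free; otherwise a comment at the label such as `/* end: releases ab, and also submits whatever was formatted so far */` would make the trade-off explicit. The function body starts above the first hunk, so the position of the allocation is inferred from the backtrace in the commit message and should be confirmed against the full function.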