The kernel crashes in audit_remove_tree_rule() due to a use-after-free triggered by some strange audit rules.

Solution Verified - Updated

Issue

  • The kernel crashes in audit_remove_tree_rule() on boot due to a use-after-free triggered by some strange audit rules. The call trace below shows the crash hit while auditctl is removing a rule (audit_receive_msg → audit_del_rule → audit_remove_tree_rule), where the list_del debug check fails with a NULL prev->next and the kernel panics:
[595830.286714] list_del corruption. prev->next should be ffff968f7aac4170, but was 0000000000000000
[595830.307120] ------------[ cut here ]------------
[595830.307122] kernel BUG at lib/list_debug.c:53!
[595830.307129] invalid opcode: 0000 [#1] SMP PTI
[595830.307131] CPU: 7 PID: 2123745 Comm: auditctl Kdump: loaded Not tainted 4.18.0-240.10.1.el8_3.x86_64 #1
[595830.307132] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008  12/07/2018
[595830.307140] RIP: 0010:__list_del_entry_valid.cold.1+0x34/0x4c
[595830.307143] Code: cd 6e b4 e8 b8 44 cd ff 0f 0b 48 c7 c7 60 ce 6e b4 e8 aa 44 cd ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 20 ce 6e b4 e8 96 44 cd ff <0f> 0b 48 89 fe 48 c7 c7 e8 cd 6e b4 e8 85 44 cd ff 0f 0b 90 90 90
[595830.307144] RSP: 0018:ffffbda786703be8 EFLAGS: 00010246
[595830.307153] RAX: 0000000000000054 RBX: ffff968f7aac4020 RCX: 0000000000000000
[595830.307154] RDX: 0000000000000000 RSI: ffff968f7fdd6a08 RDI: ffff968f7fdd6a08
[595830.307155] RBP: ffff968f749de080 R08: ffff968f7cbadf00 R09: 000000000000039e
[595830.307156] R10: 000000008d8be200 R11: 00000000c12c4cc9 R12: ffff968f7aac4170
[595830.307157] R13: 0000000000000000 R14: ffff968f795a0c00 R15: ffff968c0836a810
[595830.307159] FS:  00007f8a70d4b100(0000) GS:ffff968f7fdc0000(0000) knlGS:0000000000000000
[595830.307160] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[595830.307161] CR2: 00005626ca940158 CR3: 00000008b43a2003 CR4: 00000000003606e0
[595830.307165] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[595830.307166] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[595830.307167] Call Trace:
[595830.307174]  audit_remove_tree_rule+0x39/0x160
[595830.307180]  audit_del_rule+0x8e/0x190
[595830.307182]  audit_rule_change+0x9e/0x420
[595830.307187]  ? security_capable+0x38/0x50
[595830.307190]  audit_receive_msg+0x135/0xee0
[595830.307193]  ? __check_object_size+0xa8/0x16b
[595830.307196]  ? __kmalloc_node_track_caller+0x1c3/0x290
[595830.307199]  ? __alloc_skb+0x82/0x1c0
[595830.307204]  ? __netlink_lookup+0xe6/0x150
[595830.307206]  audit_receive+0x52/0xb0
[595830.307209]  netlink_unicast+0x19e/0x260
[595830.307212]  netlink_sendmsg+0x204/0x3d0
[595830.307215]  sock_sendmsg+0x4c/0x50
[595830.307218]  __sys_sendto+0xee/0x160
[595830.307230]  ? syscall_trace_enter+0x1d3/0x2c0
[595830.307232]  ? __audit_syscall_exit+0x249/0x2a0
[595830.307234]  __x64_sys_sendto+0x24/0x30
[595830.307237]  do_syscall_64+0x5b/0x1a0
[595830.307240]  entry_SYSCALL_64_after_hwframe+0x65/0xca
[595830.307243] RIP: 0033:0x7f8a702d0d68
[595830.307245] Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 8b 05 e6 d6 20 00 41 89 ca 85 c0 75 17 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 78 c3 0f 1f 80 00 00 00 00 41 57 4d 89 c7 41
[595830.307246] RSP: 002b:00007fffde324d38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[595830.307248] RAX: ffffffffffffffda RBX: 0000000000000444 RCX: 00007f8a702d0d68
[595830.307249] RDX: 0000000000000444 RSI: 00007fffde324d70 RDI: 0000000000000003
[595830.307250] RBP: 0000000000000003 R08: 00007fffde324d5c R09: 000000000000000c
[595830.307251] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffde324d70
[595830.307251] R13: 00007fffde324d5c R14: 0000000000000014 R15: 0000000000000431
[595830.307256] Modules linked in: xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag tcp_diag inet_diag nft_counter xt_owner xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat fuse ccm md4 sha512_ssse3 sha512_generic cmac nls_utf8 cifs libarc4 dns_resolver nf_tables binfmt_misc nfnetlink intel_rapl_msr intel_rapl_common sb_edac kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_rapl_perf hv_balloon hv_utils hyperv_fb i2c_piix4 pcspkr joydev xfs libcrc32c auth_rpcgss sunrpc ip_tables ext4 mbcache jbd2 ata_generic sd_mod sg ata_piix hyperv_keyboard hv_storvsc hv_netvsc scsi_transport_fc hid_hyperv crc32c_intel libata serio_raw hv_vmbus dm_mirror dm_region_hash dm_log dm_mod
[595830.307891] ---[ end trace 281a8031390cd5c2 ]---
[595830.307895] RIP: 0010:__list_del_entry_valid.cold.1+0x34/0x4c
[595830.307897] Code: cd 6e b4 e8 b8 44 cd ff 0f 0b 48 c7 c7 60 ce 6e b4 e8 aa 44 cd ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 20 ce 6e b4 e8 96 44 cd ff <0f> 0b 48 89 fe 48 c7 c7 e8 cd 6e b4 e8 85 44 cd ff 0f 0b 90 90 90
[595830.307898] RSP: 0018:ffffbda786703be8 EFLAGS: 00010246
[595830.307900] RAX: 0000000000000054 RBX: ffff968f7aac4020 RCX: 0000000000000000
[595830.307900] RDX: 0000000000000000 RSI: ffff968f7fdd6a08 RDI: ffff968f7fdd6a08
[595830.307901] RBP: ffff968f749de080 R08: ffff968f7cbadf00 R09: 000000000000039e
[595830.307902] R10: 000000008d8be200 R11: 00000000c12c4cc9 R12: ffff968f7aac4170
[595830.307903] R13: 0000000000000000 R14: ffff968f795a0c00 R15: ffff968c0836a810
[595830.307905] FS:  00007f8a70d4b100(0000) GS:ffff968f7fdc0000(0000) knlGS:0000000000000000
[595830.307906] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[595830.307907] CR2: 00005626ca940158 CR3: 00000008b43a2003 CR4: 00000000003606e0
[595830.307910] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[595830.307911] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[595830.307912] Kernel panic - not syncing: Fatal exception
[595830.308088] Kernel Offset: 0x32600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
  • The following 2 lines are present in /etc/audit/rules.d/audit.rules. Note that they are shell pipelines (find | awk) meant to generate rule lines into priv.rules, not audit rule syntax themselves:
find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
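The shell script below is an added example and is not part of the Red Hat article. It shows the intended use of the find/awk pipeline quoted above: the pipeline is run in a shell so that only its output (one "-a always,exit ..." line per setuid file) lands in a rules file, and it adds a small lint that flags any line in a rules.d file that is not blank, a comment, or an audit rule option, so a shell command pasted into a rules file by mistake is caught before augenrules or auditctl ever loads it. The function names and paths are this example's own; it writes with ">" rather than the article's ">>" so that repeated runs do not accumulate duplicate rules.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Function names and
# paths are this example's own.

# gen_priv_rules DIR OUTFILE
# Runs the article's find | awk pipeline over DIR and writes one
# "-a always,exit ..." rule per file with the setuid bit (-perm -04000).
# As in the article, awk's $1 assumes paths without whitespace.
gen_priv_rules() {
    dir=$1
    out=$2
    find "$dir" -type f -perm -04000 2>/dev/null |
        awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' > "$out"
}

# check_rules_file FILE
# Returns 0 when every non-blank, non-comment line starts with "-"
# (an audit rule option such as -a, -w, -D, -e, -b). Prints and
# returns 1 for anything else, e.g. a "find ... | awk ..." pipeline
# that was pasted into the rules file instead of its output.
check_rules_file() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|-*) ;;    # blank, comment, or rule option: fine
            *) printf 'not an audit rule: %s\n' "$line" >&2; bad=1 ;;
        esac
    done < "$file"
    return $bad
}
```

Run `gen_priv_rules /usr/bin /etc/audit/rules.d/priv.rules` (and again for /usr/sbin, writing to a second file or appending) from a shell rather than placing the command in a rules file, then `check_rules_file` on each file under /etc/audit/rules.d before `augenrules --load`. The lint is deliberately coarse: it does not validate rule fields, only rejects lines that cannot be audit rules at all.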

Environment

  • Red Hat Enterprise Linux 8.2 and newer
  • audit
