
Possible memory leak in auparse

Open dimv36 opened this issue 4 months ago • 2 comments

Hi,

It seems I found a memory leak when fuzzing the auparse library.

Audit package built with -g -O0 -fsanitize=address

To reproduce it, I used the code in #488

Building binary: gcc -o fuzz-auparse -g -O0 -fsanitize=address ./fuzz-auparse.c -lauparse -laudit

To reproduce, please build it and use the attached log: ./fuzz <path-to-log>

This caused the following stack trace:

```
==329974==ERROR: AddressSanitizer: BUS on unknown address (pc 0x7ffff7cb9fb8 bp 0x7fffffffcb20 sp 0x7fffffffcac8 T0)
==329974==The signal is caused by a READ memory access.
==329974==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x7ffff7cb9fb8 in __memchr_sse2 string/../sysdeps/x86_64/multiarch/memchr-sse2.S:64
    #1 0x7ffff7c86cc3 in getdelim libio/iogetdelim.c:89:20
    #2 0x5555555de377 in getline (/home/senserk/fuzzing/auparse/target_2/fuzz_auparse+0x8a377) (BuildId: 4cbaad592aca64f0a83f45a8e8a8c42fe4d13dd2)
    #3 0x55555567a957 in readline_file /home/senserk/src/audit-3.1.2/auparse/auparse.c:1076:12
    #4 0x5555556787ab in retrieve_next_line /home/senserk/src/audit-3.1.2/auparse/auparse.c:1325:15
    #5 0x5555556715ec in au_auparse_next_event /home/senserk/src/audit-3.1.2/auparse/auparse.c:1536:8
    #6 0x555555670394 in auparse_next_event /home/senserk/src/audit-3.1.2/auparse/auparse.c:1677:9
    #7 0x555555667b61 in fuzz_auparse /home/senserk/fuzzing/auparse/target_2/fuzz_auparse.c:23:12
    #8 0x555555668489 in main /home/senserk/fuzzing/auparse/target_2/fuzz_auparse.c:113:5
    #9 0x7ffff7c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7ffff7c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x55555558e5d4 in _start (/home/senserk/fuzzing/auparse/target_2/fuzz_auparse+0x3a5d4) (BuildId: 4cbaad592aca64f0a83f45a8e8a8c42fe4d13dd2)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS string/../sysdeps/x86_64/multiarch/memchr-sse2.S:64 in __memchr_sse2
==329974==ABORTING
```

Found by Linux Verification Center (linuxtesting.org) with SVACE.

audit.log

dimv36 avatar Sep 18 '25 09:09 dimv36

Probably the log is missing a newline and getline runs off the end. It uses memchr to look for newline. I used to fuzz the logs. But I realized hardening it is actually slowing down parsing valid logs which is normally what people have.

stevegrubb avatar Sep 18 '25 17:09 stevegrubb
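A small check that goes with the missing-newline hypothesis above. This is an added example, not code from auparse or from either commenter: it reads a constructed two-record log with getline() the way readline_file does, tolerates a final record that has no trailing newline, and reports how many such records it saw, so a log can be inspected under ASan before the full parser is involved. The record format (`type=... msg=audit(...)`) and the struct and function names are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample log: two records, the second deliberately lacks a trailing '\n'. */
static const char SAMPLE_LOG[] =
    "type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 success=yes\n"
    "type=EXECVE msg=audit(1700000000.123:42): argc=1 a0=\"/bin/true\"";

struct log_stats {
    int records;       /* lines returned by getline() */
    int unterminated;  /* lines with no '\n' (only the last line should ever count) */
    int malformed;     /* lines that do not start with "type=" */
};

/* Read the log line by line with getline(); never assume the buffer ends in '\n'. */
int scan_audit_log(FILE *f, struct log_stats *st)
{
    char *line = NULL;
    size_t cap = 0;
    ssize_t n;

    memset(st, 0, sizeof *st);
    while ((n = getline(&line, &cap, f)) != -1) {
        st->records++;
        if (n == 0 || line[n - 1] != '\n')
            st->unterminated++;   /* last record without newline: still a valid read */
        else
            line[n - 1] = '\0';   /* strip the newline before looking at the record */
        if (strncmp(line, "type=", 5) != 0)
            st->malformed++;
    }
    free(line);  /* getline()'s buffer outlives the loop; freeing it avoids a leak under ASan */
    return ferror(f) ? -1 : 0;
}

/* Run the scan over the in-memory sample via fmemopen(); returns 0 on success. */
int scan_sample(struct log_stats *st)
{
    FILE *f = fmemopen((void *)SAMPLE_LOG, sizeof SAMPLE_LOG - 1, "r");
    if (!f)
        return -1;
    int rc = scan_audit_log(f, st);
    fclose(f);
    return rc;
}

int main(void)
{
    struct log_stats st;
    if (scan_sample(&st) != 0)
        return 1;
    printf("records=%d unterminated=%d malformed=%d\n", st.records, st.unterminated, st.malformed);
    return 0;
}
```

Point scan_audit_log at the attached audit.log instead of the sample to see whether its last record is unterminated; an unterminated count greater than one means a record contains a stray NUL or the file was truncated mid-stream.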

So, do you think that this is not an error at all?

dimv36 avatar Sep 23 '25 06:09 dimv36