Created attachment 237300
auditreduce input that causes a segmentation fault in free()

au_read_rec() in /usr/src/contrib/openbsm/libbsm/bsm_io.c says:

    *buf = malloc(recsize);
    ...;
    free(buf);

The free(buf) should be free(*buf).

I've attached a demo:

    % auditreduce < auditreduce1a.dat
    Segmentation fault

    Thread 2.1 received signal SIGSEGV, Segmentation fault.
    Address not mapped to object.
    [Switching to LWP 100451 of process 16127]
    0x000000080120ad11 in ?? () from /lib/libc.so.7
    (gdb) where
    #0  0x000000080120ad11 in ?? () from /lib/libc.so.7
    #1  0x0000000801084680 in au_read_rec (fp=0x80127c6c0, buf=0x7fffffffde28) at /usr/src/contrib/openbsm/libbsm/bsm_io.c:4600
    #2  0x0000000001024851 in select_records (fp=0x80127c6c0) at /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c:532
    #3  0x0000000001024384 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c:829

This is on 13.1-RELEASE-p2 as well as a recent CURRENT.
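As an added illustration (not OpenBSM's code and not part of the report), here is a minimal record reader with the same shape as au_read_rec: read a header, allocate *buf, read the body, and on a short read release the allocation. The backtrace's buf=0x7fffffffde28 is a stack address, which is why free(buf) faulted; the corrected path frees *buf and nulls it. The record layout, the function names and the sample bytes below are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Assumed layout (illustrative, not OpenBSM's): 1-byte type, 4-byte
 * big-endian record size counting the whole record, then recsize - 5 bytes. */
#define REC_HDR_LEN 5u
/* Reads one record into a freshly malloc'd *buf.  Returns recsize, or -1 on
 * failure with *buf left NULL so the caller never holds a dangling pointer. */
int read_rec(FILE *fp, unsigned char **buf)
{
    unsigned char hdr[REC_HDR_LEN];
    uint32_t recsize;
    *buf = NULL;
    if (fread(hdr, 1, REC_HDR_LEN, fp) < REC_HDR_LEN)
        return -1;
    recsize = ((uint32_t)hdr[1] << 24) | ((uint32_t)hdr[2] << 16) |
              ((uint32_t)hdr[3] << 8) | (uint32_t)hdr[4];
    if (recsize < REC_HDR_LEN || recsize > INT32_MAX) /* must cover its header */
        return -1;
    if ((*buf = malloc(recsize)) == NULL)
        return -1;
    memcpy(*buf, hdr, REC_HDR_LEN);
    if (fread(*buf + REC_HDR_LEN, 1, recsize - REC_HDR_LEN, fp) < recsize - REC_HDR_LEN) {
        /* The PR's bug was free(buf) here: buf is the address of the caller's
         * pointer variable (on the stack), not the heap block.  The block is *buf. */
        free(*buf);
        *buf = NULL;
        return -1;
    }
    return (int)recsize;
}
/* Test helper: feeds len bytes through a temporary FILE and returns the read
 * result, or -2 if a failed read left *buf non-NULL (the dangling case). */
int try_rec(const unsigned char *data, size_t len)
{
    unsigned char *buf = NULL;
    FILE *fp = tmpfile();
    int r = -1;
    if (fp != NULL && fwrite(data, 1, len, fp) == len) {
        rewind(fp);
        r = read_rec(fp, &buf);
    }
    if (fp != NULL) fclose(fp);
    if (r < 0 && buf != NULL) r = -2;
    free(buf);
    return r;
}
/* Constructed samples: a complete 8-byte record, and one whose size field (2)
 * cannot even cover its own header. */
const unsigned char GOOD_REC[8] = {0x14, 0, 0, 0, 8, 0xAA, 0xBB, 0xCC};
const unsigned char BAD_SIZE_REC[5] = {0x14, 0, 0, 0, 2};
```

Feeding only the first 7 bytes of GOOD_REC reproduces the short-read path the PR hit; with the fix it returns -1 and leaves *buf NULL instead of crashing in free().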
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c61b3f7de9a0a39d2bc78e3e78d148c369e706a5

commit c61b3f7de9a0a39d2bc78e3e78d148c369e706a5
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-10-24 13:45:59 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-24 13:49:30 +0000

    OpenBSM: fix free() in au_read_rec error case

    buf is a char ** and *buf is the allocated buffer.

    PR:             267050
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation

 contrib/openbsm/libbsm/bsm_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=889dcb5e9b2ff4160c313b31cfa53106af2a5b0c

commit 889dcb5e9b2ff4160c313b31cfa53106af2a5b0c
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-10-24 13:45:59 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-27 00:24:07 +0000

    OpenBSM: fix free() in au_read_rec error case

    buf is a char ** and *buf is the allocated buffer.

    PR:             267050
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c61b3f7de9a0a39d2bc78e3e78d148c369e706a5)

 contrib/openbsm/libbsm/bsm_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2b25564af6f9d1303fb92b8dfd3a36f5d7fc3c34

commit 2b25564af6f9d1303fb92b8dfd3a36f5d7fc3c34
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-10-24 13:45:59 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-27 00:25:33 +0000

    OpenBSM: fix free() in au_read_rec error case

    buf is a char ** and *buf is the allocated buffer.

    PR:             267050
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c61b3f7de9a0a39d2bc78e3e78d148c369e706a5)
    (cherry picked from commit 889dcb5e9b2ff4160c313b31cfa53106af2a5b0c)

 contrib/openbsm/libbsm/bsm_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch releng/12.4 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=990aa6476eec17339c170ac12f75fc253e8ec4c8

commit 990aa6476eec17339c170ac12f75fc253e8ec4c8
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-10-24 13:45:59 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-31 17:16:28 +0000

    OpenBSM: fix free() in au_read_rec error case

    buf is a char ** and *buf is the allocated buffer.

    PR:             267050
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c61b3f7de9a0a39d2bc78e3e78d148c369e706a5)
    (cherry picked from commit 889dcb5e9b2ff4160c313b31cfa53106af2a5b0c)
    (cherry picked from commit 2b25564af6f9d1303fb92b8dfd3a36f5d7fc3c34)

    Approved by:    re (gjb)

 contrib/openbsm/libbsm/bsm_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)