Embed struct eventlog into struct log_details instead of using a pointer.

millert · millert · commit b48fd11e3945 · 2025-11-11T09:28:48.000-07:00
In some cases we were allocating a new struct eventlog and others just attaching a pointer which did not always persist after the function returns. In practice this was not a problem. The eventlog data in log_details was not being accessed after it went out of scope, but this is brittle and makes analysis difficult. Found by the ZeroPath AI Security Engineer <https://zeropath.com>
diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
@@ -143,6 +143,7 @@ bool eventlog_reject(const struct eventlog *evlog, int flags, const char *reason
 bool eventlog_store_json(struct json_container *jsonc, const struct eventlog *evlog);
 bool eventlog_store_sudo(int event_type, const struct eventlog *evlog, struct sudo_lbuf *lbuf);
 void eventlog_free(struct eventlog *evlog);
+void eventlog_free_contents(struct eventlog *evlog);
 
 /* eventlog_conf.c */
 void eventlog_set_type(int type);
diff --git a/lib/eventlog/eventlog_free.c b/lib/eventlog/eventlog_free.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2020, 2023, 2025 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -34,46 +34,59 @@
  * Free the strings in a struct eventlog.
  */
 void
-eventlog_free(struct eventlog *evlog)
+eventlog_free_contents(struct eventlog *evlog)
 {
     size_t i;
+    debug_decl(eventlog_free_contents, SUDO_DEBUG_UTIL);
+
+    free(evlog->iolog_path);
+    free(evlog->command);
+    free(evlog->cwd);
+    free(evlog->runchroot);
+    free(evlog->runcwd);
+    free(evlog->rungroup);
+    free(evlog->runuser);
+    free(evlog->peeraddr);
+    free(evlog->signal_name);
+    free(evlog->source);
+    if (evlog->submitenv != NULL) {
+	for (i = 0; evlog->submitenv[i] != NULL; i++)
+	    free(evlog->submitenv[i]);
+	free(evlog->submitenv);
+    }
+    free(evlog->submithost);
+    free(evlog->submituser);
+    free(evlog->submitgroup);
+    free(evlog->ttyname);
+    if (evlog->runargv != NULL) {
+	for (i = 0; evlog->runargv[i] != NULL; i++)
+	    free(evlog->runargv[i]);
+	free(evlog->runargv);
+    }
+    if (evlog->runenv != NULL) {
+	for (i = 0; evlog->runenv[i] != NULL; i++)
+	    free(evlog->runenv[i]);
+	free(evlog->runenv);
+    }
+    if (evlog->env_add != NULL) {
+	for (i = 0; evlog->env_add[i] != NULL; i++)
+	    free(evlog->env_add[i]);
+	free(evlog->env_add);
+    }
+
+    debug_return;
+}
+
+/*
+ * Free the strings in a struct eventlog and the eventlog container itself.
+ */
+void
+eventlog_free(struct eventlog *evlog)
+{
     debug_decl(eventlog_free, SUDO_DEBUG_UTIL);
 
     if (evlog != NULL) {
-	free(evlog->iolog_path);
-	free(evlog->command);
-	free(evlog->cwd);
-	free(evlog->runchroot);
-	free(evlog->runcwd);
-	free(evlog->rungroup);
-	free(evlog->runuser);
-	free(evlog->peeraddr);
-	free(evlog->signal_name);
-	free(evlog->source);
-	if (evlog->submitenv != NULL) {
-	    for (i = 0; evlog->submitenv[i] != NULL; i++)
-		free(evlog->submitenv[i]);
-	    free(evlog->submitenv);
-	}
-	free(evlog->submithost);
-	free(evlog->submituser);
-	free(evlog->submitgroup);
-	free(evlog->ttyname);
-	if (evlog->runargv != NULL) {
-	    for (i = 0; evlog->runargv[i] != NULL; i++)
-		free(evlog->runargv[i]);
-	    free(evlog->runargv);
-	}
-	if (evlog->runenv != NULL) {
-	    for (i = 0; evlog->runenv[i] != NULL; i++)
-		free(evlog->runenv[i]);
-	    free(evlog->runenv);
-	}
-	if (evlog->env_add != NULL) {
-	    for (i = 0; evlog->env_add[i] != NULL; i++)
-		free(evlog->env_add[i]);
-	    free(evlog->env_add);
-	}
+	eventlog_free_contents(evlog);
 	free(evlog);
     }
 
diff --git a/plugins/sudoers/audit.c b/plugins/sudoers/audit.c
@@ -241,6 +241,10 @@ audit_to_eventlog(const struct sudoers_context *ctx, struct eventlog *evlog,
 }
 
 #ifdef SUDOERS_LOG_CLIENT
+/*
+ * Persistent audit details and associated event log data used
+ * when opening a new connection to the log server.
+ */
 static struct log_details audit_details;
 
 static void
diff --git a/plugins/sudoers/iolog.c b/plugins/sudoers/iolog.c
@@ -190,16 +190,17 @@ free_iolog_details(void)
 {
     debug_decl(free_iolog_details, SUDOERS_DEBUG_PLUGIN);
 
-    if (iolog_details.evlog != NULL) {
-	/* We only make a shallow copy of argv and envp. */
-	free(iolog_details.evlog->runargv);
-	iolog_details.evlog->runargv = NULL;
-	free(iolog_details.evlog->runenv);
-	iolog_details.evlog->runenv = NULL;
-	free(iolog_details.evlog->submitenv);
-	iolog_details.evlog->submitenv = NULL;
-	eventlog_free(iolog_details.evlog);
-    }
+    /*
+     * We only make a shallow copy of argv and envp.
+     */
+    free(iolog_details.evlog.runargv);
+    iolog_details.evlog.runargv = NULL;
+    free(iolog_details.evlog.runenv);
+    iolog_details.evlog.runenv = NULL;
+    free(iolog_details.evlog.submitenv);
+    iolog_details.evlog.submitenv = NULL;
+    eventlog_free_contents(&iolog_details.evlog);
+
     str_list_free(iolog_details.log_servers);
 #if defined(HAVE_OPENSSL)
     free(iolog_details.ca_bundle);
@@ -290,7 +291,7 @@ iolog_deserialize_info(struct log_details *details, char * const user_info[],
     char * const command_info[], char * const argv[], char * const user_env[])
 {
     const struct sudoers_context *ctx = sudoers_get_context();
-    struct eventlog *evlog;
+    struct eventlog *evlog = &details->evlog;
     const char *runas_uid_str = "0", *runas_euid_str = NULL;
     const char *runas_gid_str = "0", *runas_egid_str = NULL;
     const char *errstr;
@@ -301,10 +302,6 @@ iolog_deserialize_info(struct log_details *details, char * const user_info[],
     id_t id;
     debug_decl(iolog_deserialize_info, SUDOERS_DEBUG_UTIL);
 
-    if ((evlog = calloc(1, sizeof(*evlog))) == NULL)
-	goto oom;
-    details->evlog = evlog;
-
     evlog->lines = 24;
     evlog->columns = 80;
     evlog->runuid = ROOT_UID;
@@ -683,7 +680,7 @@ static int
 sudoers_io_open_local(struct timespec *start_time)
 {
     const struct sudoers_context *ctx = sudoers_get_context();
-    struct eventlog *evlog = iolog_details.evlog;
+    struct eventlog *evlog = &iolog_details.evlog;
     int i;
     debug_decl(sudoers_io_open_local, SUDOERS_DEBUG_PLUGIN);
 
@@ -727,7 +724,7 @@ sudoers_io_open_local(struct timespec *start_time)
     }
 
     /* Write log file with user and command details. */
-    if (!iolog_write_info_file(iolog_dir_fd, iolog_details.evlog)) {
+    if (!iolog_write_info_file(iolog_dir_fd, &iolog_details.evlog)) {
 	log_warningx(ctx, SLOG_SEND_MAIL,
 	    N_("unable to write to I/O log file: %s"), strerror(errno));
 	warned = true;
diff --git a/plugins/sudoers/log_client.c b/plugins/sudoers/log_client.c
@@ -1164,7 +1164,7 @@ fmt_initial_message(struct client_closure *closure)
     switch (closure->state) {
     case SEND_ACCEPT:
 	/* Format and schedule AcceptMessage. */
-	if ((ret = fmt_accept_message(closure, closure->log_details->evlog))) {
+	if ((ret = fmt_accept_message(closure, &closure->log_details->evlog))) {
 	    /*
 	     * Move read/write events back to main sudo event loop.
 	     * Server messages may occur at any time, so no timeout.
@@ -1180,12 +1180,12 @@ fmt_initial_message(struct client_closure *closure)
 	break;
     case SEND_REJECT:
 	/* Format and schedule RejectMessage. */
-	ret = fmt_reject_message(closure, closure->log_details->evlog,
+	ret = fmt_reject_message(closure, &closure->log_details->evlog,
 	    closure->reason);
 	break;
     case SEND_ALERT:
 	/* Format and schedule AlertMessage. */
-	ret = fmt_alert_message(closure, closure->log_details->evlog,
+	ret = fmt_alert_message(closure, &closure->log_details->evlog,
 	    closure->reason);
 	break;
     default:
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
@@ -106,7 +106,7 @@ init_log_details(struct log_details *details, struct eventlog *evlog)
 	debug_return_bool(false);
     }
 
-    details->evlog = evlog;
+    details->evlog = *evlog;
     details->ignore_log_errors = def_ignore_logfile_errors;
     details->log_servers = log_servers;
     details->server_timeout.tv_sec = def_log_server_timeout;
diff --git a/plugins/sudoers/logging.h b/plugins/sudoers/logging.h
@@ -24,7 +24,7 @@
 
 struct sudoers_str_list;
 struct log_details {
-    struct eventlog *evlog;
+    struct eventlog evlog;
     struct sudoers_str_list *log_servers;
     struct timespec server_timeout;
 # if defined(HAVE_OPENSSL)

Original file line number	Diff line number	Diff line change
`@@ -241,6 +241,10 @@ audit_to_eventlog(const struct sudoers_context ctx, struct eventlog evlog,`
`241`	`241`	`}`
`242`	`242`
`243`	`243`	`#ifdef SUDOERS_LOG_CLIENT`
	`244`	`+/*`
	`245`	`+ * Persistent audit details and associated event log data used`
	`246`	`+ * when opening a new connection to the log server.`
	`247`	`+ */`
`244`	`248`	`static struct log_details audit_details;`
`245`	`249`
`246`	`250`	`static void`
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ init_log_details(struct log_details details, struct eventlog evlog)`
`106`	`106`	`debug_return_bool(false);`
`107`	`107`	`}`
`108`	`108`
`109`		`- details->evlog = evlog;`
	`109`	`+ details->evlog = *evlog;`
`110`	`110`	`details->ignore_log_errors = def_ignore_logfile_errors;`
`111`	`111`	`details->log_servers = log_servers;`
`112`	`112`	`details->server_timeout.tv_sec = def_log_server_timeout;`