| field | value | date |
|---|---|---|
| author | Paul Moore <paul@paul-moore.com> | 2016-07-19 17:42:57 -0400 |
| committer | Andreas Blaesius <skate4life@gmx.de> | 2017-05-17 19:25:39 +0200 |
| commit | 23c5ab0316cc88659bbd45c4dcbef826a5416040 | |
| tree | 058e59d427d42b67ba1e058d231bf63b6fa8f654 /net/ax25 | |
| parent | cf9bcb9f9862c16783b98c3c9259fb4452f91a4a | |
audit: fix a double fetch in audit_log_single_execve_arg()

commit 43761473c254b45883a64441dd0bc85a42f3645c upstream.

There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) arguments for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1]. Of course this leaves a window of
opportunity for an unsavory application to munge with the data.

This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
record(s). In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).

As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite; the test can be tracked on
GitHub at the following link:

* https://github.com/linux-audit/audit-testsuite/issues/25

[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.

[2] This is a tiny white lie; we do make a call to strnlen_user()
prior to fetching the argument data. I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation). The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log; we also update it with a trustworthy
value whenever possible.

Change-Id: Ieb4c209810a4958b43bc33f1aa4d89133c032571
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
[bwh: Backported to 3.2:
 - In audit_log_execve_info() various information is retrieved via
   the extra parameter struct audit_aux_data_execve *axi
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
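The bug class the commit message describes, reduced to a user-space C model as an added illustration (not the kernel's code and not part of this commit): user memory is stood in by a struct whose contents a simulated racing thread rewrites right after the first copy, and the "bad character" test and hex encoding are modelled on audit's untrusted-string handling rather than copied from it. The double-fetch shape decides on encoding from one copy and logs another, so an unencoded quote can land inside a quoted record field; the single-fetch shape scans and logs the same bytes.

```c
#include <stdio.h>
#include <string.h>
#define MAXLEN 64
/* Constructed stand-in for user memory. Real user pages can be rewritten by
 * another thread at any moment; here the rewrite is forced deterministically
 * right after the first copy, which is the window the commit closes. */
struct user_mem {
    char data[MAXLEN];   /* what a copy_from_user()-style fetch sees now */
    const char *swap_to; /* what the racing writer stores after fetch #1 */
};
static void fetch_user(char *dst, struct user_mem *um, size_t n) {
    memcpy(dst, um->data, n);
    if (um->swap_to) {   /* racing writer strikes exactly once */
        strncpy(um->data, um->swap_to, MAXLEN - 1);
        um->swap_to = NULL;
    }
}
/* Modelled on audit's untrusted-string rule (assumption, not kernel code):
 * '"', control bytes and anything outside printable ASCII force hex. */
static int needs_hex(const char *s, size_t n) {
    for (size_t i = 0; i < n && s[i]; i++)
        if (s[i] == '"' || (unsigned char)s[i] < 0x21 || (unsigned char)s[i] > 0x7e)
            return 1;
    return 0;
}

static void emit(const char *s, size_t n, int hex, char *out) {
    if (!hex) { sprintf(out, "\"%s\"", s); return; }
    for (size_t i = 0; i < n && s[i]; i++)
        sprintf(out + 2 * i, "%02X", (unsigned char)s[i]);
}

/* Vulnerable shape: decide encoding on fetch #1, log the bytes of fetch #2. */
void log_arg_double_fetch(struct user_mem *um, char *out) {
    char buf[MAXLEN] = {0};
    size_t n = strlen(um->data) + 1;     /* strnlen_user()-style length */
    fetch_user(buf, um, n);
    int hex = needs_hex(buf, n);
    fetch_user(buf, um, n);              /* may now hold different bytes */
    emit(buf, n, hex, out);
}

/* Fixed shape: fetch once; scan and log the very same buffer. */
void log_arg_single_fetch(struct user_mem *um, char *out) {
    char buf[MAXLEN] = {0};
    size_t n = strlen(um->data) + 1;
    fetch_user(buf, um, n);
    emit(buf, n, needs_hex(buf, n), out);
}
```

With the constructed inputs, the double-fetch path logs `"a"c"` (a raw quote inside a quoted field), while the single-fetch path logs `"abc"`, and an argument that already contains a quote is hex-encoded as `612263`.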
Diffstat (limited to 'net/ax25')
0 files changed, 0 insertions, 0 deletions