Re: [RFC][PATCH 3/3] audit: Audit proc cmdline value

From: William Roberts
Date: Mon Jan 06 2014 - 12:30:37 EST


On Mon, Jan 6, 2014 at 9:08 AM, Mateusz Guzik <mguzik@xxxxxxxxxx> wrote:
> I can't comment on the concept, but have one nit.

FYI: The concept is something that has been in the works and at least ackd on
by the current maintainer of audit:
http://marc.info/?l=linux-kernel&m=138660320704580&w=2

>
> On Mon, Jan 06, 2014 at 07:30:30AM -0800, William Roberts wrote:
>> +static void audit_log_cmdline(struct audit_buffer *ab, struct task_struct *tsk,
>> + struct audit_context *context)
>> +{
>> + int res;
>> + char *buf;
>> + char *msg = "(null)";
>> + audit_log_format(ab, " cmdline=");
>> +
>> + /* Not cached */
>> + if (!context->cmdline) {
>> + buf = kmalloc(PATH_MAX, GFP_KERNEL);
>> + if (!buf)
>> + goto out;
>> + res = get_cmdline(tsk, buf, PATH_MAX);
>> + /* Ensure NULL terminated */
>> + if (buf[res-1] != '\0')
>> + buf[res-1] = '\0';
>
> This accesses memory below the buffer if get_cmdline returned 0, which I
> believe will be the case when someone jokingly unmaps the area (all
> maybe when it is swapped out but can't be swapped in due to I/O errors).
>

Yeah that's not a nit, that's a serious issue and I will correct. Thanks.

> Also since you are just putting 0 in there anyway I don't see much point
> in testing for it.
>
>> + context->cmdline = buf;
>> + }
>> + msg = context->cmdline;
>> +out:
>> + audit_log_untrustedstring(ab, msg);
>> +}
>> +
>
>
>
> --
> Mateusz Guzik



--
Respectfully,

William C Roberts
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/