From: Eric Paris <eparis@redhat.com>
To: Klaus Weidner <klaus@atsec.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] fix broken class-based syscall audit
Date: Mon, 14 May 2007 16:47:29 -0400 [thread overview]
Message-ID: <1179175649.3964.5.camel@localhost.localdomain> (raw)
In-Reply-To: <20070514155608.GB11536@w-m-p.com>
On Mon, 2007-05-14 at 10:56 -0500, Klaus Weidner wrote:
> On Mon, May 14, 2007 at 05:51:50PM +0200, Marcus Meissner wrote:
> > On Mon, May 14, 2007 at 10:46:36AM -0500, Klaus Weidner wrote:
> > > The sanity check in audit_match_class() is wrong, AUDIT_BITMASK_SIZE is
> > > 64, providing space for 2048 syscalls in 64 * 32bit integers. The
> > > comparison only supports 256 syscalls (sizeof __u32 is 4), and silently
> > > returns "no match" for valid higher-numbered syscalls.
> [...]
> > > --- linux-2.6.18.i686/kernel/auditfilter.c.lspp.80 2007-05-11 17:06:08.000000000 -0500
> > > +++ linux-2.6.18.i686/kernel/auditfilter.c 2007-05-11 17:09:37.000000000 -0500
> > > @@ -306,7 +306,7 @@
> > >
> > > int audit_match_class(int class, unsigned syscall)
> > > {
> > > - if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32)))
> > > + if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
> > > return 0;
> > > if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
> > > return 0;
> >
> > You likely need to fix audit_register_class() if this is true.
>
> I don't see a problem in audit_register_class() - it correctly uses
> sizeof(__u32) for allocating the memory since that's counted in bytes,
> only the comparison needs to count bits.
If that's the problem wouldn't we be better to use sizeof(__u32) *8
rather than hard code the 32 in there? (sidebar: is it portable to
assume sizeof() returns bytes and *8 is the right way to go on all
archs?) That would make it easier to do u32 search/replace in the
future if we ever have to grow this stuff....
-Eric
next prev parent reply other threads:[~2007-05-14 20:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-14 15:46 [PATCH] fix broken class-based syscall audit Klaus Weidner
2007-05-14 15:51 ` Marcus Meissner
2007-05-14 15:56 ` Klaus Weidner
2007-05-14 20:47 ` Eric Paris [this message]
2007-05-14 21:32 ` Klaus Weidner
2007-05-15 14:14 ` Alexander Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1179175649.3964.5.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=klaus@atsec.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.