[PATCH 1/2] audit: fix NUL handling in untrusted strings

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Miloslav Trmač" <mitr@redhat.com>
To: viro@zeniv.linux.org.uk, Eric Paris <eparis@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: [PATCH 1/2] audit: fix NUL handling in untrusted strings
Date: Thu, 11 Sep 2008 00:23:38 +0200	[thread overview]
Message-ID: <1221085418.2705.19.camel@amilo> (raw)

From: Miloslav Trmac <mitr@redhat.com>

audit_string_contains_control() stops checking at the first NUL byte.
If audit_string_contains_control() returns FALSE,
audit_log_n_untrustedstring() submits the complete string - including
the NUL byte and all following bytes, up to the specified maximum length
- to audit_log_n_string(), which copies the data unchanged into the
audit record.

The audit record can thus contain a NUL byte (and some unchecked data
after that).  Because the user-space audit daemon treats audit records
as NUL-terminated strings, an untrusted string that is shorter than the
specified maximum length effectively terminates the audit record.

This patch modifies audit_log_n_untrustedstring() to only log the data
before the first NUL byte, if any.

Signed-off-by: Miloslav Trmac <mitr@redhat.com>
--- 
kernel/audit.c |   21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 4414e93..03b6397 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1362,6 +1362,12 @@ void audit_log_n_string(struct audit_buffer *ab, const char *string,
 	skb_put(skb, slen + 2);	/* don't include null terminator */
 }
 
+static inline int
+audit_is_control_character(unsigned char c)
+{
+	return c == '"' || c < 0x21 || c > 0x7E;
+}
+
 /**
  * audit_string_contains_control - does a string need to be logged in hex
  * @string: string to be checked
@@ -1371,7 +1377,7 @@ int audit_string_contains_control(const char *string, size_t len)
 {
 	const unsigned char *p;
 	for (p = string; p < (const unsigned char *)string + len && *p; p++) {
-		if (*p == '"' || *p < 0x21 || *p > 0x7e)
+		if (audit_is_control_character(*p))
 			return 1;
 	}
 	return 0;
@@ -1394,10 +1400,15 @@ int audit_string_contains_control(const char *string, size_t len)
 void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string,
 				 size_t len)
 {
-	if (audit_string_contains_control(string, len))
-		audit_log_n_hex(ab, string, len);
-	else
-		audit_log_n_string(ab, string, len);
+	const unsigned char *p;
+
+	for (p = string; p < (const unsigned char *)string + len && *p; p++) {
+		if (audit_is_control_character(*p)) {
+			audit_log_n_hex(ab, string, len);
+			return;
+		}
+	}
+	audit_log_n_string(ab, string, p - (const unsigned char *)string);
 }
 
 /**

next             reply	other threads:[~2008-09-10 22:23 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-10 22:23 Miloslav Trmač [this message]
2008-09-11 14:25 ` [PATCH 1/2] audit: fix NUL handling in untrusted strings Eric Paris
2008-09-11 14:25   ` Eric Paris
2008-09-11 14:43   ` Miloslav Trmač
2008-09-11 14:43     ` Miloslav Trmač
2008-09-11 17:30   ` John Dennis
2008-09-11 18:10     ` Miloslav Trmač
2008-09-11 18:10       ` Miloslav Trmač
2008-09-11 18:15       ` Miloslav Trmač
2008-09-11 19:08       ` Steve Grubb
2008-09-11 19:08         ` Steve Grubb
2008-09-11 19:19         ` John Dennis
2008-09-11 19:12       ` John Dennis
2008-09-11 19:27         ` Miloslav Trmač
2008-09-11 19:27           ` Miloslav Trmač
2008-09-11 19:47           ` John Dennis
2008-09-11 20:03             ` Miloslav Trmač
2008-09-11 20:03               ` Miloslav Trmač
2008-09-11 19:14 ` Andrew Morton
2008-09-11 19:14   ` Andrew Morton
2008-09-11 19:37   ` Miloslav Trmač
2008-09-11 19:37     ` Miloslav Trmač

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:4414e93 dfblob:03b6397 )
 OR (
bs:"[PATCH 1/2] audit: fix NUL handling in untrusted strings" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1221085418.2705.19.camel@amilo \
    --to=mitr@redhat.com \
    --cc=eparis@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.