From: Eric Paris <eparis@redhat.com>
To: "Miloslav Trmač" <mitr@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>,
viro@zeniv.linux.org.uk,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] audit: fix NUL handling in untrusted strings
Date: Thu, 11 Sep 2008 10:25:13 -0400 [thread overview]
Message-ID: <1221143113.2992.9.camel@localhost.localdomain> (raw)
In-Reply-To: <1221085418.2705.19.camel@amilo>
On Thu, 2008-09-11 at 00:23 +0200, Miloslav Trmač wrote:
> From: Miloslav Trmac <mitr@redhat.com>
>
> audit_string_contains_control() stops checking at the first NUL byte.
> If audit_string_contains_control() returns FALSE,
> audit_log_n_untrustedstring() submits the complete string - including
> the NUL byte and all following bytes, up to the specified maximum length
> - to audit_log_n_string(), which copies the data unchanged into the
> audit record.
>
> The audit record can thus contain a NUL byte (and some unchecked data
> after that). Because the user-space audit daemon treats audit records
> as NUL-terminated strings, an untrusted string that is shorter than the
> specified maximum length effectively terminates the audit record.
>
> This patch modifies audit_log_n_untrustedstring() to only log the data
> before the first NUL byte, if any.
I'm going to have to say NAK on this patch.
It's still not right looking at the other user,
audit_log_single_execve_arg(). An execve arg with a NULL could loose
the stuff after the NULL (not break the record like audit_tty) since the
execve uses %s rather than calling trusted string.
How about we change the meaning of audit_string_contains_control()
return values? If it returns positive that is the number of bytes in a
legitimate string up to the first null. -1 means it is hex. That
eliminates your code duplication and allows us to do the right thing in
both the generic untrusted_string code and the execve code.....
-Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Paris <eparis@redhat.com>
To: "Miloslav Trmač" <mitr@redhat.com>
Cc: viro@zeniv.linux.org.uk, linux-audit <linux-audit@redhat.com>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] audit: fix NUL handling in untrusted strings
Date: Thu, 11 Sep 2008 10:25:13 -0400 [thread overview]
Message-ID: <1221143113.2992.9.camel@localhost.localdomain> (raw)
In-Reply-To: <1221085418.2705.19.camel@amilo>
On Thu, 2008-09-11 at 00:23 +0200, Miloslav Trmač wrote:
> From: Miloslav Trmac <mitr@redhat.com>
>
> audit_string_contains_control() stops checking at the first NUL byte.
> If audit_string_contains_control() returns FALSE,
> audit_log_n_untrustedstring() submits the complete string - including
> the NUL byte and all following bytes, up to the specified maximum length
> - to audit_log_n_string(), which copies the data unchanged into the
> audit record.
>
> The audit record can thus contain a NUL byte (and some unchecked data
> after that). Because the user-space audit daemon treats audit records
> as NUL-terminated strings, an untrusted string that is shorter than the
> specified maximum length effectively terminates the audit record.
>
> This patch modifies audit_log_n_untrustedstring() to only log the data
> before the first NUL byte, if any.
I'm going to have to say NAK on this patch.
It's still not right looking at the other user,
audit_log_single_execve_arg(). An execve arg with a NULL could loose
the stuff after the NULL (not break the record like audit_tty) since the
execve uses %s rather than calling trusted string.
How about we change the meaning of audit_string_contains_control()
return values? If it returns positive that is the number of bytes in a
legitimate string up to the first null. -1 means it is hex. That
eliminates your code duplication and allows us to do the right thing in
both the generic untrusted_string code and the execve code.....
-Eric
next prev parent reply other threads:[~2008-09-11 14:25 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-10 22:23 [PATCH 1/2] audit: fix NUL handling in untrusted strings Miloslav Trmač
2008-09-11 14:25 ` Eric Paris [this message]
2008-09-11 14:25 ` Eric Paris
2008-09-11 14:43 ` Miloslav Trmač
2008-09-11 14:43 ` Miloslav Trmač
2008-09-11 17:30 ` John Dennis
2008-09-11 18:10 ` Miloslav Trmač
2008-09-11 18:10 ` Miloslav Trmač
2008-09-11 18:15 ` Miloslav Trmač
2008-09-11 19:08 ` Steve Grubb
2008-09-11 19:08 ` Steve Grubb
2008-09-11 19:19 ` John Dennis
2008-09-11 19:12 ` John Dennis
2008-09-11 19:27 ` Miloslav Trmač
2008-09-11 19:27 ` Miloslav Trmač
2008-09-11 19:47 ` John Dennis
2008-09-11 20:03 ` Miloslav Trmač
2008-09-11 20:03 ` Miloslav Trmač
2008-09-11 19:14 ` Andrew Morton
2008-09-11 19:14 ` Andrew Morton
2008-09-11 19:37 ` Miloslav Trmač
2008-09-11 19:37 ` Miloslav Trmač
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1221143113.2992.9.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mitr@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.