From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Andy Lutomirski <luto@amacapital.net>
Subject: Re: [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking
Date: Thu, 29 May 2014 09:04:06 -0400 [thread overview]
Message-ID: <1620328.Obz62LKxQC@x2> (raw)
In-Reply-To: <1401331437.13555.38.camel@localhost>
On Wednesday, May 28, 2014 10:43:57 PM Eric Paris wrote:
> On Wed, 2014-05-28 at 19:27 -0700, Andy Lutomirski wrote:
> > On Wed, May 28, 2014 at 7:23 PM, Eric Paris <eparis@redhat.com> wrote:
> > > On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> > >> Fixes an easy DoS and possible information disclosure.
> > >>
> > >> This does nothing about the broken state of x32 auditing.
> > >>
> > >> Cc: stable@vger.kernel.org
> > >> Signed-off-by: Andy Lutomirski <luto@amacapital.net>
> > >> ---
> > >>
> > >> kernel/auditsc.c | 27 ++++++++++++++++++---------
> > >> 1 file changed, 18 insertions(+), 9 deletions(-)
> > >>
> > >> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > >> index f251a5e..7ccd9db 100644
> > >> --- a/kernel/auditsc.c
> > >> +++ b/kernel/auditsc.c
> > >> @@ -728,6 +728,22 @@ static enum audit_state audit_filter_task(struct
> > >> task_struct *tsk, char **key)> >>
> > >> return AUDIT_BUILD_CONTEXT;
> > >> }
> > >>
> > >> +static bool audit_in_mask(const struct audit_krule *rule, unsigned
> > >> long val) +{
> > >> + int word, bit;
> > >> +
> > >> + if (val > 0xffffffff)
> > >> + return false;
> > >
> > > Why is this necessary?
> >
> > To avoid an integer overflow. Admittedly, this particular overflow
> > won't cause a crash, but it will cause incorrect results.
So, what is the effect of this patch? Does it hide the syscall from the audit
system? Does it fail the syscall?
> You know this code pre-dates git? I admit, I'm shocked no one ever
> noticed it before! This is ANCIENT. And clearly broken.
>
> I'll likely ask Richard to add a WARN_ONCE() in both this place, and
> below in word > AUDIT_BITMASK_SIZE so we might know if we ever need a
> larger bitmask to store syscall numbers....
We need absolute guarantees. Either its auditable or prevented - always.
-Steve
next prev parent reply other threads:[~2014-05-29 13:04 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-29 1:43 [PATCH v2 0/2] Fix auditsc DoS and mark it BROKEN Andy Lutomirski
2014-05-29 1:44 ` [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking Andy Lutomirski
2014-05-29 2:23 ` Eric Paris
2014-05-29 2:27 ` Andy Lutomirski
2014-05-29 2:43 ` Eric Paris
2014-05-29 2:46 ` Andy Lutomirski
2014-05-29 13:04 ` Steve Grubb [this message]
2014-07-08 19:37 ` Richard Guy Briggs
2014-05-29 1:44 ` [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text Andy Lutomirski
2014-05-29 2:09 ` Eric Paris
2014-05-29 2:40 ` Andy Lutomirski
2014-05-29 2:54 ` Eric Paris
2014-05-29 3:01 ` Andy Lutomirski
2014-05-29 13:05 ` Steve Grubb
2014-05-29 16:04 ` Andy Lutomirski
2014-05-29 16:25 ` Steve Grubb
2014-05-29 16:25 ` Steve Grubb
2014-05-29 16:46 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1620328.Obz62LKxQC@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=luto@amacapital.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.