From: Alexander Viro
Subject: Re: [PATCH] Reporting file descriptors and exec args
Date: Tue, 12 Sep 2006 17:31:02 -0400
Message-ID: <20060912213102.GM4144@devserv.devel.redhat.com>
To: "John D. Ramsdell"
Cc: bsniffen@mitre.org, Linux Audit
List-Id: linux-audit@redhat.com

On Tue, Sep 12, 2006 at 04:49:47PM -0400, John D. Ramsdell wrote:
> +static const char *elide(const char *str)
> +{
> + static char buf[1025];
> +
> + if (strnlen(str, 1025) >= 1025) {
> + memcpy(buf, str, 1021);
> + buf[1021] = '.';
> + buf[1022] = '.';
> + buf[1023] = '.';
> + buf[1024] = '\0';
> + return buf;
> + }
> +
> + return str;
> +}

... serialized by...?

> static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
> {
> int i;
> @@ -820,6 +851,16 @@ static void audit_log_exit(struct audit_
> audit_log_format(ab, " success=%s exit=%ld",
> (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
> context->return_code);
> +
> + switch (context->major) {
> + case __NR_open:
> + audit_log_format(ab, " filename=");
> + audit_log_untrustedstring(ab,
> + elide((const char *)context->argv[0]));

Oh, lovely. So let me see if I've got it right - now anybody can trigger reading from any location in kernel memory. Including iomem. Or not mapped address range - less interesting (oops instead of mangling hardware), but easier to guess.

BTW, you still have problem with __NR_open on biarch targets...
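Review bot: elide() returns a pointer into `static char buf[1025]`, and nothing in the hunk takes a lock or otherwise serializes callers, so two tasks reaching audit_log_exit() at the same time can overwrite each other's truncated string between the memcpy() and the point where the result is consumed. Have the caller supply the buffer (on its stack or in the audit context), or drop the helper and do the length cap where the string is written into the audit buffer. The function also returns either `buf` or the original `str`, so the lifetime of the returned pointer depends on which branch ran; a comment stating that would help if the helper stays.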
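Review bot: in the `case __NR_open:` arm, `context->argv[0]` is cast straight to `const char *` and passed to elide(), which calls strnlen() and memcpy() on it as if it were a kernel pointer. That value is the raw first syscall argument, chosen by the calling process, so the kernel ends up dereferencing an unvalidated address during audit logging. The path needs to be copied into a kernel buffer with a user-copy helper such as strncpy_from_user(), with its error return handled, before anything is logged, or the hunk should log a pathname the kernel has already copied in for the syscall. Separately, `switch (context->major)` compares against `__NR_open` without looking at the syscall ABI, so on biarch targets the number can refer to a different call for the other ABI.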