From: Peter Zijlstra
Subject: Re: [patch 058/209] audit: rework execve audit
Date: Fri, 27 Jul 2007 22:44:05 +0200
Message-ID: <1185569045.15205.49.camel@lappy>
References: <200707190848.l6J8mFQf023098@imap1.linux-foundation.org> <200707271613.10753.sgrubb@redhat.com>
In-Reply-To: <200707271613.10753.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com, aaw@google.com
List-Id: linux-audit@redhat.com

On Fri, 2007-07-27 at 16:13 -0400, Steve Grubb wrote:
> I was testing our rawhide kernel and I'm scrolling these errors:

How can I reproduce this? (I once figured out how to enable execve auditing but have since forgotten)

And are you doing more than enabling it? That is, does it auto-magically happen, or are you running some tests?

> WARNING: at kernel/auditsc.c:859 audit_log_execve_info() (Not tainted)
>
> Call Trace:
> [] audit_log_exit+0x5d7/0x964
> [] trace_hardirqs_on+0x12e/0x151
> [] audit_syscall_exit+0x9b/0x300
> [] syscall_trace_leave+0x2c/0x87
> [] int_very_careful+0x3a/0x43
>
>
> > From: Peter Zijlstra
> > diff -puN kernel/auditsc.c~audit-rework-execve-audit kernel/auditsc.c
> > --- a/kernel/auditsc.c~audit-rework-execve-audit
> > +++ a/kernel/auditsc.c
> > @@ -831,6 +831,55 @@ static int audit_log_pid_context(struct > > return rc; > > } > > > > +static void audit_log_execve_info(struct audit_buffer *ab, > > + struct audit_aux_data_execve *axi) > > +{ > > + int i; > > + long len, ret; > > + const char __user *p = (const char __user *)axi->mm->arg_start; > > + char *buf; > > + > > + if (axi->mm != current->mm) > > + return; /* execve failed, no additional info */ > > + > > + for (i = 0; i < axi->argc; i++, p += len) { > > + len = strnlen_user(p, MAX_ARG_PAGES*PAGE_SIZE); > > + /* > > + * We just created this mm, if we can't find the strings > > + * we just copied into it something is _very_ wrong. Similar > > + * for strings that are too long, we should not have created > > + * any. > > + */ > > + if (!len || len > MAX_ARG_STRLEN) { > > + WARN_ON(1); > > + send_sig(SIGKILL, current, 0); > > + } > > Which is right here ^^^ > > Any ideas? Not from the top of my head, like the comment suggests, its not supposed to happen :-(. It would be interesting to know if i == 0, if so that would suggest arg_start is fuzzed, if not something else has gone south.
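Review bot: the error path inside the argv loop of this hunk has no early exit. After `WARN_ON(1); send_sig(SIGKILL, current, 0);` control falls through to the loop increment `p += len`, so when strnlen_user() returned 0 the next iteration re-examines the same user pointer, and when it returned more than MAX_ARG_STRLEN the oversized length is carried on into whatever the rest of the function does with it. A `return` (or `break`) directly after the send_sig() call would bound that. Since the warning at kernel/auditsc.c:859 is exactly the one being reported here, printing `i`, `axi->argc` and `len` alongside it would also answer the `i == 0` question without a further round trip.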