public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed
From: Eric Paris <eparis@redhat.com>
To: linux-audit@redhat.com
Cc: mchouque@free.fr, linux-kernel@vger.kernel.org
Subject: [PATCH 2/3] Audit: break a large single execve argument into smaller records
Date: Mon, 08 Oct 2007 17:34:04 -0400	[thread overview]
Message-ID: <1191879244.3132.42.camel@localhost.localdomain> (raw)

    support single arguments that are large, not just large lists of execve args.
    This also means we never have to get a kernel buffer larger than
    MAX_EXECVE_AUDIT_LEN no matter how large the argument is.  Before this patch
    we could need to allocate 32 consecutive pages to hold one argument which could
    pretty easily oom.
    
    a single argument larger than MAX_EXECVE_AUDIT_LEN is broken into multiple
    records and have a format like   a10[0] a10[1] a10[2] etc.
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
---

example audit log (about 50k long) for the whole patch series can be
found at http://people.redhat.com/~eparis/audit/audit.log the execve in
question was something like:

program_name [about 50 arguments] [one argument which is about 17k long] [about 1000 arguments]

 kernel/auditsc.c |   42 +++++++++++++++++++++++++++++++++++++++++
 1 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4176db6..ffc8d4b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -853,6 +853,48 @@ static void audit_log_execve_info(struct audit_context *context,
 			send_sig(SIGKILL, current, 0);
 		}
 
+		if (unlikely(len > MAX_EXECVE_AUDIT_LEN)) {
+			/* deal with single arugments > MAX_EXECVE_AUDIT_LEN */
+			int j;
+			const long tmplen = sizeof(char) * MAX_EXECVE_AUDIT_LEN;
+
+			buf = kmalloc(tmplen + 1, GFP_KERNEL);
+			if (!buf) {
+				audit_panic("out of memory for argv string\n");
+				return;
+			}
+			buf[tmplen] = '\0';
+			for (j = 0; len > 0; j++) {
+				if (len > tmplen) {
+					ret = copy_from_user(buf, p, tmplen);
+					p += tmplen;
+					len -= tmplen;
+				} else {
+					ret = copy_from_user(buf, p, len);
+					/* p is at the next arg */
+					p += len;
+					/* 27 is the max length of a%d[%d] */
+					len_sent = len + 27;
+					len  = 0;
+				}
+				if (ret) {
+					WARN_ON(1);
+					send_sig(SIGKILL, current, 0);
+				}
+				audit_log_end(*ab);
+				*ab = audit_log_start(context, GFP_KERNEL,
+						      AUDIT_EXECVE);
+				if (!*ab) {
+					kfree(buf);
+					return;
+				}
+				audit_log_format(*ab, "a%d[%d]=", i, j);
+				audit_log_untrustedstring(*ab, buf);
+				audit_log_format(*ab, "\n");
+			}
+			continue;
+		}
+
 		buf = kmalloc(len, GFP_KERNEL);
 		if (!buf) {
 			audit_panic("out of memory for argv string\n");

                 reply	other threads:[~2007-10-08 21:34 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1191879244.3132.42.camel@localhost.localdomain \
    --to=eparis@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mchouque@free.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox