From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Paris <eparis@redhat.com>
Subject: Re: the format string of printf to print audit status is wrong
Date: Thu, 31 Jul 2008 09:07:30 -0400
Message-ID: <1217509651.2902.86.camel@localhost.localdomain>
References: <489148A4.3050807@cn.fujitsu.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <489148A4.3050807@cn.fujitsu.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Yu Zhiguo <yuzg@cn.fujitsu.com>
Cc: audit-list <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Thu, 2008-07-31 at 13:07 +0800, Yu Zhiguo wrote:
> Hello Steve,
> 
>   all audit status's type is __u32, so '%u' should be used
> in format string of printf rather than '%d', otherwise the
> value outputted to user will be wraparound.
> 
>   For example:
>   # auditctl -r 4294967295
>   AUDIT_STATUS: enabled=1 flag=1 pid=8999 rate_limit=-1 backlog_limit=320 
> lost=2241 backlog=0
> 
> but it should be
>   # auditctl -r 4294967295
>   AUDIT_STATUS: enabled=1 flag=1 pid=8999 rate_limit=4294967295 
> backlog_limit=320 lost=2270 backlog=0
> 
> 
>   This is the patch. Can you apply it?
> 
> Signed-off-by: Yu Zhiguo<yuzg@cn.fujitsu.com>
> ---
>   src/auditctl.c |    4 ++--
>   1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/auditctl.c b/src/auditctl.c
> index d740509..5416e9b 100644
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -1349,8 +1349,8 @@ static int audit_print_reply(struct audit_reply *rep)
>   			printed = 1;
>   			return 0;
>   		case AUDIT_GET:
> -			printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
> -			" rate_limit=%d backlog_limit=%d lost=%d backlog=%d\n",
> +			printf("AUDIT_STATUS: enabled=%u flag=%u pid=%u"
> +			" rate_limit=%u backlog_limit=%u lost=%u backlog=%u\n",

In kernel the types are:
int             audit_enabled;
static int      audit_failure = AUDIT_FAIL_PRINTK;
typedef int     __kernel_pid_t;
static int      audit_rate_limit;
static int      audit_backlog_limit = 64;
static atomic_t audit_lost = ATOMIC_INIT(0);    (atomic_t is just volatile int)

backlog comes from:
static inline __u32 skb_queue_len()


So it seems reasonable to switch backlog=%d to backlog=%u but all of the
other values "could" be negative and should be shown as ints.

-Eric