linux-audit.redhat.com archive mirror
* Two small errors in ausearch-parse.c
@ 2015-10-03 23:13 Emily Ratliff
  2015-10-06 15:47 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Emily Ratliff @ 2015-10-03 23:13 UTC (permalink / raw)
  To: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 753 bytes --]

While testing usage of some tools, I stumbled across two small errors in
ausearch-parse.c. I have attached two patches.
end-fix.patch fixes the segfaults which can be found by running
ausearch -m USER_AUTH,USER_ACCT --success no --if end-986-dump.log
and
ausearch -m USER_AUTH,USER_ACCT --success no --if error-ausearch.log

term-segfault.patch fixes the errors that can be found by running
aureport -if corrupt-log-for-aureport.log
and
ausearch -m USER_AUTH,USER_ACCT --success no --if corrupt-log-for-ausearch.log

The erroneous log files were produced using zzuf. The corrupted log files
are also attached. It is unlikely that a user will encounter corrupted
audit log files in the wild, so these bugs aren't serious, but they are
easy to fix.

Emily


[-- Attachment #2: end-fix.patch --]
[-- Type: text/x-patch, Size: 425 bytes --]

diff -Naurp audit-2.4.4.old/src/ausearch-parse.c audit-2.4.4/src/ausearch-parse.c
--- audit-2.4.4.old/src/ausearch-parse.c	2015-09-21 10:55:43.799602931 -0500
+++ audit-2.4.4/src/ausearch-parse.c	2015-09-21 11:08:15.842117361 -0500
@@ -983,7 +983,7 @@ skip:
 			char *end = ptr;
 			int legacy = 0;
 
-			while (*end != ' ') {
+			while (*end != ' ' && *end != '\0') {
 				if (!isxdigit(*end))
 					legacy = 1;
 				end++;
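
Review bot: `isxdigit(*end)` in the loop body is passed a plain `char`; where `char` is signed, a byte above 0x7f becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions, and a corrupted record is exactly where such bytes appear. Suggest `isxdigit((unsigned char)*end)`. In addition, with the new `*end != '\0'` exit the loop can finish with `end` on the terminator rather than on a space, so whatever follows the loop should not assume `*end == ' '` or step to `end + 1` without checking.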

[-- Attachment #3: term-segfault.patch --]
[-- Type: text/x-patch, Size: 431 bytes --]

diff -Naurp audit-2.4.4.old/src/ausearch-parse.c audit-2.4.4/src/ausearch-parse.c
--- audit-2.4.4.old/src/ausearch-parse.c	2015-09-21 08:12:22.554729726 -0500
+++ audit-2.4.4/src/ausearch-parse.c	2015-09-21 08:12:33.898513475 -0500
@@ -971,7 +971,7 @@ skip:
 		ptr = str + 5;
 		term = ptr + 1;
 		if (*ptr == '"') {
-			while (*term != '"')
+			while (*term != '"' && *term != '\0')
 				term++;
 			saved = *term;
 			*term = 0;
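
Review bot: when the loop stops on `'\0'` instead of a closing quote, `saved = *term; *term = 0;` still runs and the unterminated value is accepted as if it were well formed, so the field silently absorbs the rest of the record. Consider testing `if (*term == '\0')` directly after the loop and rejecting the record as malformed; a one-line comment saying the NUL test guards against a missing closing quote would also help the next reader.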

[-- Attachment #4: corrupt-log-for-aureport.log --]
[-- Type: text/x-log, Size: 264 bytes --]

type=CRED_ACQ msg=audit(1442516413.108:311): pid=853 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_permit acct="gdm  exe=/usr/libexec/gdm-session-worker hostname=? addr=? terminal=? res=success'


[-- Attachment #5: corrupt-log-for-ausearch.log --]
[-- Type: text/x-log, Size: 274 bytes --]

tYpe=CRED_DISP mqg=aud­t(\x11442\x1516416.256:441):(0kd=853 ukd=0 auid=4294967295 ses=4294967295 spbj=systmm_5:system_2:xdm_t:s0-s0>c°.c1023 }sG='kp=PAM:setcRed grandors=pam_permit acct="gdm\0(exe="/eóv/licexec¯wdm-cåssioo-worker" hnótnaeE<? a`tr=? terminal=/dev/tty1 res?suckecs&

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #6: end-986-dump.log --]
[-- Type: text/x-log; charset=US-ASCII; name="end-986-dump.log", Size: 273 bytes --]

tùpe=USER_AUTH msg=audit(1442516432.955:308): pid=853 uid50 awid=4294977295 weS=4294y67295 sq`j={y{tem_u:syótem_r:xdm_t:s0-s°;c0.c3023 msg='op=PAEºauthentication$crantors=pam_permit acct=\0g$m" exa="/uSr/lifexec/g`m-session-workar" hostname=? addr=?"terminal=? res=success'

[-- Attachment #7: error-ausearch.log --]
[-- Type: text/x-log, Size: 259 bytes --]

typu=GRP_MGMT mrg<audht(144\x12%17228.9"2:\x1535): pid=4418 uid<0 a5id=1020 3es=1 subj=unconfmned_u:unconfined_r:grotpa`e_t:s0-s0:c°.c1023 móg}/op=changinc-group(grq="rpc5ser" gid=\x129 acct=rrpquseR"\0exe="/usr/óãin/gBoupmod" hostname-? addr== terminal=? res=swccess'


* Re: Two small errors in ausearch-parse.c
  2015-10-03 23:13 Two small errors in ausearch-parse.c Emily Ratliff
@ 2015-10-06 15:47 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2015-10-06 15:47 UTC (permalink / raw)
  To: linux-audit

On Saturday, October 03, 2015 06:13:16 PM Emily Ratliff wrote:
> While testing usage of some tools, I stumbled across two small errors in
> ausearch-parse.c. I have attached two patches.

Thanks. Applied.

> end-fix.patch fixes the segfaults which can be found by running
> ausearch -m USER_AUTH,USER_ACCT --success no --if end-986-dump.log
> and
> ausearch -m USER_AUTH,USER_ACCT --success no --if error-ausearch.log
> 
> term-segfault.patch fixes the errors that can be found by running
> aureport -if corrupt-log-for-aureport.log
> and
> ausearch -m USER_AUTH,USER_ACCT --success no --if corrupt-log-for-ausearch.log
> 
> The erroneous log files were produced using zzuf. The corrupted log files
> are also attached. It is unlikely that a user will encounter corrupted
> audit log files in the wild, so these bugs aren't serious, but they are
> easy to fix.

I would agree. The fixes were in a place where an initial " was found and it was
looking for the terminating one. It's highly unlikely this would ever be
encountered in the wild because libaudit would typically handle the writing of
that ".

-Steve
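
The closing-quote scan discussed in this thread, as an added example that is not part of either message and is not code from the audit source: a non-destructive field reader that stops at the end of the string and reports an unterminated value instead of accepting it. The helper `get_quoted_field`, the `FIELD_*` codes and both sample records are assumptions made for illustration; the corrupt record is constructed from the `corrupt-log-for-aureport.log` attachment above.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for the hypothetical helper below. */
enum { FIELD_OK = 0, FIELD_MISSING = -1, FIELD_UNTERMINATED = -2, FIELD_TOO_LONG = -3 };

/*
 * Copy the value of a key="value" field from a NUL-terminated record into out.
 * The scan for the closing quote also stops at '\0', which is the test the
 * patches add, and a value with no closing quote is reported as malformed.
 */
static int get_quoted_field(const char *rec, const char *key,
                            char *out, size_t outlen)
{
    const char *p = strstr(rec, key);
    if (p == NULL)
        return FIELD_MISSING;
    p += strlen(key);
    if (*p != '"')
        return FIELD_MISSING;              /* value is not quoted */

    const char *term = p + 1;
    while (*term != '"' && *term != '\0')  /* without the NUL test this reads past the buffer */
        term++;
    if (*term == '\0')
        return FIELD_UNTERMINATED;         /* opening quote with no closing quote */

    size_t len = (size_t)(term - (p + 1));
    if (len >= outlen)
        return FIELD_TOO_LONG;
    memcpy(out, p + 1, len);
    out[len] = '\0';
    return FIELD_OK;
}

/* Constructed sample: acct="gdm has lost its closing quote, as in the aureport attachment. */
static const char corrupt_rec[] =
    "msg='op=PAM:setcred grantors=pam_permit acct=\"gdm  exe=/usr/libexec/gdm-session-worker hostname=? addr=? terminal=? res=success'";
/* Constructed sample: the same record with well-formed quoting. */
static const char good_rec[] =
    "msg='op=PAM:setcred grantors=pam_permit acct=\"gdm\" exe=\"/usr/libexec/gdm-session-worker\" hostname=? addr=? terminal=? res=success'";

int main(void)
{
    char acct[64];
    printf("good:    %d\n", get_quoted_field(good_rec, "acct=", acct, sizeof acct));
    printf("corrupt: %d\n", get_quoted_field(corrupt_rec, "acct=", acct, sizeof acct));
    return 0;
}
```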
