From: Steve Grubb
Subject: [PATCH] name_count array overrun
Date: Thu, 7 Sep 2006 14:00:06 -0400
Message-ID: <200609071400.06853.sgrubb@redhat.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

Hello,

The below patch closes an unbounded use of name_count. This can lead to oopses in some new file systems.

Signed-off-by: Steve Grubb

diff -urp linux-2.6.17.x86_64.orig/kernel/auditsc.c linux-2.6.17.x86_64/kernel/auditsc.c --- linux-2.6.17.x86_64.orig/kernel/auditsc.c 2006-08-29 11:21:20.000000000 -0400 +++ linux-2.6.17.x86_64/kernel/auditsc.c 2006-08-29 15:15:28.000000000 -0400 @@ -1281,7 +1281,15 @@ void __audit_inode(const char *name, con * associated name? */ if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) return; - idx = context->name_count++; + idx = context->name_count; + if (context->name_count == (AUDIT_NAMES - 1)) { + printk(KERN_DEBUG + "name_count maxed and losing entry [%d]=%s\n", + context->name_count, + context->names[context->name_count].name ?: + "(null)"); + } else + context->name_count++; context->names[idx].name = NULL; #if AUDIT_DEBUG ++context->ino_count; 
@@ -1333,7 +1341,13 @@ void __audit_inode_child(const char *dna } update_context: - idx = context->name_count++; + idx = context->name_count; + if (context->name_count == (AUDIT_NAMES - 1)) { + printk(KERN_DEBUG "name_count maxed and losing entry [%d]=%s\n", + context->name_count, + context->names[context->name_count].name ?: "(null)"); + } else + context->name_count++; #if AUDIT_DEBUG context->ino_count++; #endif @@ -1351,7 +1365,15 @@ update_context: /* A parent was not found in audit_names, so copy the inode data for the * provided parent. */ if (!found_name) { - idx = context->name_count++; + idx = context->name_count; + if (context->name_count == (AUDIT_NAMES - 1)) { + printk(KERN_DEBUG + "name_count maxed and losing entry [%d]=%s\n", + context->name_count, + context->names[context->name_count].name ?: + "(null)"); + } else + context->name_count++; #if AUDIT_DEBUG context->ino_count++; #endif
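Review bot: In the __audit_inode hunk (@@ -1281), the new `if (context->name_count == (AUDIT_NAMES - 1))` branch is unreachable whenever AUDIT_NAMES_RESERVED is non-zero: the unchanged guard two lines above it, `if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) return;`, already returns before name_count can climb to AUDIT_NAMES - 1. Either leave this site on the existing guard and drop the new block here, or, if the intent is to remove that guard later, say so in the changelog; as posted, the hunk adds dead code and a debug message that can never fire on this path.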
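Review bot: In the update_context hunk (@@ -1333), when name_count equals AUDIT_NAMES - 1 the code keeps `idx = context->name_count` and falls through, so the last slot of names[] is reused in place rather than the new entry being skipped: whatever names[idx] already held is overwritten by the code that follows, nothing in the hunk releases it, and the printk only reports the loss. Consider skipping the entry (or at least not touching a slot that is still live) instead of silently reusing it, wrap the message in `if (printk_ratelimit())` since this path is reachable from ordinary file operations and will spam the log once the table is full, and prefer bumping the audit lost-record counter (audit_log_lost) over a KERN_DEBUG line, which is easy to miss for a subsystem whose whole purpose is not losing records.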
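Review bot: The `if (!found_name)` hunk (@@ -1351) is the third verbatim copy of the same check-and-printk block, differing from the other two only in line wrapping. Factor it into one small static helper (for example an `audit_alloc_name_slot(context)` that returns the index to use or -1 when the table is full) so the bound, the message and the drop-versus-overwrite policy live in a single place and the three call sites cannot drift apart when one of them is fixed.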