From: Amy Griffis
Subject: Re: [PATCH] name_count array overrun
Date: Thu, 7 Sep 2006 16:43:22 -0400
Message-ID: <20060907204322.GA12003@fc.hp.com>
References: <200609071400.06853.sgrubb@redhat.com>
To: linux-audit@redhat.com

Steve Grubb wrote: [Thu Sep 07 2006, 02:00:06PM EDT]
> Hello,
>
> The below patch closes an unbounded use of name_count. This can lead to oopses
> in some new file systems.
> > Signed-off-by: Steve Grubb > > > diff -urp linux-2.6.17.x86_64.orig/kernel/auditsc.c linux-2.6.17.x86_64/kernel/auditsc.c > --- linux-2.6.17.x86_64.orig/kernel/auditsc.c 2006-08-29 11:21:20.000000000 -0400 > +++ linux-2.6.17.x86_64/kernel/auditsc.c 2006-08-29 15:15:28.000000000 -0400 > @@ -1281,7 +1281,15 @@ void __audit_inode(const char *name, con > * associated name? */ > if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) > return; What about this conditional, which translates to context->name_count >= 13? Leaving the code as is means we'll never reach the new printk below, where context->name_count == 19. > - idx = context->name_count++; > + idx = context->name_count; > + if (context->name_count == (AUDIT_NAMES - 1)) { > + printk(KERN_DEBUG > + "name_count maxed and losing entry [%d]=%s\n", > + context->name_count, > + context->names[context->name_count].name ?: > + "(null)"); This is a little misleading, since the first time we hit it, we haven't lost anything yet. We're only losing data on the second and following times we hit it. Did you consider just dropping any data encountered after we've filled AUDIT_NAMES, instead of copying over the data for the last element? > + } else > + context->name_count++; > context->names[idx].name = NULL; > #if AUDIT_DEBUG > ++context->ino_count; > @@ -1333,7 +1341,13 @@ void __audit_inode_child(const char *dna > } > > update_context: > - idx = context->name_count++; > + idx = context->name_count; > + if (context->name_count == (AUDIT_NAMES - 1)) { > + printk(KERN_DEBUG "name_count maxed and losing entry [%d]=%s\n", > + context->name_count, > + context->names[context->name_count].name ?: "(null)"); > + } else > + context->name_count++; > #if AUDIT_DEBUG > context->ino_count++; > #endif 
> @@ -1351,7 +1365,15 @@ update_context: > /* A parent was not found in audit_names, so copy the inode data for the > * provided parent. */ > if (!found_name) { > - idx = context->name_count++; > + idx = context->name_count; > + if (context->name_count == (AUDIT_NAMES - 1)) { > + printk(KERN_DEBUG > + "name_count maxed and losing entry [%d]=%s\n", > + context->name_count, > + context->names[context->name_count].name ?: > + "(null)"); > + } else > + context->name_count++; > #if AUDIT_DEBUG > context->ino_count++; > #endif > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit >
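Review bot: In the first hunk (`__audit_inode`), the overflow branch falls through to the unchanged `context->names[idx].name = NULL;`, so once `name_count` sits at `AUDIT_NAMES - 1` each further call clears the name already stored in the last slot and reuses that record. Consider returning right after the printk, the way the unchanged `>= AUDIT_NAMES - AUDIT_NAMES_RESERVED` guard above it does, so the existing entry is kept and no name pointer is dropped without whatever release it needs.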
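Review bot: In the second hunk (`update_context:`), the clamp leaves `name_count` at `AUDIT_NAMES - 1` while `idx` points at that same index, so the final slot is written but never counted, and anything that walks the array up to `name_count` will skip it. The test also uses `==`; `>=` would still bound `idx` if the counter ever got past the limit by another path. The printk call here runs past 80 columns, unlike the wrapped form used in the other two hunks.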
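Review bot: In the third hunk (`if (!found_name)`), this is the third copy of the same clamp-and-printk sequence, and if it runs in the same call as the copy at `update_context:` while the table is full, both resolve to the same `idx`, so the parent data overwrites the entry that was just written. A small helper that returns the next index or a failure would remove the duplication and let the caller skip the copy. Wrapping the message in `printk_ratelimit()` would keep a syscall that touches many inodes from flooding the log.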