From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alexander Viro
Subject: Re: [patch 058/209] audit: rework execve audit
Date: Fri, 27 Jul 2007 16:50:30 -0400
Message-ID: <20070727205030.GE13539@devserv.devel.redhat.com>
References: <200707190848.l6J8mFQf023098@imap1.linux-foundation.org>
 <200707271613.10753.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200707271613.10753.sgrubb@redhat.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com, aaw@google.com, a.p.zijlstra@chello.nl
List-Id: linux-audit@redhat.com

On Fri, Jul 27, 2007 at 04:13:10PM -0400, Steve Grubb wrote:
> > +	len = strnlen_user(p, MAX_ARG_PAGES*PAGE_SIZE);
> > +	/*
> > +	 * We just created this mm, if we can't find the strings
> > +	 * we just copied into it something is _very_ wrong. Similar
> > +	 * for strings that are too long, we should not have created
> > +	 * any.
> > +	 */
> > +	if (!len || len > MAX_ARG_STRLEN) {
> > +		WARN_ON(1);
> > +		send_sig(SIGKILL, current, 0);
> > +	}
>
> Which is right here ^^^
>
> Any ideas?

Empty string in the middle of argv?  Quite legal...

; cat foo.c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
	/* print each argv element as <length:value> */
	while (argc--) {
		printf("<%d:%s>", (int)strlen(*argv), *argv);
		argv++;
	}
	printf("\n");
	return 0;
}
; gcc foo.c
; ./a.out a b
<7:./a.out><1:a><1:b>
; ./a.out a "" b
<7:./a.out><1:a><0:><1:b>
;

IOW, it's trivial to arrange - len can be 0 just fine...
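Review bot: on the `if (!len || len > MAX_ARG_STRLEN)` line, the comment above it only describes the "can't find the strings" case, so it is not stated whether `len == 0` is meant to catch an access fault reported by strnlen_user() or a zero-length argument; spell that out in the comment, and if a zero-length element of argv can also produce 0 here, test the fault case separately instead of SIGKILLing both. The quoted hunk also shows no `break` or `return` after `send_sig(SIGKILL, current, 0);`, so if the surrounding loop keeps copying after the task has been killed, an explicit early exit there would make the failure path obvious.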