From: Andrew Morton
Subject: Re: [PATCH 1/2] audit: fix NUL handling in untrusted strings
Date: Thu, 11 Sep 2008 12:14:43 -0700
Message-ID: <20080911121443.c3153842.akpm@linux-foundation.org>
References: <1221085418.2705.19.camel@amilo>
In-Reply-To: <1221085418.2705.19.camel@amilo>
To: Miloslav Trmač
Cc: linux-audit@redhat.com, viro@zeniv.linux.org.uk, linux-kernel@vger.kernel.org
List-Id: linux-audit@redhat.com

On Thu, 11 Sep 2008 00:23:38 +0200 Miloslav Trmač wrote:

> audit_string_contains_control() stops checking at the first NUL byte.
> If audit_string_contains_control() returns FALSE,
> audit_log_n_untrustedstring() submits the complete string - including
> the NUL byte and all following bytes, up to the specified maximum length
> - to audit_log_n_string(), which copies the data unchanged into the
> audit record.
>
> The audit record can thus contain a NUL byte (and some unchecked data
> after that). Because the user-space audit daemon treats audit records
> as NUL-terminated strings, an untrusted string that is shorter than the
> specified maximum length effectively terminates the audit record.
>
> This patch modifies audit_log_n_untrustedstring() to only log the data
> before the first NUL byte, if any.

It's unclear how serious this problem is. Do you believe that it is
sufficiently serious to warrant merging these fixes into 2.6.27?
2.6.26.x? 2.6.25.x?

Thanks.
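The record truncation described in the quoted patch description, as an added example that is not part of the original message and not kernel code: a user-space C model that builds one record with and without the stop-at-NUL behaviour and reports how much of it a NUL-terminated-string consumer sees. The names `contains_control`, `log_untrusted` and `visible_len` are hypothetical, the "control" character class is an assumption of the model, and the `abc` field and `name=... res=1` layout are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Model of the check as described: scanning stops at the first NUL (character class assumed). */
static int contains_control(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len && s[i] != '\0'; i++)
        if (s[i] == '"' || s[i] < 0x21 || s[i] > 0x7e)
            return 1;
    return 0;
}

/* Append one untrusted field to rec at offset pos and return the new offset.
 * stop_at_nul = 0 models the behaviour before the patch, 1 the behaviour after. */
static size_t log_untrusted(char *rec, size_t pos, const char *s, size_t len, int stop_at_nul)
{
    const char *nul = memchr(s, '\0', len);
    if (stop_at_nul && nul)
        len = (size_t)(nul - s);          /* log only the data before the NUL */
    if (contains_control((const unsigned char *)s, len)) {
        for (size_t i = 0; i < len; i++)  /* hex-encode the whole field */
            pos += (size_t)sprintf(rec + pos, "%02X", (unsigned char)s[i]);
        return pos;
    }
    rec[pos++] = '"';
    memcpy(rec + pos, s, len);            /* copied unchanged, NUL included */
    pos += len;
    rec[pos++] = '"';
    return pos;
}

/* Build name=<field> res=1 and return the length seen by a consumer that
 * treats the record as a NUL-terminated string; *built is the real length. */
static size_t visible_len(int stop_at_nul, size_t *built)
{
    static const char field[8] = "abc";   /* constructed: 3 bytes in an 8-byte maximum */
    char rec[64];
    size_t pos = (size_t)sprintf(rec, "name=");
    pos = log_untrusted(rec, pos, field, sizeof(field), stop_at_nul);
    pos += (size_t)sprintf(rec + pos, " res=1");
    *built = pos;
    return strlen(rec);
}

int main(void)
{
    size_t b0, b1, v0 = visible_len(0, &b0), v1 = visible_len(1, &b1);
    printf("before: %zu of %zu bytes visible; after: %zu of %zu\n", v0, b0, v1, b1);
    return 0;
}
```

In the "before" case the closing quote and the trailing ` res=1` field are present in the buffer but sit behind the embedded NUL, so a string-based reader never sees them.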