From: Richard Guy Briggs <rgb@redhat.com>
To: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: security@kernel.org, linux-audit@redhat.com, "Krinke, Jens" <j.krinke@ucl.ac.uk>
Subject: Re: Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c
Date: Mon, 20 Jun 2016 14:22:15 -0400
Message-ID: <20160620182215.GC25615@madcap2.tricolour.ca>
In-Reply-To: <CACxtibRq2ddMeLh5V5tV5A2zKDHfZX1EcNaKPaKZZvxYP1ntGA@mail.gmail.com>
On 2016-06-20 14:50, Pengfei Wang wrote:
> Hello,
>
> I found this Double-Fetch issue in Linux-4.6.1/kernel/auditsc.c when I
> was examining the source code, which I think is a bug.
>
> In function audit_log_single_execve_arg(), the whole argument is
> fetched from user space twice via copy_from_user(). In the first loop,
> it is first fetched (line 1038) to verify it, i.e. to look for non-ascii
> chars. In the second loop, the whole argument is fetched again
> (line 1105) from user space and used at line 1121 or line 1123,
> respectively, depending on the previous verification.
>
> However, a double fetch problem happens when the user space data
> is changed by a concurrently running user thread under a race
> condition between the verification and the use, and the data
> inconsistency will cause serious problems. In this case, the verified
> non-ascii argument from the first loop is likely to be changed to an
> ascii one (i.e. containing ‘ “ ’) which will be used in the second
> loop. Then the argument is passed to audit_log_string() as non-ascii,
> and, moving forward into audit_log_n_string() in file audit.c, the string
> is enclosed with quote marks as well. Since the string contains
> another quote mark in the middle, problems will happen when processing
> the string based on quote marks, e.g. the string will be recognized as
> a shorter one based on the middle quote mark. I believe other
> consequences are also likely to be caused once a non-control string
> is treated as a control string, or vice versa, which is very likely to
> happen under double fetch situations.
This function is only ever called by __audit_free(), which is only ever
called on failure of task creation or on exit of the task, so in neither
case can anything else change it.
I don't think what you describe will ever happen.
> I am looking forward to a reply to confirm this, thank you!
>
> Kind regards
>
> Pengfei
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
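The report above turns on the shape of the code rather than on any particular line: a value is classified on one copy_from_user() and emitted from a second, so the two copies can disagree. The following is an added example, not code from the kernel or from either participant, that reproduces the shape in user space with a constructed stand-in for copy_from_user() and a synchronous "racer" callback standing in for the concurrent thread, so the interleaving is deterministic. The classification rule (quote the value unless it contains a double quote or a non-printable byte, otherwise hex-encode it) is an assumption made for the demo, not the kernel's exact check; the fixed variant shows the usual remedy of fetching once and using the kernel-side copy for both decisions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for copy_from_user(): this is a user-space demo,
 * so "user memory" is just a buffer the caller hands in. */
static void fake_copy_from_user(char *dst, const char *user_src, size_t len)
{
    memcpy(dst, user_src, len);
}

/* Assumed classification rule (not the kernel's exact check): a value
 * holding a double quote or a byte outside printable ASCII must be
 * hex-encoded instead of being wrapped in quotes. */
static bool must_hex_encode(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '"' || c < 0x21 || c > 0x7e)
            return true;
    }
    return false;
}

/* Writes either "value" or the upper-case hex of value into out. */
static void emit(const char *buf, size_t len, bool hex, char *out, size_t outsz)
{
    size_t pos = 0;
    if (hex) {
        for (size_t i = 0; i < len && pos + 3 < outsz; i++)
            pos += (size_t)snprintf(out + pos, outsz - pos, "%02X",
                                    (unsigned char)buf[i]);
    } else {
        snprintf(out, outsz, "\"%.*s\"", (int)len, buf);
    }
}

/* Models the concurrent user thread; called between the two fetches. */
typedef void (*racer_fn)(char *user_arg, size_t len);

/* Vulnerable shape: classify on the first fetch, emit from a second one.
 * Whatever the racer wrote in between is what gets logged. */
void log_arg_double_fetch(char *user_arg, size_t len, racer_fn racer,
                          char *out, size_t outsz)
{
    char kbuf[64];
    fake_copy_from_user(kbuf, user_arg, len);
    bool hex = must_hex_encode(kbuf, len);     /* decision made on copy #1 */
    if (racer)
        racer(user_arg, len);
    fake_copy_from_user(kbuf, user_arg, len);  /* copy #2 may differ */
    emit(kbuf, len, hex, out, outsz);
}

/* Fixed shape: fetch once; classify and emit from the same kernel copy. */
void log_arg_single_fetch(char *user_arg, size_t len, racer_fn racer,
                          char *out, size_t outsz)
{
    char kbuf[64];
    fake_copy_from_user(kbuf, user_arg, len);
    if (racer)
        racer(user_arg, len);                  /* user memory changes, kbuf does not */
    emit(kbuf, len, must_hex_encode(kbuf, len), out, outsz);
}

/* Constructed racer: rewrites the middle byte as a double quote. */
static void inject_quote(char *user_arg, size_t len)
{
    user_arg[len / 2] = '"';
}

/* True when out is a quoted field whose body itself contains a quote:
 * the inconsistent record the report describes. */
bool quoted_field_contains_quote(const char *out)
{
    size_t n = strlen(out);
    if (n < 2 || out[0] != '"' || out[n - 1] != '"')
        return false;
    return memchr(out + 1, '"', n - 2) != NULL;
}

/* Run one scenario on the constructed input "abcde" and report whether
 * the emitted field is inconsistent. */
bool demo_double_fetch_inconsistent(void)
{
    char user_arg[] = "abcde", out[128];
    log_arg_double_fetch(user_arg, 5, inject_quote, out, sizeof out);
    return quoted_field_contains_quote(out);   /* "ab"de" -> true */
}

bool demo_single_fetch_inconsistent(void)
{
    char user_arg[] = "abcde", out[128];
    log_arg_single_fetch(user_arg, 5, inject_quote, out, sizeof out);
    return quoted_field_contains_quote(out);   /* "abcde" -> false */
}

int main(void)
{
    printf("double fetch inconsistent: %d\n", demo_double_fetch_inconsistent());
    printf("single fetch inconsistent: %d\n", demo_single_fetch_inconsistent());
    return 0;
}
```

The reply above argues that no concurrent writer exists at the point this function runs, which is what decides whether the first shape is actually exploitable here; the single-fetch shape is the one that does not depend on that argument, which is why it is the usual review recommendation for copy_from_user() call sites that both validate and use the same user data.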
Thread overview: 14+ messages
2016-06-20 13:50 Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c Pengfei Wang
2016-06-20 18:22 ` Richard Guy Briggs [this message]
2016-06-20 19:18 ` Oleg Nesterov
2016-06-21 9:37 ` Pengfei Wang
2016-06-21 9:51 ` Ben Hutchings
2016-06-21 18:14 ` Richard Guy Briggs
2016-06-21 18:20 ` Ben Hutchings
2016-06-21 19:18 ` Richard Guy Briggs
2016-06-21 19:59 ` Ben Hutchings
2016-06-21 20:31 ` Andy Lutomirski
2016-06-21 20:47 ` Richard Guy Briggs
2016-06-22 9:57 ` Pengfei Wang
2016-06-27 21:45 ` Paul Moore
2016-06-21 18:17 ` Richard Guy Briggs