Linux-audit Archive on lore.kernel.org
From: Richard Guy Briggs <rgb@redhat.com>
To: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: security@kernel.org, linux-audit@redhat.com, "Krinke, Jens" <j.krinke@ucl.ac.uk>
Subject: Re: Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c
Date: Mon, 20 Jun 2016 14:22:15 -0400	[thread overview]
Message-ID: <20160620182215.GC25615@madcap2.tricolour.ca> (raw)
In-Reply-To: <CACxtibRq2ddMeLh5V5tV5A2zKDHfZX1EcNaKPaKZZvxYP1ntGA@mail.gmail.com>

On 2016-06-20 14:50, Pengfei Wang wrote:
> Hello,
> 
> I found this Double-Fetch issue in Linux-4.6.1/kernel/auditsc.c when I
> was examining the source code, which I think is a bug.
> 
> In function audit_log_single_execve_arg(), the whole argument is
> fetched from user space twice via copy_from_user(). In the first loop,
> it is first fetched (line 1038) to verify it, i.e. to look for non-ascii
> chars. In the second loop, the whole argument is fetched again
> (line 1105) from user space and used at line 1121 or line 1123
> respectively, depending on the previous verification.
> 
> However, a double fetch problem happens when the user space data that
> was fetched is changed by a concurrently running user thread under a race
> condition between the verification and the usage, and the data
> inconsistency will cause serious problems. In this case, the verified
> non-ascii argument from the first loop is likely to be changed to an
> ascii one (i.e. containing ‘ “ ’) which will be used in the second
> loop. Then the argument is passed to audit_log_string() as non-ascii,
> then moving forward in audit_log_n_string() of file audit.c, the string
> is enclosed with quote marks as well. Since the string contains
> another quote mark in the middle, problems will happen when processing
> the string based on quote marks, e.g. the string will be recognized as
> a shorter one based on the middle quote mark. I believe other
> consequences are also likely to be caused once a non-control string
> is treated as a control string, or vice versa, which is very likely to
> happen under double fetch situations.

This function is only ever called by __audit_free(), which is only ever
called on failure of task creation or on exit of the task, so in neither
case can anything else change it.

I don't think what you describe will ever happen.

> I am looking forward to a reply to confirm this, thank you!
> 
> Kind regards
> 
> Pengfei

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
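The two code shapes at issue in the exchange above, a "fetch, check, re-fetch, use" loop versus a single copy that is both checked and used, as an added stand-alone illustration written for this page. It is not code from the thread, from kernel/auditsc.c, or from either author: copy_from_user() is stood in for by a memcpy from a simulated user buffer, the classification rule (hex-encode anything containing a double quote or a non-printable byte) is a constructed approximation of the quoting decision the report describes, and the "race" is a callback that rewrites the buffer between the two fetches so the effect can be observed deterministically without threads. All names (`fetch_from_user`, `log_arg_double_fetch`, `log_arg_single_fetch`, `flip_to_quoted`) are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated user memory: a buffer that "another thread" may rewrite at any time. */
static char user_mem[64];

/* Constructed stand-in for copy_from_user(): copies len bytes at off into dst. */
static int fetch_from_user(char *dst, size_t off, size_t len)
{
    if (off + len > sizeof(user_mem))
        return -1;
    memcpy(dst, user_mem + off, len);
    return 0;
}

/* Constructed classification rule: a string holding a double quote or a
 * non-printable byte cannot safely be emitted as "..." and must be hex-encoded. */
static bool needs_hex_encoding(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c > 0x7e)
            return true;
    }
    return false;
}

/* Emit either the hex form or the quoted form of s into out. */
static void emit(char *out, size_t outsz, const char *s, size_t len, bool hex)
{
    if (hex) {
        size_t n = 0;
        for (size_t i = 0; i < len && n + 3 < outsz; i++)
            n += (size_t)snprintf(out + n, outsz - n, "%02X", (unsigned char)s[i]);
    } else {
        snprintf(out, outsz, "\"%.*s\"", (int)len, s);
    }
}

/* Double-fetch shape: the decision is taken on copy #1, but copy #2 is what
 * gets logged. 'race' simulates user memory changing between the two copies. */
static int log_arg_double_fetch(char *out, size_t outsz, size_t len, void (*race)(void))
{
    char tmp[64];
    if (fetch_from_user(tmp, 0, len))
        return -1;
    bool hex = needs_hex_encoding(tmp, len);    /* verdict from copy #1 */
    if (race)
        race();
    if (fetch_from_user(tmp, 0, len))           /* copy #2 replaces copy #1 */
        return -1;
    emit(out, outsz, tmp, len, hex);            /* verdict applied to copy #2 */
    return 0;
}

/* Single-fetch shape: one kernel copy is both checked and emitted, so later
 * changes to user memory cannot desynchronise the verdict from the data. */
static int log_arg_single_fetch(char *out, size_t outsz, size_t len, void (*race)(void))
{
    char tmp[64];
    if (fetch_from_user(tmp, 0, len))
        return -1;
    bool hex = needs_hex_encoding(tmp, len);
    if (race)
        race();                                 /* user_mem changes, tmp does not */
    emit(out, outsz, tmp, len, hex);
    return 0;
}

/* Constructed "racing thread": swaps a plain argument for one with an embedded quote. */
static void flip_to_quoted(void)
{
    memcpy(user_mem, "ab\"cd", 5);
}

/* Reset the simulated user buffer to a benign five-byte argument. */
static void reset_user_mem(void)
{
    memset(user_mem, 0, sizeof(user_mem));
    memcpy(user_mem, "abcde", 5);
}
```

With the race callback in place, the double-fetch variant produces `"ab"cd"`, a quoted field with a stray quote in the middle, which is exactly the consumer-side confusion the report worries about; the single-fetch variant logs `"abcde"`, the data it actually checked, and if the quote is already present at fetch time it emits the hex form `6162226364`.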

Thread overview: 14+ messages
2016-06-20 13:50 Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c Pengfei Wang
2016-06-20 18:22 ` Richard Guy Briggs [this message]
2016-06-20 19:18   ` Oleg Nesterov
2016-06-21  9:37     ` Pengfei Wang
2016-06-21  9:51       ` Ben Hutchings
2016-06-21 18:14         ` Richard Guy Briggs
2016-06-21 18:20           ` Ben Hutchings
2016-06-21 19:18             ` Richard Guy Briggs
2016-06-21 19:59               ` Ben Hutchings
2016-06-21 20:31                 ` Andy Lutomirski
2016-06-21 20:47                   ` Richard Guy Briggs
2016-06-22  9:57                     ` Pengfei Wang
2016-06-27 21:45                       ` Paul Moore
2016-06-21 18:17       ` Richard Guy Briggs
