From: John Dennis <jdennis@redhat.com>
To: "Miloslav Trmač" <mitr@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>,
viro@zeniv.linux.org.uk,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] audit: fix NUL handling in untrusted strings
Date: Thu, 11 Sep 2008 15:12:16 -0400 [thread overview]
Message-ID: <48C96D90.70608@redhat.com> (raw)
In-Reply-To: <1221156612.17533.14.camel@amilo>
[-- Attachment #1.1: Type: text/plain, Size: 1656 bytes --]
Miloslav Trmač wrote:
> John Dennis píše v Čt 11. 09. 2008 v 13:30 -0400:
>
>> Special processing with regards to the presence or absence of a null
>> byte is one example of prohibited interpretation.
>>
> This is UNIX, "string" means "NUL-terminated string" (in fact the
> presence of a NUL byte is the only way to reasonably detect binary
> data).
>
>
A primary purpose of the audit system is to log with the greatest
accuracy possible the actual data. If that data somehow contained a
null, even in a context in which a null would have been prohibited, the
audit system absolutely needs to be able to correctly record that
aberrant event and it's actual data. If the audit system failed at that
moment it's failing at the worst possible moment, the moment when you're
looking for bad data.
A UNIX-like operating system does not in and of itself mandate the
default conventions of the C programming language. A great danger and
the source of bugs is making assumptions concerning how to interpret
octet sequences. By far and away the worst possible place to make a
mistake handling an octet sequence is in the kernel. It would be wrong
for the audit system to assume the memory block it was pointed to only
ever contained null terminated ascii strings, especially when the memory
block is terminated by virtue of an octet count.
> You're far more likely to encounter a fixed-length field with an
> optional terminating NUL (like the old-style, 16-byte directory entries)
> than an ASCII-compatible string that intentionally contains a NUL byte.
>
--
John Dennis <jdennis@redhat.com>
[-- Attachment #1.2: Type: text/html, Size: 2274 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2008-09-11 19:12 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-10 22:23 [PATCH 1/2] audit: fix NUL handling in untrusted strings Miloslav Trmač
2008-09-11 14:25 ` Eric Paris
2008-09-11 14:43 ` Miloslav Trmač
2008-09-11 17:30 ` John Dennis
2008-09-11 18:10 ` Miloslav Trmač
2008-09-11 18:15 ` Miloslav Trmač
2008-09-11 19:08 ` Steve Grubb
2008-09-11 19:19 ` John Dennis
2008-09-11 19:12 ` John Dennis [this message]
2008-09-11 19:27 ` Miloslav Trmač
2008-09-11 19:47 ` John Dennis
2008-09-11 20:03 ` Miloslav Trmač
2008-09-11 19:14 ` Andrew Morton
2008-09-11 19:37 ` Miloslav Trmač
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48C96D90.70608@redhat.com \
--to=jdennis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mitr@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox