From: "Miloslav Trmač" <mitr@redhat.com>
To: John Dennis <jdennis@redhat.com>
Cc: Eric Paris <eparis@redhat.com>,
linux-audit <linux-audit@redhat.com>,
viro@zeniv.linux.org.uk,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] audit: fix NUL handling in untrusted strings
Date: Thu, 11 Sep 2008 22:03:06 +0200 [thread overview]
Message-ID: <1221163386.17533.52.camel@amilo> (raw)
In-Reply-To: <48C975D5.3020603@redhat.com>
John Dennis píše v Čt 11. 09. 2008 v 15:47 -0400:
> Miloslav Trmač wrote:
> > If the interface says "NUL-terminated string", any bytes after that are
> > not "actual data".
> Yes, that's correct. However, the function in question,
> audit_log_n_untrustedstring() is not an interface accepting a null
> terminated string, it accepts a count.
These options are not exclusive - see strnlen().
audit_log_n_untrustedstring(), as patched, follows that model exactly.
> > Yes, that's why it was wrong to use audit_*string() for TTY input data.
> > And the 2/2 patch fixes it - at the source of the problem, not in an
> > unrelated function that was incorrectly used.
> >
> This is true, but it's only part of the problem, the string functions
> still need to be robust, even used inappropriately.
They need to do what they promise in the first place, only then can they
possibly do something useful with invalid input. AUDIT_USER_TTY
messages, like all messages sent from user-space, are sent with a
trailing NUL. The contents of the message are (more or less) trusted,
it is perfectly reasonable to stop at first NUL.
audit_log_n_untrustedstring(), as patched, does exactly what is needed -
the length parameter is used only to make unrelated kernel data does not
appear in the audit record.
Now, given a function called fn(), either behavior (terminating at NUL,
or treating NUL as a control character) is valid, and AUDIT_USER_TTY
handling can be written for both behaviors of fn(). But given the
function is called ...untrustedstring, and "string" in C implies
NUL-terminated, I think it is more consistent to stop on NUL.
Mirek
next prev parent reply other threads:[~2008-09-11 20:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-10 22:23 [PATCH 1/2] audit: fix NUL handling in untrusted strings Miloslav Trmač
2008-09-11 14:25 ` Eric Paris
2008-09-11 14:43 ` Miloslav Trmač
[not found] ` <48C955C8.2000602@redhat.com>
2008-09-11 18:10 ` Miloslav Trmač
2008-09-11 18:15 ` Miloslav Trmač
2008-09-11 19:08 ` Steve Grubb
[not found] ` <48C96D90.70608@redhat.com>
2008-09-11 19:27 ` Miloslav Trmač
[not found] ` <48C975D5.3020603@redhat.com>
2008-09-11 20:03 ` Miloslav Trmač [this message]
2008-09-11 19:14 ` Andrew Morton
2008-09-11 19:37 ` Miloslav Trmač
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1221163386.17533.52.camel@amilo \
--to=mitr@redhat.com \
--cc=eparis@redhat.com \
--cc=jdennis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox