From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Richard Guy Briggs, Paul Moore, Sasha Levin
Subject: [PATCH AUTOSEL 4.14 118/150] audit: print empty EXECVE args
Date: Sat, 16 Nov 2019 10:46:56 -0500
Message-Id: <20191116154729.9573-118-sashal@kernel.org>
In-Reply-To: <20191116154729.9573-1-sashal@kernel.org>
References: <20191116154729.9573-1-sashal@kernel.org>

From: Richard Guy Briggs

[ Upstream commit ea956d8be91edc702a98b7fe1f9463e7ca8c42ab ]

Empty executable arguments were being skipped when printing out the list
of arguments in an EXECVE record, making it appear they were somehow
lost. Include empty arguments as an itemized empty string.

Reproducer:
	autrace /bin/ls "" "/etc"
	ausearch --start recent -m execve -i | grep EXECVE
	type=EXECVE msg=audit(10/03/2018 13:04:03.208:1391) : argc=3 a0=/bin/ls a2=/etc

With fix:
	type=EXECVE msg=audit(10/03/2018 21:51:38.290:194) : argc=3 a0=/bin/ls a1= a2=/etc
	type=EXECVE msg=audit(1538617898.290:194): argc=3 a0="/bin/ls" a1="" a2="/etc"

Passes audit-testsuite. GH issue tracker at
https://github.com/linux-audit/audit-kernel/issues/99

Signed-off-by: Richard Guy Briggs
[PM: cleaned up the commit metadata]
Signed-off-by: Paul Moore
Signed-off-by: Sasha Levin
---
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 76d789d6cea06..ffa8d64f6fef4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -1102,7 +1102,7 @@ static void audit_log_execve_info(struct audit_context *context, } /* write as much as we can to the audit log */ - if (len_buf > 0) { + if (len_buf >= 0) { /* NOTE: some magic numbers here - basically if we * can't fit a reasonable amount of data into the * existing audit buffer, flush it and start with -- 2.20.1
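
Review bot: the changed test "if (len_buf >= 0)" under the "write as much as we can to the audit log" comment now sends a zero-length buffer down the write path, but nothing in the code says why, and that comment still reads as if there is always data to write. Please add a short comment stating that len_buf == 0 is an empty argument that must still be logged as an itemized empty string (the a1="" shown in the commit message). If len_buf cannot be negative at this point, the condition is always true and the "if" could be dropped; if it can, say which case is being excluded. It is also worth confirming that the flush decision described in the "magic numbers" note behaves sensibly with a zero length, and adding the empty-argument reproducer from the commit message as a regression test.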