audit-0.6.2 released
Junji Kanemaru
linux at linuon.com
Sat Feb 12 11:10:20 UTC 2005
Stephen Smalley wrote:
>>Sort of. It fixes the one you saw. However, the corruption Peter was chasing
>>is probably not related. This was a userspace fix. I think there is a
>>separate kernel side one that's been discussed in the SE Linux mail list.
>
> Yes, we saw corruption in the SELinux avc messages prior to any use of
> auditd at all, when everything was still being handled by klogd.
>
This is only my guess, though lines 356 and 372 in audit.c look suspicious:
    audit_log_format(ab, "login pid=%d uid=%d loginuid=%d"
                     " length=%d msg='%.1024s'",
                     pid, uid,
                     login->loginuid,
                     login->msglen,
                     login->msg);
It assumes msg is a C string, but guess what happens if it is not. It tries to print 1024 bytes
in the worst case. It is probably safer to change this line to:
    audit_log_format(ab, "login pid=%d uid=%d loginuid=%d"
                     " length=%d msg='%.*s'",
                     pid, uid,
                     login->loginuid,
                     login->msglen,
                     login->msglen,
                     login->msg);
It won't add overhead, since either way it passes the length.
I noticed it a while back but didn't report it 'cuz I'm not 100%
sure whether null termination of the msg string is always guaranteed or not.
If so, then some other kernel thread could be stomping on its tail...
Hope this helps.
-- Junji
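An added illustration of the point above, not code from the list post or from the audit tree: a constructed login record whose msg buffer carries an explicit length but no NUL terminator, formatted first with the fixed "%.1024s" precision and then with "%.*s" bounded by msglen. The struct login_rec type and snprintf are stand-ins for the kernel's audit_log_format call.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's login record: msg is a byte
 * buffer with an explicit length and no guarantee of NUL termination. */
struct login_rec {
    int loginuid;
    int msglen;
    const char *msg;
};

/* The shape of the original line: "%.1024s" reads until the first NUL
 * or 1024 bytes, whichever comes first, ignoring msglen entirely. */
int format_fixed_precision(char *out, size_t outlen, const struct login_rec *l)
{
    return snprintf(out, outlen, "loginuid=%d length=%d msg='%.1024s'",
                    l->loginuid, l->msglen, l->msg);
}

/* The proposed fix: "%.*s" takes the precision from msglen, so the read
 * stops after msglen bytes whether or not a NUL is present. */
int format_explicit_length(char *out, size_t outlen, const struct login_rec *l)
{
    return snprintf(out, outlen, "loginuid=%d length=%d msg='%.*s'",
                    l->loginuid, l->msglen, l->msglen, l->msg);
}

/* Constructed sample memory: an 8-byte message with no terminator of its
 * own, followed by unrelated bytes before the first NUL appears. */
static const char sample_mem[] = "loginmsgleftover-data";

/* Returns 1 when the fixed-precision form emitted bytes past msglen. */
int demo_leak(void)
{
    struct login_rec l = { 500, 8, sample_mem };
    char a[256], b[256];
    format_fixed_precision(a, sizeof a, &l);
    format_explicit_length(b, sizeof b, &l);
    return strcmp(a, b) != 0;
}

int main(void)
{
    struct login_rec l = { 500, 8, sample_mem };
    char buf[256];
    format_fixed_precision(buf, sizeof buf, &l);
    printf("%%.1024s: %s\n", buf);   /* runs past the 8-byte message */
    format_explicit_length(buf, sizeof buf, &l);
    printf("%%.*s:    %s\n", buf);   /* stops exactly at msglen */
    return 0;
}
```

With a real unterminated buffer the "%.1024s" read would continue into whatever follows msg in memory, which is the over-read the post is worried about; the sample here keeps the trailing bytes inside one array so the demonstration itself stays well-defined.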