[PATCH] Untrusted string logging

[Steve Grubb]

Hello,

As I was working on the new parsers for ausearch, I ran across some issues 
with untrusted string logging. Attached is a patch to fix this. Let me go 
over them as they appear in the patch.

* In audit_log_vformat, we expand the skb just enough memory to cover current 
needs. There's no hysteresis. Imagine a call to log untrusted string passing 
a string of 4024 bytes and has a space in it. We will make 3000 calls to 
reallocate the buffer since audit_log_hex calls audit_log_vformat for every 
character it needs to convert. This is fixed by allocating in multiples of 
AUDIT_BUFSIZ.

* If vsnprintf returns -1, it will mess up the sk buffer space accounting. 
This is fixed by not calling skb_put with bogus len values.

* audit_log_hex was a loop that called audit_log_vformat with %02X for each 
character. This is very inefficient since conversion from unsigned character 
to Ascii representation is essentially masking, shifting, and byte lookups. 
Also, the length of the converted string is well known - its twice the 
original. Fixed by rewriting the function.

*audit_log_untrustedstring had no comments. This makes it hard for someone to 
understand what the string format will be.

* audit_log_d_path was never fixed to use untrustedstring. This could mess up 
user space parsers. This was fixed to make a temp buffer, call d_path, and 
log temp buffer using untrustedstring.

*avc messages print the comm string without escaping. This was not fixed when 
we introduced untrustedstring and modified auditsc.c.

-Steve Grubb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-2.6.9-audit-untrusted.patch
Type: text/x-diff
Size: 4445 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050512/f4c3ba0b/attachment.bin>