bug?: audit filtering on negative values

Wed Jan 18 20:21:56 UTC 2006

On Wednesday 18 January 2006 15:18, Timothy R. Chavez wrote:
> What kernel are you testing on?  I just checked the latest kernel
> (lspp.6) and this does look like a problem:
>
> struct audit_field {
>         u32                     type;
>         u32                     val;
>         u32                     op;
> };
>
>
> We only allow unsigned val(ues).  Eek

Right and that's because this is what the context stores:

129 struct audit_context {
136         unsigned long       argv[4];    /* syscall arguments */

-Steve