[PATCH] Reporting file descriptors and exec args
Alexander Viro
aviro at redhat.com
Tue Sep 12 21:31:02 UTC 2006
On Tue, Sep 12, 2006 at 04:49:47PM -0400, John D. Ramsdell wrote:
> +static const char *elide(const char *str)
> +{
> + static char buf[1025];
> +
> + if (strnlen(str, 1025) >= 1025) {
> + memcpy(buf, str, 1021);
> + buf[1021] = '.';
> + buf[1022] = '.';
> + buf[1023] = '.';
> + buf[1024] = '\0';
> + return buf;
> + }
> +
> + return str;
> +}
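Review bot: elide() returns a pointer into the function-static buf[1025], and nothing in this hunk serializes its use, so two tasks logging an over-long string at the same time can overwrite each other's data between the memcpy() and the point where the caller consumes the returned pointer. Have the caller pass in the buffer (or do the truncation inside the logging helper that writes into ab), and replace the repeated 1025 and 1021..1024 literals with one named constant so the size and the ellipsis offsets cannot drift apart.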
... serialized by...?
> static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
> {
> int i;
> @@ -820,6 +851,16 @@ static void audit_log_exit(struct audit_
> audit_log_format(ab, " success=%s exit=%ld",
> (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
> context->return_code);
> +
> + switch (context->major) {
> + case __NR_open:
> + audit_log_format(ab, " filename=");
> + audit_log_untrustedstring(ab,
> + elide((const char *)context->argv[0]));
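Review bot: in the __NR_open case, context->argv[0] is cast to const char * and handed to elide(), which runs strnlen() and memcpy() on it directly; nothing visible here validates the value or copies the string in before it is read, so whatever was placed in that syscall argument is dereferenced as a kernel pointer. Copy the string into a bounded kernel buffer with an error check (strncpy_from_user() or equivalent) before logging it, or log a pathname the kernel has already copied in, and do not pass the raw argument to string functions.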
Oh, lovely. So let me see if I've got it right - now anybody can trigger
reading from any location in kernel memory. Including iomem. Or not mapped
address range - less interesting (oops instead of mangling hardware), but
easier to guess.
BTW, you still have a problem with __NR_open on biarch targets...