[patch 058/209] audit: rework execve audit
Alexander Viro
aviro at redhat.com
Fri Jul 27 20:50:30 UTC 2007
On Fri, Jul 27, 2007 at 04:13:10PM -0400, Steve Grubb wrote:
> > + len = strnlen_user(p, MAX_ARG_PAGES*PAGE_SIZE);
> > + /*
> > + * We just created this mm, if we can't find the strings
> > + * we just copied into it something is _very_ wrong. Similar
> > + * for strings that are too long, we should not have created
> > + * any.
> > + */
> > + if (!len || len > MAX_ARG_STRLEN) {
> > + WARN_ON(1);
> > + send_sig(SIGKILL, current, 0);
> > + }
>
> Which is right here ^^^
>
> Any ideas?
Empty string in the middle of argv? Quite legal...
; cat foo.c
#include <stdio.h>
main(int argc, char **argv)
{
while (argc--) {
printf("<%d:%s>", strlen(*argv), *argv);
argv++;
}
printf("\n");
return 0;
}
; gcc foo.c
; ./a.out a b
<7:./a.out><1:a><1:b>
; ./a.out a "" b
<7:./a.out><1:a><0:><1:b>
;
IOW, it's trivial to arrange - len can be 0 just fine...
More information about the Linux-audit
mailing list