[RFC PATCH] audit: correctly record file names with different path name types
hujianyang
hujianyang at huawei.com
Tue Dec 2 07:12:25 UTC 2014
On 2014/12/2 5:27, Paul Moore wrote:
> ---
> kernel/auditsc.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 21eae3c..ff99c05 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1886,12 +1886,18 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
> }
>
> out_alloc:
> - /* unable to find the name from a previous getname(). Allocate a new
> - * anonymous entry.
> - */
> - n = audit_alloc_name(context, AUDIT_TYPE_NORMAL);
> + /* unable to find an entry with both a matching name and type */
> + n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
> if (!n)
> return;
> + if (name)
> + /* since name is not NULL we know there is already a matching
> + * name record, see audit_getname(), so there must be a type
> + * mismatch; reuse the string path since the original name
> + * record will keep the string valid until we free it in
> + * audit_free_names() */
> + n->name = name;
> +
> out:
> if (parent) {
> n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
>
>
> .
>
Hi Paul,
Thanks for your work~! But I'm sorry to say I've tested this patch with
a kernel 3.10.53 and met a panic while booting. I think it's caused by
this patch.
Could you please take some time to look at this? Did I do something
wrong?
Thanks~!
Hu
INIT: Entering runlevel: 3
Starting OpenBSD Secure Shell server: sshd
done.
Starting audit daemon auditd
[ 25.257694] type=1305 audit(1417530900.169:2): audit_pid=1348 old=0 auid=4294967295 ses=4294967295
[ 25.257694] res=1
Starting domain name service: namedwrote key file "/etc/bind/rndc.key"
.
hwclock: can't open '/dev/misc/rtc': No such file or directory
Starting ntpd: done
Starting syslog-ng:[ 25.623155] Unable to handle kernel NULL pointer dereference at virtual address 00000001
[ 25.631287] pgd = c5a1c000
[ 25.633994] [00000001] *pgd=85880831, *pte=00000000, *ppte=00000000
[ 25.640295] Internal error: Oops: 17 [#1] SMP ARM
[ 25.644993] Modules linked in: ipv6
[ 25.648507] CPU: 0 PID: 1375 Comm: syslog-ng Not tainted 3.10.53 #1
[ 25.655286] task: ef34ac00 ti: c5ae6000 task.ti: c5ae6000
[ 25.660681] PC is at strlen+0xc/0x20
[ 25.664264] LR is at audit_compare_dname_path+0x20/0x68
[ 25.669484] pc : [<c01906f0>] lr : [<c007fe30>] psr: 600f0013
[ 25.669484] sp : c5ae7e58 ip : 00000000 fp : ef349c44
[ 25.680944] r10: 0000c1ed r9 : ef26c1a8 r8 : ee74ef0c
[ 25.686162] r7 : ee74eee0 r6 : 00000003 r5 : 00000001 r4 : 00000005
[ 25.692679] r3 : 00000002 r2 : 00000001 r1 : 00000000 r0 : 00000001
[ 25.699198] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 25.706323] Control: 18c53c7d Table: 85a1c04a DAC: 00000015
[ 25.712061] Process syslog-ng (pid: 1375, stack limit = 0xc5ae6238)
[ 25.718319] Stack: (0xc5ae7e58 to 0xc5ae8000)
[ 25.722672] 7e40: ef349c00 00000000
[ 25.730841] 7e60: ef349dd8 ee74eee0 ee74ef0c c0080504 ef26c1a8 00000004 00000004 ef26c1a8
[ 25.739009] 7e80: c5815680 ee74eee0 0000c1ed 00000000 00000001 0000c1ed 0000000b c00fa2c4
[ 25.747178] 7ea0: ef26c1a8 ee74eee0 dd79fc00 c5815680 00000000 ee74eee0 c581581c c02b6550
[ 25.755346] 7ec0: c5bfd015 c5bfd010 00000000 c048e000 ef26c1a8 00000001 00000002 c5ae6000
[ 25.763514] 7ee0: dd9b96d0 ee71ac38 c5ae7f18 eec45800 0000000b 01357070 0000011a c000e1e4
[ 25.771682] 7f00: c5ae6000 00000200 00000000 c022fcf4 00000000 00000000 642f0001 6c2f7665
[ 25.779850] 7f20: 0000676f dd7eb400 ef34ac00 c04a6270 c5ae7f48 c04a6368 00000001 c0081d14
[ 25.788016] 7f40: c5ae7f48 000000c3 ef349c00 ef349c00 00000001 0000011a ef349c00 00000001
[ 25.796183] 7f60: c5ae7f68 c0082108 547dce14 202fbeff 00000008 c5ae7f88 c5ae6000 0000011a
[ 25.804351] 7f80: 0000011a c001037c 0000000b 01357060 0000000b 01357060 01357060 00000008
[ 25.812520] 7fa0: beaf8a2c c000e1c8 01357060 00000008 00000008 01357070 0000000b 01357060
[ 25.820687] 7fc0: 01357060 00000008 beaf8a2c 0000011a 01350ba8 00000000 4fa97000 00000000
[ 25.828855] 7fe0: b6d8e870 beaf88ec b6f43ee0 b6d8e87c 600f0010 00000008 af7fd821 af7fdc21
[ 25.837031] [<c01906f0>] (strlen+0xc/0x20) from [<c007fe30>] (audit_compare_dname_path+0x20/0x68)
[ 25.845899] [<c007fe30>] (audit_compare_dname_path+0x20/0x68) from [<c0080504>] (__audit_inode_child+0x124/0x26c)
[ 25.856153] [<c0080504>] (__audit_inode_child+0x124/0x26c) from [<c00fa2c4>] (vfs_mknod+0x138/0x158)
[ 25.865285] [<c00fa2c4>] (vfs_mknod+0x138/0x158) from [<c02b6550>] (unix_bind+0x114/0x2b8)
[ 25.873552] [<c02b6550>] (unix_bind+0x114/0x2b8) from [<c022fcf4>] (SyS_bind+0x5c/0x80)
[ 25.881556] [<c022fcf4>] (SyS_bind+0x5c/0x80) from [<c000e1c8>] (__sys_trace_return+0x0/0x18)
[ 25.890072] Code: c02f1948 e1a03000 e1a02003 e2833001 (e5d21000)
[ 25.896176] ---[ end trace 2f04133705b763f6 ]---
[ 25.900790] Kernel panic - not syncing: Fatal exception
More information about the Linux-audit
mailing list