[RFC PATCH] audit: correctly record file names with different path name types

hujianyang hujianyang at huawei.com
Tue Dec 2 07:12:25 UTC 2014


On 2014/12/2 5:27, Paul Moore wrote:
> ---
>  kernel/auditsc.c |   14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 21eae3c..ff99c05 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1886,12 +1886,18 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
>  	}
>  
>  out_alloc:
> -	/* unable to find the name from a previous getname(). Allocate a new
> -	 * anonymous entry.
> -	 */
> -	n = audit_alloc_name(context, AUDIT_TYPE_NORMAL);
> +	/* unable to find an entry with both a matching name and type */
> +	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
>  	if (!n)
>  		return;
> +	if (name)
> +		/* since name is not NULL we know there is already a matching
> +		 * name record, see audit_getname(), so there must be a type
> +		 * mismatch; reuse the string path since the original name
> +		 * record will keep the string valid until we free it in
> +		 * audit_free_names() */
> +		n->name = name;
> +
>  out:
>  	if (parent) {
>  		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
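Review bot: The `n->name = name;` assignment under `if (name)` makes the new entry alias a string that another names-list entry owns, and nothing in this hunk takes a reference or marks the new entry as a borrower. The comment's guarantee depends on how audit_free_names() walks and releases entries, so if that path releases the name of every entry that has one, the shared string would be released twice or read after release. Please either take a reference here or record on the new entry that it does not own the name, and spell that contract out in the comment. Also, when `name` is NULL the fallback entry is now typed AUDIT_TYPE_UNKNOWN rather than AUDIT_TYPE_NORMAL with `n->name` left unset; a sentence in the comment on which later lookups are expected to match such an entry would help. Style: the `if (name)` body spans several lines with its comment, so it should be wrapped in braces.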

Hi Paul,

Thanks for your work~! But I'm sorry to say I've tested this patch with
a 3.10.53 kernel and hit a panic while booting. I think it's caused by
this patch.

Could you please take some time to look at this? Did I do something
wrong?


Thanks~!

Hu


INIT: Entering runlevel: 3
Starting OpenBSD Secure Shell server: sshd
done.
Starting audit daemon auditd
[   25.257694] type=1305 audit(1417530900.169:2): audit_pid=1348 old=0 auid=4294967295 ses=4294967295
[   25.257694]  res=1
Starting domain name service: namedwrote key file "/etc/bind/rndc.key"
.
hwclock: can't open '/dev/misc/rtc': No such file or directory
Starting ntpd: done
Starting syslog-ng:[   25.623155] Unable to handle kernel NULL pointer dereference at virtual address 00000001
[   25.631287] pgd = c5a1c000
[   25.633994] [00000001] *pgd=85880831, *pte=00000000, *ppte=00000000
[   25.640295] Internal error: Oops: 17 [#1] SMP ARM
[   25.644993] Modules linked in: ipv6
[   25.648507] CPU: 0 PID: 1375 Comm: syslog-ng Not tainted 3.10.53 #1
[   25.655286] task: ef34ac00 ti: c5ae6000 task.ti: c5ae6000
[   25.660681] PC is at strlen+0xc/0x20
[   25.664264] LR is at audit_compare_dname_path+0x20/0x68
[   25.669484] pc : [<c01906f0>]    lr : [<c007fe30>]    psr: 600f0013
[   25.669484] sp : c5ae7e58  ip : 00000000  fp : ef349c44
[   25.680944] r10: 0000c1ed  r9 : ef26c1a8  r8 : ee74ef0c
[   25.686162] r7 : ee74eee0  r6 : 00000003  r5 : 00000001  r4 : 00000005
[   25.692679] r3 : 00000002  r2 : 00000001  r1 : 00000000  r0 : 00000001
[   25.699198] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   25.706323] Control: 18c53c7d  Table: 85a1c04a  DAC: 00000015
[   25.712061] Process syslog-ng (pid: 1375, stack limit = 0xc5ae6238)
[   25.718319] Stack: (0xc5ae7e58 to 0xc5ae8000)
[   25.837031] [<c01906f0>] (strlen+0xc/0x20) from [<c007fe30>] (audit_compare_dname_path+0x20/0x68)
[   25.845899] [<c007fe30>] (audit_compare_dname_path+0x20/0x68) from [<c0080504>] (__audit_inode_child+0x124/0x26c)
[   25.856153] [<c0080504>] (__audit_inode_child+0x124/0x26c) from [<c00fa2c4>] (vfs_mknod+0x138/0x158)
[   25.865285] [<c00fa2c4>] (vfs_mknod+0x138/0x158) from [<c02b6550>] (unix_bind+0x114/0x2b8)
[   25.873552] [<c02b6550>] (unix_bind+0x114/0x2b8) from [<c022fcf4>] (SyS_bind+0x5c/0x80)
[   25.881556] [<c022fcf4>] (SyS_bind+0x5c/0x80) from [<c000e1c8>] (__sys_trace_return+0x0/0x18)
[   25.890072] Code: c02f1948 e1a03000 e1a02003 e2833001 (e5d21000)
[   25.896176] ---[ end trace 2f04133705b763f6 ]---
[   25.900790] Kernel panic - not syncing: Fatal exception



