[RFC][PATCH 3/3] audit: Audit proc cmdline value
William Roberts
bill.c.roberts at gmail.com
Mon Jan 6 17:30:31 UTC 2014
On Mon, Jan 6, 2014 at 9:08 AM, Mateusz Guzik <mguzik at redhat.com> wrote:
> I can't comment on the concept, but have one nit.
FYI: The concept is something that has been in the works and at least ackd on
by the current maintainer of audit:
http://marc.info/?l=linux-kernel&m=138660320704580&w=2
>
> On Mon, Jan 06, 2014 at 07:30:30AM -0800, William Roberts wrote:
>> +static void audit_log_cmdline(struct audit_buffer *ab, struct task_struct *tsk,
>> + struct audit_context *context)
>> +{
>> + int res;
>> + char *buf;
>> + char *msg = "(null)";
>> + audit_log_format(ab, " cmdline=");
>> +
>> + /* Not cached */
>> + if (!context->cmdline) {
>> + buf = kmalloc(PATH_MAX, GFP_KERNEL);
>> + if (!buf)
>> + goto out;
>> + res = get_cmdline(tsk, buf, PATH_MAX);
>> + /* Ensure NULL terminated */
>> + if (buf[res-1] != '\0')
>> + buf[res-1] = '\0';
>
> This accesses memory below the buffer if get_cmdline returned 0, which I
> believe will be the case when someone jokingly unmaps the area (all
> maybe when it is swapped out but can't be swapped in due to I/O errors).
>
Yeah that's not a nit, that's a serious issue and I will correct. Thanks.
> Also since you are just putting 0 in there anyway I don't see much point
> in testing for it.
>
>> + context->cmdline = buf;
>> + }
>> + msg = context->cmdline;
>> +out:
>> + audit_log_untrustedstring(ab, msg);
>> +}
>> +
>
>
>
> --
> Mateusz Guzik
--
Respectfully,
William C Roberts
More information about the Linux-audit
mailing list