Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c

Richard Guy Briggs rgb at redhat.com
Mon Jun 20 18:22:15 UTC 2016


On 2016-06-20 14:50, Pengfei Wang wrote:
> Hello,
> 
> I found this Double-Fetch issue in Linux-4.6.1/kernel/auditsc.c when I
> was examining the source code, which I think is a bug.
> 
> In function audit_log_single_execve_arg(), the whole argument is
> fetched from user space twice via copy_from_user(). In the first loop,
> it is firstly fetched (line 1038) to verify, aka looking for non-ascii
> chars. While in the second loop, the whole argument is fetched again
> (line 1105) from user space and used at line 1121 and line 1123
> respectively, depending on the previous verification.
> 
> However, a double fetch problem happens when the user space fetched
> data is changed by a concurrently running user thread under a race
> condition between the verification and the usage, and the data
> inconsistency will cause serious problems. In this case, the verified
> non-ascii argument from the first loop is likely to be changed to an
> ascii one (i.e. containing '"') which will be used in the second
> loop. Then the argument is passed to audit_log_string() as non-ascii,
> and then moves forward in audit_log_n_string() of file audit.c, where the
> string is enclosed with quote marks as well. Since the string contains
> another quote mark in the middle, problems will happen when processing
> the string based on quote marks, e.g. the string will be recognized as
> a shorter one based on the middle quote mark. I believe other
> consequences are also likely to be caused once the non-control string
> is treated as a control string, or vice versa, which is very likely to
> happen under double fetch situations.

This function is only ever called by __audit_free(), which is only ever
called on failure of task creation or on exit of the task, so in neither
case can anything else change it.

I don't think what you describe will ever happen.

> I am looking forward to a reply to confirm this, thank you!
> 
> Kind regards
> 
> Pengfei

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
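As an added illustration (not code from this thread or from the kernel), the following user-space C model shows the pattern the report describes: a validation pass over one copy_from_user() copy and an output pass over a second copy, beside the single-fetch form that validates and emits the same copy. user_arg, racer_insert_quote and the quote/hex rules are constructed stand-ins, and the model says nothing about whether a racing thread can exist at the real call site.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a user-space argv buffer; a racing user thread
 * may rewrite it between two copy_from_user() calls. */
static char user_arg[32];
static void fetch_from_user(char *dst, size_t len) { memcpy(dst, user_arg, len); }
/* Racing thread: swaps the clean argument for one carrying an embedded quote. */
static void racer_insert_quote(void) { memcpy(user_arg, "a\"c", 3); }

/* Validation pass: a quote, control or non-ASCII byte means "hex-encode". */
static bool needs_hex(const char *s, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (s[i] == '"' || (unsigned char)s[i] < 0x21 || (unsigned char)s[i] > 0x7e)
            return true;
    return false;
}
/* Output pass: hex digits if flagged, otherwise the string wrapped in quotes. */
static void emit(char *out, size_t outlen, const char *s, size_t len, bool hex) {
    if (!hex) { snprintf(out, outlen, "\"%.*s\"", (int)len, s); return; }
    for (size_t i = 0, pos = 0; i < len && pos + 2 < outlen; i++, pos += 2)
        snprintf(out + pos, outlen - pos, "%02X", (unsigned char)s[i]);
}
/* Double-fetch pattern: decide on copy #1, then refetch and emit copy #2. */
static void log_arg_double_fetch(char *out, size_t outlen, size_t len) {
    char tmp[32];
    fetch_from_user(tmp, len);
    bool hex = needs_hex(tmp, len);   /* verdict belongs to copy #1 */
    racer_insert_quote();             /* user thread wins the race */
    fetch_from_user(tmp, len);        /* copy #2 no longer matches the verdict */
    emit(out, outlen, tmp, len, hex);
}
/* Single-fetch fix: copy once, then validate and emit that same copy. */
static void log_arg_single_fetch(char *out, size_t outlen, size_t len) {
    char tmp[32];
    fetch_from_user(tmp, len);
    racer_insert_quote();             /* too late: the kernel copy is fixed */
    emit(out, outlen, tmp, len, needs_hex(tmp, len));
}
/* Runs one scenario on the constructed argument "abc" and returns how many quote
 * characters the emitted record contains: 2 is well-formed, 3 is a broken record. */
int quote_count_after_race(bool single_fetch) {
    char out[64]; int n = 0;
    memcpy(user_arg, "abc", 3);
    if (single_fetch) log_arg_single_fetch(out, sizeof out, 3);
    else              log_arg_double_fetch(out, sizeof out, 3);
    for (const char *p = out; *p; p++) n += (*p == '"');
    return n;
}
```

The double-fetch path emits `"a"c"`, a quoted field with a stray quote inside it, while the single-fetch path emits `"abc"` regardless of what the racer does after the copy.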
