Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit

Pull audit fix from Paul Moore: "One audit patch to resolve a panic/oops when recording filenames in the audit log, see the mail archive link below. The fix isn't as nice as I would like, as it involves an allocate/copy of the filename, but it solves the problem and the overhead should only affect users who have configured audit rules involving file names. We'll revisit this issue with future kernels in an attempt to make this suck less, but in the meantime I think this fix should go into the next release of v3.19-rcX. [ https://marc.info/?t=141986927600001&r=1&w=2 ]" * 'upstream' of git://git.infradead.org/users/pcmoore/audit: audit: create private file name copies when auditing inodes
author: Linus Torvalds <torvalds@linux-foundation.org> 2014-12-31 17:52:18 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-12-31 17:52:18 -0500
commit: 5e0f872c7d7e371fbdf09e864eddd24bddfda8fe (patch)
tree: 4c48140fd3a7131622c0ec454e82870f2cba88c2 /kernel/auditsc.c
parent: 7f4054836d811c650c51f9c93088f8ebd61b0020 (diff)
parent: fcf22d8267ad2601fe9b6c549d1be96401c23e0b (diff)
1 files changed, 40 insertions, 9 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 37c69ab561da..072566dd0caf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -72,6 +72,8 @@
 #include <linux/fs_struct.h>
 #include <linux/compat.h>
 #include <linux/ctype.h>
+#include <linux/string.h>
+#include <uapi/linux/limits.h>
 #include "audit.h"
@@ -1861,8 +1863,7 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
        }
        list_for_each_entry_reverse(n, &context->names_list, list) {
-                /* does the name pointer match? */
+                if (!n->name || strcmp(n->name->name, name->name))
-                if (!n->name || n->name->name != name->name)
                        continue;
                /* match the correct record type */
@@ -1881,14 +1882,44 @@ out_alloc:
        n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
        if (!n)
                return;
-        if (name)
+        /* unfortunately, while we may have a path name to record with the
-                /* since name is not NULL we know there is already a matching
+         * inode, we can't always rely on the string lasting until the end of
-                 * name record, see audit_getname(), so there must be a type
+         * the syscall so we need to create our own copy, it may fail due to
-                 * mismatch; reuse the string path since the original name
+         * memory allocation issues, but we do our best */
-                 * record will keep the string valid until we free it in
+        if (name) {
-                 * audit_free_names() */
+                /* we can't use getname_kernel() due to size limits */
-                n->name = name;
+                size_t len = strlen(name->name) + 1;
+                struct filename *new = __getname();
+                if (unlikely(!new))
+                        goto out;
+                if (len <= (PATH_MAX - sizeof(*new))) {
+                        new->name = (char *)(new) + sizeof(*new);
+                        new->separate = false;
+                } else if (len <= PATH_MAX) {
+                        /* this looks odd, but is due to final_putname() */
+                        struct filename *new2;
+                        new2 = kmalloc(sizeof(*new2), GFP_KERNEL);
+                        if (unlikely(!new2)) {
+                                __putname(new);
+                                goto out;
+                        }
+                        new2->name = (char *)new;
+                        new2->separate = true;
+                        new = new2;
+                } else {
+                        /* we should never get here, but let's be safe */
+                        __putname(new);
+                        goto out;
+                }
+                strlcpy((char *)new->name, name->name, len);
+                new->uptr = NULL;
+                new->aname = n;
+                n->name = new;
+                n->name_put = true;
+        }
 out:
        if (parent) {
                n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
author	Linus Torvalds <torvalds@linux-foundation.org>	2014-12-31 17:52:18 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-12-31 17:52:18 -0500
commit	5e0f872c7d7e371fbdf09e864eddd24bddfda8fe (patch)
tree	4c48140fd3a7131622c0ec454e82870f2cba88c2 /kernel/auditsc.c
parent	7f4054836d811c650c51f9c93088f8ebd61b0020 (diff)
parent	fcf22d8267ad2601fe9b6c549d1be96401c23e0b (diff)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 37c69ab561da..072566dd0caf 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -72,6 +72,8 @@
72	#include <linux/fs_struct.h>	72	#include <linux/fs_struct.h>
73	#include <linux/compat.h>	73	#include <linux/compat.h>
74	#include <linux/ctype.h>	74	#include <linux/ctype.h>
		75	#include <linux/string.h>
		76	#include <uapi/linux/limits.h>
75		77
76	#include "audit.h"	78	#include "audit.h"
77		79
@@ -1861,8 +1863,7 @@ void __audit_inode(struct filename name, const struct dentry dentry,
1861	}	1863	}
1862		1864
1863	list_for_each_entry_reverse(n, &context->names_list, list) {	1865	list_for_each_entry_reverse(n, &context->names_list, list) {
1864	/* does the name pointer match? */	1866	if (!n->name \|\| strcmp(n->name->name, name->name))
1865	if (!n->name \|\| n->name->name != name->name)
1866	continue;	1867	continue;
1867		1868
1868	/* match the correct record type */	1869	/* match the correct record type */
@@ -1881,14 +1882,44 @@ out_alloc:
1881	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);	1882	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1882	if (!n)	1883	if (!n)
1883	return;	1884	return;
1884	if (name)	1885	/* unfortunately, while we may have a path name to record with the
1885	/* since name is not NULL we know there is already a matching	1886	* inode, we can't always rely on the string lasting until the end of
1886	* name record, see audit_getname(), so there must be a type	1887	* the syscall so we need to create our own copy, it may fail due to
1887	* mismatch; reuse the string path since the original name	1888	* memory allocation issues, but we do our best */
1888	* record will keep the string valid until we free it in	1889	if (name) {
1889	* audit_free_names() */	1890	/* we can't use getname_kernel() due to size limits */
1890	n->name = name;	1891	size_t len = strlen(name->name) + 1;
		1892	struct filename *new = __getname();
		1893
		1894	if (unlikely(!new))
		1895	goto out;
		1896
		1897	if (len <= (PATH_MAX - sizeof(*new))) {
		1898	new->name = (char )(new) + sizeof(new);
		1899	new->separate = false;
		1900	} else if (len <= PATH_MAX) {
		1901	/* this looks odd, but is due to final_putname() */
		1902	struct filename *new2;
1891		1903
		1904	new2 = kmalloc(sizeof(*new2), GFP_KERNEL);
		1905	if (unlikely(!new2)) {
		1906	__putname(new);
		1907	goto out;
		1908	}
		1909	new2->name = (char *)new;
		1910	new2->separate = true;
		1911	new = new2;
		1912	} else {
		1913	/* we should never get here, but let's be safe */
		1914	__putname(new);
		1915	goto out;
		1916	}
		1917	strlcpy((char *)new->name, name->name, len);
		1918	new->uptr = NULL;
		1919	new->aname = n;
		1920	n->name = new;
		1921	n->name_put = true;
		1922	}
1892	out:	1923	out:
1893	if (parent) {	1924	if (parent) {
1894	n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;	1925	n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;