aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorVesa-Matti J Kari <vmkari@cc.helsinki.fi>2008-07-22 17:06:13 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2008-08-01 12:05:35 -0400
commit1d6c9649e236caa2e93e3647256216e57172b011 (patch)
treef2ddd51635a3aac71d11e6d6ae4d4dc698c120f5 /kernel
parentee1d315663ee0b494898f813a266d6244b263b4f (diff)
kernel/audit.c control character detection is off-by-one
Hello, According to my understanding there is an off-by-one bug in the function: audit_string_contains_control() in: kernel/audit.c Patch is included. I do not know from how many places the function is called from, but for example, SELinux Access Vector Cache tries to log untrusted filenames via call path: avc_audit() audit_log_untrustedstring() audit_log_n_untrustedstring() audit_string_contains_control() If audit_string_contains_control() detects control characters, then the string is hex-encoded. But the hex=0x7f dec=127, DEL-character, is not detected. I guess this could have at least some minor security implications, since a user can create a filename with 0x7f in it, causing logged filename to possibly look different when someone reads it on the terminal. Signed-off-by: Vesa-Matti Kari <vmkari@cc.helsinki.fi> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index e092f1c0ce3..6d903182c6b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1366,7 +1366,7 @@ int audit_string_contains_control(const char *string, size_t len)
1366{ 1366{
1367 const unsigned char *p; 1367 const unsigned char *p;
1368 for (p = string; p < (const unsigned char *)string + len && *p; p++) { 1368 for (p = string; p < (const unsigned char *)string + len && *p; p++) {
1369 if (*p == '"' || *p < 0x21 || *p > 0x7f) 1369 if (*p == '"' || *p < 0x21 || *p > 0x7e)
1370 return 1; 1370 return 1;
1371 } 1371 }
1372 return 0; 1372 return 0;