diff options
author | Vesa-Matti J Kari <vmkari@cc.helsinki.fi> | 2008-07-22 17:06:13 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-08-01 12:05:35 -0400 |
commit | 1d6c9649e236caa2e93e3647256216e57172b011 (patch) | |
tree | f2ddd51635a3aac71d11e6d6ae4d4dc698c120f5 | |
parent | ee1d315663ee0b494898f813a266d6244b263b4f (diff) |
kernel/audit.c control character detection is off-by-one
Hello,
According to my understanding there is an off-by-one bug in the
function:
audit_string_contains_control()
in:
kernel/audit.c
Patch is included.
I do not know from how many places the function is called from, but for
example, SELinux Access Vector Cache tries to log untrusted filenames via
call path:
avc_audit()
audit_log_untrustedstring()
audit_log_n_untrustedstring()
audit_string_contains_control()
If audit_string_contains_control() detects control characters, then the
string is hex-encoded. But the hex=0x7f dec=127, DEL-character, is not
detected.
I guess this could have at least some minor security implications, since a
user can create a filename with 0x7f in it, causing logged filename to
possibly look different when someone reads it on the terminal.
Signed-off-by: Vesa-Matti Kari <vmkari@cc.helsinki.fi>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | kernel/audit.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index e092f1c0ce30..6d903182c6b7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -1366,7 +1366,7 @@ int audit_string_contains_control(const char *string, size_t len) | |||
1366 | { | 1366 | { |
1367 | const unsigned char *p; | 1367 | const unsigned char *p; |
1368 | for (p = string; p < (const unsigned char *)string + len && *p; p++) { | 1368 | for (p = string; p < (const unsigned char *)string + len && *p; p++) { |
1369 | if (*p == '"' || *p < 0x21 || *p > 0x7f) | 1369 | if (*p == '"' || *p < 0x21 || *p > 0x7e) |
1370 | return 1; | 1370 | return 1; |
1371 | } | 1371 | } |
1372 | return 0; | 1372 | return 0; |