author | Peter Zijlstra <a.p.zijlstra@chello.nl> | 2007-07-27 18:55:18 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-28 22:42:22 -0400 |
commit | 040b3a2df2dd26c3e401823f3b0ce3fe99e966c5 (patch) | |
tree | dbf88e0023db86669e775ed2ab4c5fb55186ffe0 /kernel | |
parent | 0af3678f7c5872836d1cc8d7c659abd62c3c5ae7 (diff) |
audit: fix two bugs in the new execve audit code
copy_from_user() returns the number of bytes not copied, hence 0 is the
expected output.
axi->mm might not be valid anymore when not equal to current->mm, do not
dereference before checking that - thanks to Al for spotting that.
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Tested-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/auditsc.c | 6 |
1 files changed, 4 insertions, 2 deletions
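--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -824,12 +824,14 @@ static void audit_log_execve_info(struct audit_buffer *ab,
 {
 int i;
 long len, ret;
-const char __user *p = (const char __user *)axi->mm->arg_start;
+const char __user *p;
 char *buf;
 
 if (axi->mm != current->mm)
 return; /* execve failed, no additional info */
 
+p = (const char __user *)axi->mm->arg_start;
+
 for (i = 0; i < axi->argc; i++, p += len) {
 len = strnlen_user(p, MAX_ARG_STRLEN);
 /*
@@ -855,7 +857,7 @@ static void audit_log_execve_info(struct audit_buffer *ab,
 * copied them here, and the mm hasn't been exposed to user-
 * space yet.
 */
-if (!ret) {
+if (ret) {
 WARN_ON(1);
 send_sig(SIGKILL, current, 0);
 }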
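Review bot: The corrected `if (ret)` branch in the second hunk still has no exit. After `WARN_ON(1)` and `send_sig(SIGKILL, current, 0)`, control runs past the closing brace, and send_sig() only queues the signal, so the rest of the loop body still executes for this argument. The code after the brace is outside the hunk, but if it goes on to log `buf`, a short copy would put whatever the uncopied tail of the buffer held into the audit record. Leaving the function inside the branch would avoid that, e.g. `kfree(buf); return;` after the send_sig() call, assuming `buf` is the per-argument allocation made earlier in the loop (not visible here). A short comment above the test, such as `/* copy_from_user() returns the number of bytes NOT copied */`, would also help keep the inverted check from coming back.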