diff options
| author | Kees Cook <keescook@chromium.org> | 2013-01-11 17:32:07 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-01-11 17:54:55 -0500 |
| commit | 0644ec0cc8a33fb654e348897ad7684e22a4b5d8 (patch) | |
| tree | 95a0532a89fdd148593c4bd52faa055d308e3380 /kernel | |
| parent | 7b9205bd775afc4439ed86d617f9042ee9e76a71 (diff) | |
audit: catch possible NULL audit buffers
It's possible for audit_log_start() to return NULL. Handle it in the
various callers.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Jeff Layton <jlayton@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Julien Tinnes <jln@google.com>
Cc: Will Drewry <wad@google.com>
Cc: Steve Grubb <sgrubb@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/audit.c | 4 | ||||
| -rw-r--r-- | kernel/audit_tree.c | 26 | ||||
| -rw-r--r-- | kernel/audit_watch.c | 2 | ||||
| -rw-r--r-- | kernel/auditsc.c | 6 |
4 files changed, 27 insertions, 11 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 40414e9143db..a219998aecc1 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -272,6 +272,8 @@ static int audit_log_config_change(char *function_name, int new, int old, | |||
| 272 | int rc = 0; | 272 | int rc = 0; |
| 273 | 273 | ||
| 274 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 274 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); |
| 275 | if (unlikely(!ab)) | ||
| 276 | return rc; | ||
| 275 | audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new, | 277 | audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new, |
| 276 | old, from_kuid(&init_user_ns, loginuid), sessionid); | 278 | old, from_kuid(&init_user_ns, loginuid), sessionid); |
| 277 | if (sid) { | 279 | if (sid) { |
| @@ -619,6 +621,8 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, | |||
| 619 | } | 621 | } |
| 620 | 622 | ||
| 621 | *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); | 623 | *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); |
| 624 | if (unlikely(!*ab)) | ||
| 625 | return rc; | ||
| 622 | audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u", | 626 | audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u", |
| 623 | task_tgid_vnr(current), | 627 | task_tgid_vnr(current), |
| 624 | from_kuid(&init_user_ns, current_uid()), | 628 | from_kuid(&init_user_ns, current_uid()), |
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index e81175ef25f8..642a89c4f3d6 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c | |||
| @@ -449,11 +449,26 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) | |||
| 449 | return 0; | 449 | return 0; |
| 450 | } | 450 | } |
| 451 | 451 | ||
| 452 | static void audit_log_remove_rule(struct audit_krule *rule) | ||
| 453 | { | ||
| 454 | struct audit_buffer *ab; | ||
| 455 | |||
| 456 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | ||
| 457 | if (unlikely(!ab)) | ||
| 458 | return; | ||
| 459 | audit_log_format(ab, "op="); | ||
| 460 | audit_log_string(ab, "remove rule"); | ||
| 461 | audit_log_format(ab, " dir="); | ||
| 462 | audit_log_untrustedstring(ab, rule->tree->pathname); | ||
| 463 | audit_log_key(ab, rule->filterkey); | ||
| 464 | audit_log_format(ab, " list=%d res=1", rule->listnr); | ||
| 465 | audit_log_end(ab); | ||
| 466 | } | ||
| 467 | |||
| 452 | static void kill_rules(struct audit_tree *tree) | 468 | static void kill_rules(struct audit_tree *tree) |
| 453 | { | 469 | { |
| 454 | struct audit_krule *rule, *next; | 470 | struct audit_krule *rule, *next; |
| 455 | struct audit_entry *entry; | 471 | struct audit_entry *entry; |
| 456 | struct audit_buffer *ab; | ||
| 457 | 472 | ||
| 458 | list_for_each_entry_safe(rule, next, &tree->rules, rlist) { | 473 | list_for_each_entry_safe(rule, next, &tree->rules, rlist) { |
| 459 | entry = container_of(rule, struct audit_entry, rule); | 474 | entry = container_of(rule, struct audit_entry, rule); |
| @@ -461,14 +476,7 @@ static void kill_rules(struct audit_tree *tree) | |||
| 461 | list_del_init(&rule->rlist); | 476 | list_del_init(&rule->rlist); |
| 462 | if (rule->tree) { | 477 | if (rule->tree) { |
| 463 | /* not a half-baked one */ | 478 | /* not a half-baked one */ |
| 464 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 479 | audit_log_remove_rule(rule); |
| 465 | audit_log_format(ab, "op="); | ||
| 466 | audit_log_string(ab, "remove rule"); | ||
| 467 | audit_log_format(ab, " dir="); | ||
| 468 | audit_log_untrustedstring(ab, rule->tree->pathname); | ||
| 469 | audit_log_key(ab, rule->filterkey); | ||
| 470 | audit_log_format(ab, " list=%d res=1", rule->listnr); | ||
| 471 | audit_log_end(ab); | ||
| 472 | rule->tree = NULL; | 480 | rule->tree = NULL; |
| 473 | list_del_rcu(&entry->list); | 481 | list_del_rcu(&entry->list); |
| 474 | list_del(&entry->rule.list); | 482 | list_del(&entry->rule.list); |
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 4a599f699adc..22831c4d369c 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c | |||
| @@ -240,6 +240,8 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc | |||
| 240 | if (audit_enabled) { | 240 | if (audit_enabled) { |
| 241 | struct audit_buffer *ab; | 241 | struct audit_buffer *ab; |
| 242 | ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); | 242 | ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); |
| 243 | if (unlikely(!ab)) | ||
| 244 | return; | ||
| 243 | audit_log_format(ab, "auid=%u ses=%u op=", | 245 | audit_log_format(ab, "auid=%u ses=%u op=", |
| 244 | from_kuid(&init_user_ns, audit_get_loginuid(current)), | 246 | from_kuid(&init_user_ns, audit_get_loginuid(current)), |
| 245 | audit_get_sessionid(current)); | 247 | audit_get_sessionid(current)); |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3e46d1dec613..a371f857a0a9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -1464,14 +1464,14 @@ static void show_special(struct audit_context *context, int *call_panic) | |||
| 1464 | audit_log_end(ab); | 1464 | audit_log_end(ab); |
| 1465 | ab = audit_log_start(context, GFP_KERNEL, | 1465 | ab = audit_log_start(context, GFP_KERNEL, |
| 1466 | AUDIT_IPC_SET_PERM); | 1466 | AUDIT_IPC_SET_PERM); |
| 1467 | if (unlikely(!ab)) | ||
| 1468 | return; | ||
| 1467 | audit_log_format(ab, | 1469 | audit_log_format(ab, |
| 1468 | "qbytes=%lx ouid=%u ogid=%u mode=%#ho", | 1470 | "qbytes=%lx ouid=%u ogid=%u mode=%#ho", |
| 1469 | context->ipc.qbytes, | 1471 | context->ipc.qbytes, |
| 1470 | context->ipc.perm_uid, | 1472 | context->ipc.perm_uid, |
| 1471 | context->ipc.perm_gid, | 1473 | context->ipc.perm_gid, |
| 1472 | context->ipc.perm_mode); | 1474 | context->ipc.perm_mode); |
| 1473 | if (!ab) | ||
| 1474 | return; | ||
| 1475 | } | 1475 | } |
| 1476 | break; } | 1476 | break; } |
| 1477 | case AUDIT_MQ_OPEN: { | 1477 | case AUDIT_MQ_OPEN: { |
| @@ -2720,6 +2720,8 @@ void audit_core_dumps(long signr) | |||
| 2720 | return; | 2720 | return; |
| 2721 | 2721 | ||
| 2722 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); | 2722 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); |
| 2723 | if (unlikely(!ab)) | ||
| 2724 | return; | ||
| 2723 | audit_log_abend(ab, "memory violation", signr); | 2725 | audit_log_abend(ab, "memory violation", signr); |
| 2724 | audit_log_end(ab); | 2726 | audit_log_end(ab); |
| 2725 | } | 2727 | } |