aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorRichard Guy Briggs <rgb@redhat.com>2015-04-14 11:01:02 -0400
committerJames Morris <james.l.morris@oracle.com>2015-04-14 20:13:20 -0400
commit5deeb5cece3f9b30c8129786726b9d02c412c8ca (patch)
tree65ca929e44dc78b71be07d22091041f6dc80b936 /security
parent3add594bf60a901ba973cdcdafd47af2aac0ac1c (diff)
lsm: copy comm before calling audit_log to avoid race in string printing
When task->comm is passed directly to audit_log_untrustedstring() without getting a copy or using the task_lock, there is a race that could happen that would output a NULL (\0) in the middle of the output string that would effectively truncate the rest of the report text after the comm= field in the audit log message, losing fields. Using get_task_comm() to get a copy while acquiring the task_lock to prevent this and to prevent the result from being a mixture of old and new values of comm would incur potentially unacceptable overhead, considering that the value can be influenced by userspace and therefore untrusted anyways. Copy the value before passing it to audit_log_untrustedstring() ensures that a local copy is used to calculate the length *and* subsequently printed. Even if this value contains a mix of old and new values, it will only calculate and copy up to the first NULL, preventing the rest of the audit log message being truncated. Use a second local copy of comm to avoid a race between the first and second calls to audit_log_untrustedstring() with comm. Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security')
-rw-r--r--security/lsm_audit.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 69fdf3bc765b..b526ddc3add5 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -211,7 +211,7 @@ static inline void print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
211static void dump_common_audit_data(struct audit_buffer *ab, 211static void dump_common_audit_data(struct audit_buffer *ab,
212 struct common_audit_data *a) 212 struct common_audit_data *a)
213{ 213{
214 struct task_struct *tsk = current; 214 char comm[sizeof(current->comm)];
215 215
216 /* 216 /*
217 * To keep stack sizes in check force programers to notice if they 217 * To keep stack sizes in check force programers to notice if they
@@ -220,8 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
220 */ 220 */
221 BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2); 221 BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
222 222
223 audit_log_format(ab, " pid=%d comm=", task_pid_nr(tsk)); 223 audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
224 audit_log_untrustedstring(ab, tsk->comm); 224 audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
225 225
226 switch (a->type) { 226 switch (a->type) {
227 case LSM_AUDIT_DATA_NONE: 227 case LSM_AUDIT_DATA_NONE:
@@ -276,16 +276,19 @@ static void dump_common_audit_data(struct audit_buffer *ab,
276 audit_log_format(ab, " ino=%lu", inode->i_ino); 276 audit_log_format(ab, " ino=%lu", inode->i_ino);
277 break; 277 break;
278 } 278 }
279 case LSM_AUDIT_DATA_TASK: 279 case LSM_AUDIT_DATA_TASK: {
280 tsk = a->u.tsk; 280 struct task_struct *tsk = a->u.tsk;
281 if (tsk) { 281 if (tsk) {
282 pid_t pid = task_pid_nr(tsk); 282 pid_t pid = task_pid_nr(tsk);
283 if (pid) { 283 if (pid) {
284 char comm[sizeof(tsk->comm)];
284 audit_log_format(ab, " pid=%d comm=", pid); 285 audit_log_format(ab, " pid=%d comm=", pid);
285 audit_log_untrustedstring(ab, tsk->comm); 286 audit_log_untrustedstring(ab,
287 memcpy(comm, tsk->comm, sizeof(comm)));
286 } 288 }
287 } 289 }
288 break; 290 break;
291 }
289 case LSM_AUDIT_DATA_NET: 292 case LSM_AUDIT_DATA_NET:
290 if (a->u.net->sk) { 293 if (a->u.net->sk) {
291 struct sock *sk = a->u.net->sk; 294 struct sock *sk = a->u.net->sk;