4 files changed, 32 insertions, 28 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index ce6d8ea3131e..9442c3533ba9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -766,6 +766,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                audit_log_format(ab, " msg=");
                                size = nlmsg_len(nlh);
+                                if (size > 0 &&
+                                    ((unsigned char *)data)[size - 1] == '\0')
+                                        size--;
                                audit_log_n_untrustedstring(ab, data, size);
                        }
                        audit_set_pid(ab, pid);
@@ -1382,7 +1385,7 @@ void audit_log_n_string(struct audit_buffer *ab, const char *string,
 int audit_string_contains_control(const char *string, size_t len)
 {
        const unsigned char *p;
-        for (p = string; p < (const unsigned char *)string + len && *p; p++) {
+        for (p = string; p < (const unsigned char *)string + len; p++) {
                if (*p == '"' || *p < 0x21 || *p > 0x7e)
                        return 1;
        }
@@ -1437,13 +1440,13 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
        /* We will allow 11 spaces for ' (deleted)' to be appended */
        pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
        if (!pathname) {
-                audit_log_format(ab, "<no memory>");
+                audit_log_string(ab, "<no_memory>");
                return;
        }
        p = d_path(path, pathname, PATH_MAX+11);
        if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
                /* FIXME: can we save some information here? */
-                audit_log_format(ab, "<too long>");
+                audit_log_string(ab, "<too_long>");
        } else
                audit_log_untrustedstring(ab, p);
        kfree(pathname);
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 8ad9545b8db9..917ab9525568 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -385,6 +385,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
        mutex_lock(&inode->inotify_mutex);
        if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {
                mutex_unlock(&inode->inotify_mutex);
+                put_inotify_watch(&old->watch);
                free_chunk(chunk);
                return -ENOSPC;
        }
@@ -394,6 +395,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
                chunk->dead = 1;
                inotify_evict_watch(&chunk->watch);
                mutex_unlock(&inode->inotify_mutex);
+                put_inotify_watch(&old->watch);
                put_inotify_watch(&chunk->watch);
                return 0;
        }
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index fbf24d121d97..a6fe71fd5d1b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -135,18 +135,18 @@ static void audit_remove_watch(struct audit_watch *watch)
 static inline void audit_free_rule(struct audit_entry *e)
 {
        int i;
+        struct audit_krule *erule = &e->rule;
        /* some rules don't have associated watches */
-        if (e->rule.watch)
+        if (erule->watch)
-                audit_put_watch(e->rule.watch);
+                audit_put_watch(erule->watch);
-        if (e->rule.fields)
+        if (erule->fields)
-                for (i = 0; i < e->rule.field_count; i++) {
+                for (i = 0; i < erule->field_count; i++) {
-                        struct audit_field *f = &e->rule.fields[i];
+                        struct audit_field *f = &erule->fields[i];
                        kfree(f->lsm_str);
                        security_audit_rule_free(f->lsm_rule);
                }
-        kfree(e->rule.fields);
+        kfree(erule->fields);
-        kfree(e->rule.filterkey);
+        kfree(erule->filterkey);
        kfree(e);
 }
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2bfc64786765..7d6ac7c1f414 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -329,6 +329,14 @@ static int audit_match_filetype(struct audit_context *ctx, int which)
 */
 #ifdef CONFIG_AUDIT_TREE
+static void audit_set_auditable(struct audit_context *ctx)
+{
+        if (!ctx->prio) {
+                ctx->prio = 1;
+                ctx->current_state = AUDIT_RECORD_CONTEXT;
+        }
+}
 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
 {
        struct audit_tree_refs *p = ctx->trees;
@@ -742,17 +750,9 @@ void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
        rcu_read_unlock();
 }
-static void audit_set_auditable(struct audit_context *ctx)
-{
-        if (!ctx->prio) {
-                ctx->prio = 1;
-                ctx->current_state = AUDIT_RECORD_CONTEXT;
-        }
-}
 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
                                                      int return_valid,
-                                                      int return_code)
+                                                      long return_code)
 {
        struct audit_context *context = tsk->audit_context;
@@ -1024,7 +1024,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
 {
        char arg_num_len_buf[12];
        const char __user *tmp_p = p;
-        /* how many digits are in arg_num? 3 is the length of a=\n */
+        /* how many digits are in arg_num? 3 is the length of " a=" */
        size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
        size_t len, len_left, to_send;
        size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
@@ -1110,7 +1110,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
                 * so we can be sure nothing was lost.
                 */
                if ((i == 0) && (too_long))
-                        audit_log_format(*ab, "a%d_len=%zu ", arg_num,
+                        audit_log_format(*ab, " a%d_len=%zu", arg_num,
                                         has_cntl ? 2*len : len);
                /*
@@ -1130,7 +1130,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
                buf[to_send] = '\0';
                /* actually log it */
-                audit_log_format(*ab, "a%d", arg_num);
+                audit_log_format(*ab, " a%d", arg_num);
                if (too_long)
                        audit_log_format(*ab, "[%d]", i);
                audit_log_format(*ab, "=");
@@ -1138,7 +1138,6 @@ static int audit_log_single_execve_arg(struct audit_context *context,
                        audit_log_n_hex(*ab, buf, to_send);
                else
                        audit_log_format(*ab, "\"%s\"", buf);
-                audit_log_format(*ab, "\n");
                p += to_send;
                len_left -= to_send;
@@ -1166,7 +1165,7 @@ static void audit_log_execve_info(struct audit_context *context,
        p = (const char __user *)axi->mm->arg_start;
-        audit_log_format(*ab, "argc=%d ", axi->argc);
+        audit_log_format(*ab, "argc=%d", axi->argc);
        /*
         * we need some kernel buffer to hold the userspace args.  Just
@@ -1479,7 +1478,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                        case 0:
                                /* name was specified as a relative path and the
                                 * directory component is the cwd */
-                                audit_log_d_path(ab, " name=", &context->pwd);
+                                audit_log_d_path(ab, "name=", &context->pwd);
                                break;
                        default:
                                /* log the name's directory component */
@@ -2150,7 +2149,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 * __audit_mq_open - record audit data for a POSIX MQ open
 * @oflag: open flag
 * @mode: mode bits
- * @u_attr: queue attributes
+ * @attr: queue attributes
 *
 */
 void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
@@ -2197,7 +2196,7 @@ void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
 /**
 * __audit_mq_notify - record audit data for a POSIX MQ notify
 * @mqdes: MQ descriptor
- * @u_notification: Notification event
+ * @notification: Notification event
 *
 */

diff --git a/kernel/audit.c b/kernel/audit.c index ce6d8ea3131e..9442c3533ba9 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -766,6 +766,9 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
766		766
767	audit_log_format(ab, " msg=");	767	audit_log_format(ab, " msg=");
768	size = nlmsg_len(nlh);	768	size = nlmsg_len(nlh);
		769	if (size > 0 &&
		770	((unsigned char *)data)[size - 1] == '\0')
		771	size--;
769	audit_log_n_untrustedstring(ab, data, size);	772	audit_log_n_untrustedstring(ab, data, size);
770	}	773	}
771	audit_set_pid(ab, pid);	774	audit_set_pid(ab, pid);
@@ -1382,7 +1385,7 @@ void audit_log_n_string(struct audit_buffer ab, const char string,
1382	int audit_string_contains_control(const char *string, size_t len)	1385	int audit_string_contains_control(const char *string, size_t len)
1383	{	1386	{
1384	const unsigned char *p;	1387	const unsigned char *p;
1385	for (p = string; p < (const unsigned char )string + len && p; p++) {	1388	for (p = string; p < (const unsigned char *)string + len; p++) {
1386	if (p == '"' \|\| p < 0x21 \|\| *p > 0x7e)	1389	if (p == '"' \|\| p < 0x21 \|\| *p > 0x7e)
1387	return 1;	1390	return 1;
1388	}	1391	}
@@ -1437,13 +1440,13 @@ void audit_log_d_path(struct audit_buffer ab, const char prefix,
1437	/* We will allow 11 spaces for ' (deleted)' to be appended */	1440	/* We will allow 11 spaces for ' (deleted)' to be appended */
1438	pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);	1441	pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
1439	if (!pathname) {	1442	if (!pathname) {
1440	audit_log_format(ab, "<no memory>");	1443	audit_log_string(ab, "<no_memory>");
1441	return;	1444	return;
1442	}	1445	}
1443	p = d_path(path, pathname, PATH_MAX+11);	1446	p = d_path(path, pathname, PATH_MAX+11);
1444	if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */	1447	if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
1445	/* FIXME: can we save some information here? */	1448	/* FIXME: can we save some information here? */
1446	audit_log_format(ab, "<too long>");	1449	audit_log_string(ab, "<too_long>");
1447	} else	1450	} else
1448	audit_log_untrustedstring(ab, p);	1451	audit_log_untrustedstring(ab, p);
1449	kfree(pathname);	1452	kfree(pathname);


diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 8ad9545b8db9..917ab9525568 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c
@@ -385,6 +385,7 @@ static int tag_chunk(struct inode inode, struct audit_tree tree)
385	mutex_lock(&inode->inotify_mutex);	385	mutex_lock(&inode->inotify_mutex);
386	if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {	386	if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {
387	mutex_unlock(&inode->inotify_mutex);	387	mutex_unlock(&inode->inotify_mutex);
		388	put_inotify_watch(&old->watch);
388	free_chunk(chunk);	389	free_chunk(chunk);
389	return -ENOSPC;	390	return -ENOSPC;
390	}	391	}
@@ -394,6 +395,7 @@ static int tag_chunk(struct inode inode, struct audit_tree tree)
394	chunk->dead = 1;	395	chunk->dead = 1;
395	inotify_evict_watch(&chunk->watch);	396	inotify_evict_watch(&chunk->watch);
396	mutex_unlock(&inode->inotify_mutex);	397	mutex_unlock(&inode->inotify_mutex);
		398	put_inotify_watch(&old->watch);
397	put_inotify_watch(&chunk->watch);	399	put_inotify_watch(&chunk->watch);
398	return 0;	400	return 0;
399	}	401	}


diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index fbf24d121d97..a6fe71fd5d1b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -135,18 +135,18 @@ static void audit_remove_watch(struct audit_watch *watch)
135	static inline void audit_free_rule(struct audit_entry *e)	135	static inline void audit_free_rule(struct audit_entry *e)
136	{	136	{
137	int i;	137	int i;
138		138	struct audit_krule *erule = &e->rule;
139	/* some rules don't have associated watches */	139	/* some rules don't have associated watches */
140	if (e->rule.watch)	140	if (erule->watch)
141	audit_put_watch(e->rule.watch);	141	audit_put_watch(erule->watch);
142	if (e->rule.fields)	142	if (erule->fields)
143	for (i = 0; i < e->rule.field_count; i++) {	143	for (i = 0; i < erule->field_count; i++) {
144	struct audit_field *f = &e->rule.fields[i];	144	struct audit_field *f = &erule->fields[i];
145	kfree(f->lsm_str);	145	kfree(f->lsm_str);
146	security_audit_rule_free(f->lsm_rule);	146	security_audit_rule_free(f->lsm_rule);
147	}	147	}
148	kfree(e->rule.fields);	148	kfree(erule->fields);
149	kfree(e->rule.filterkey);	149	kfree(erule->filterkey);
150	kfree(e);	150	kfree(e);
151	}	151	}
152		152


diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2bfc64786765..7d6ac7c1f414 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -329,6 +329,14 @@ static int audit_match_filetype(struct audit_context *ctx, int which)
329	*/	329	*/
330		330
331	#ifdef CONFIG_AUDIT_TREE	331	#ifdef CONFIG_AUDIT_TREE
		332	static void audit_set_auditable(struct audit_context *ctx)
		333	{
		334	if (!ctx->prio) {
		335	ctx->prio = 1;
		336	ctx->current_state = AUDIT_RECORD_CONTEXT;
		337	}
		338	}
		339
332	static int put_tree_ref(struct audit_context ctx, struct audit_chunk chunk)	340	static int put_tree_ref(struct audit_context ctx, struct audit_chunk chunk)
333	{	341	{
334	struct audit_tree_refs *p = ctx->trees;	342	struct audit_tree_refs *p = ctx->trees;
@@ -742,17 +750,9 @@ void audit_filter_inodes(struct task_struct tsk, struct audit_context ctx)
742	rcu_read_unlock();	750	rcu_read_unlock();
743	}	751	}
744		752
745	static void audit_set_auditable(struct audit_context *ctx)
746	{
747	if (!ctx->prio) {
748	ctx->prio = 1;
749	ctx->current_state = AUDIT_RECORD_CONTEXT;
750	}
751	}
752
753	static inline struct audit_context audit_get_context(struct task_struct tsk,	753	static inline struct audit_context audit_get_context(struct task_struct tsk,
754	int return_valid,	754	int return_valid,
755	int return_code)	755	long return_code)
756	{	756	{
757	struct audit_context *context = tsk->audit_context;	757	struct audit_context *context = tsk->audit_context;
758		758
@@ -1024,7 +1024,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
1024	{	1024	{
1025	char arg_num_len_buf[12];	1025	char arg_num_len_buf[12];
1026	const char __user *tmp_p = p;	1026	const char __user *tmp_p = p;
1027	/* how many digits are in arg_num? 3 is the length of a=\n */	1027	/* how many digits are in arg_num? 3 is the length of " a=" */
1028	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;	1028	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
1029	size_t len, len_left, to_send;	1029	size_t len, len_left, to_send;
1030	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;	1030	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
@@ -1110,7 +1110,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
1110	* so we can be sure nothing was lost.	1110	* so we can be sure nothing was lost.
1111	*/	1111	*/
1112	if ((i == 0) && (too_long))	1112	if ((i == 0) && (too_long))
1113	audit_log_format(*ab, "a%d_len=%zu ", arg_num,	1113	audit_log_format(*ab, " a%d_len=%zu", arg_num,
1114	has_cntl ? 2*len : len);	1114	has_cntl ? 2*len : len);
1115		1115
1116	/*	1116	/*
@@ -1130,7 +1130,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
1130	buf[to_send] = '\0';	1130	buf[to_send] = '\0';
1131		1131
1132	/* actually log it */	1132	/* actually log it */
1133	audit_log_format(*ab, "a%d", arg_num);	1133	audit_log_format(*ab, " a%d", arg_num);
1134	if (too_long)	1134	if (too_long)
1135	audit_log_format(*ab, "[%d]", i);	1135	audit_log_format(*ab, "[%d]", i);
1136	audit_log_format(*ab, "=");	1136	audit_log_format(*ab, "=");
@@ -1138,7 +1138,6 @@ static int audit_log_single_execve_arg(struct audit_context *context,
1138	audit_log_n_hex(*ab, buf, to_send);	1138	audit_log_n_hex(*ab, buf, to_send);
1139	else	1139	else
1140	audit_log_format(*ab, "\"%s\"", buf);	1140	audit_log_format(*ab, "\"%s\"", buf);
1141	audit_log_format(*ab, "\n");
1142		1141
1143	p += to_send;	1142	p += to_send;
1144	len_left -= to_send;	1143	len_left -= to_send;
@@ -1166,7 +1165,7 @@ static void audit_log_execve_info(struct audit_context *context,
1166		1165
1167	p = (const char __user *)axi->mm->arg_start;	1166	p = (const char __user *)axi->mm->arg_start;
1168		1167
1169	audit_log_format(*ab, "argc=%d ", axi->argc);	1168	audit_log_format(*ab, "argc=%d", axi->argc);
1170		1169
1171	/*	1170	/*
1172	* we need some kernel buffer to hold the userspace args. Just	1171	* we need some kernel buffer to hold the userspace args. Just
@@ -1479,7 +1478,7 @@ static void audit_log_exit(struct audit_context context, struct task_struct ts
1479	case 0:	1478	case 0:
1480	/* name was specified as a relative path and the	1479	/* name was specified as a relative path and the
1481	* directory component is the cwd */	1480	* directory component is the cwd */
1482	audit_log_d_path(ab, " name=", &context->pwd);	1481	audit_log_d_path(ab, "name=", &context->pwd);
1483	break;	1482	break;
1484	default:	1483	default:
1485	/* log the name's directory component */	1484	/* log the name's directory component */
@@ -2150,7 +2149,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
2150	* __audit_mq_open - record audit data for a POSIX MQ open	2149	* __audit_mq_open - record audit data for a POSIX MQ open
2151	* @oflag: open flag	2150	* @oflag: open flag
2152	* @mode: mode bits	2151	* @mode: mode bits
2153	* @u_attr: queue attributes	2152	* @attr: queue attributes
2154	*	2153	*
2155	*/	2154	*/
2156	void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)	2155	void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
@@ -2197,7 +2196,7 @@ void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2197	/**	2196	/**
2198	* __audit_mq_notify - record audit data for a POSIX MQ notify	2197	* __audit_mq_notify - record audit data for a POSIX MQ notify
2199	* @mqdes: MQ descriptor	2198	* @mqdes: MQ descriptor
2200	* @u_notification: Notification event	2199	* @notification: Notification event
2201	*	2200	*
2202	*/	2201	*/
2203		2202