1 files changed, 165 insertions, 40 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index aaaca8a13bbe..6e03322e155b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -78,6 +78,9 @@ extern struct list_head audit_filter_list[];
 /* Indicates that audit should log the full pathname. */
 #define AUDIT_NAME_FULL -1
+/* no execve audit message should be longer than this (userspace limits) */
+#define MAX_EXECVE_AUDIT_LEN 7500
 /* number of audit rules */
 int audit_n_rules;
@@ -965,55 +968,187 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
        return rc;
 }
-static void audit_log_execve_info(struct audit_buffer *ab,
+/*
-                struct audit_aux_data_execve *axi)
+ * to_send and len_sent accounting are very loose estimates.  We aren't
+ * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
+ * within about 500 bytes (next page boundry)
+ *
+ * why snprintf?  an int is up to 12 digits long.  if we just assumed when
+ * logging that a[%d]= was going to be 16 characters long we would be wasting
+ * space in every audit message.  In one 7500 byte message we can log up to
+ * about 1000 min size arguments.  That comes down to about 50% waste of space
+ * if we didn't do the snprintf to find out how long arg_num_len was.
+ */
+static int audit_log_single_execve_arg(struct audit_context *context,
+                                        struct audit_buffer **ab,
+                                        int arg_num,
+                                        size_t *len_sent,
+                                        const char __user *p,
+                                        char *buf)
 {
-        int i;
+        char arg_num_len_buf[12];
-        long len, ret;
+        const char __user *tmp_p = p;
-        const char __user *p;
+        /* how many digits are in arg_num? 3 is the length of a=\n */
-        char *buf;
+        size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
+        size_t len, len_left, to_send;
+        size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
+        unsigned int i, has_cntl = 0, too_long = 0;
+        int ret;
+        /* strnlen_user includes the null we don't want to send */
+        len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
-        if (axi->mm != current->mm)
+        /*
-                return; /* execve failed, no additional info */
+         * We just created this mm, if we can't find the strings
+         * we just copied into it something is _very_ wrong. Similar
-        p = (const char __user *)axi->mm->arg_start;
+         * for strings that are too long, we should not have created
+         * any.
+         */
+        if (unlikely((len  = -1) || len > MAX_ARG_STRLEN - 1)) {
+                WARN_ON(1);
+                send_sig(SIGKILL, current, 0);
+        }
-        for (i = 0; i < axi->argc; i++, p += len) {
+        /* walk the whole argument looking for non-ascii chars */
-                len = strnlen_user(p, MAX_ARG_STRLEN);
+        do {
+                if (len_left > MAX_EXECVE_AUDIT_LEN)
+                        to_send = MAX_EXECVE_AUDIT_LEN;
+                else
+                        to_send = len_left;
+                ret = copy_from_user(buf, tmp_p, to_send);
                /*
-                 * We just created this mm, if we can't find the strings
+                 * There is no reason for this copy to be short. We just
-                 * we just copied into it something is _very_ wrong. Similar
+                 * copied them here, and the mm hasn't been exposed to user-
-                 * for strings that are too long, we should not have created
+                 * space yet.
-                 * any.
                 */
-                if (!len || len > MAX_ARG_STRLEN) {
+                if (ret) {
                        WARN_ON(1);
                        send_sig(SIGKILL, current, 0);
                }
+                buf[to_send] = '\0';
-                buf = kmalloc(len, GFP_KERNEL);
+                has_cntl = audit_string_contains_control(buf, to_send);
-                if (!buf) {
+                if (has_cntl) {
-                        audit_panic("out of memory for argv string\n");
+                        /*
+                         * hex messages get logged as 2 bytes, so we can only
+                         * send half as much in each message
+                         */
+                        max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
                        break;
                }
+                len_left -= to_send;
+                tmp_p += to_send;
+        } while (len_left > 0);
+        len_left = len;
+        if (len > max_execve_audit_len)
+                too_long = 1;
+        /* rewalk the argument actually logging the message */
+        for (i = 0; len_left > 0; i++) {
+                int room_left;
+                if (len_left > max_execve_audit_len)
+                        to_send = max_execve_audit_len;
+                else
+                        to_send = len_left;
+                /* do we have space left to send this argument in this ab? */
+                room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
+                if (has_cntl)
+                        room_left -= (to_send * 2);
+                else
+                        room_left -= to_send;
+                if (room_left < 0) {
+                        *len_sent = 0;
+                        audit_log_end(*ab);
+                        *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
+                        if (!*ab)
+                                return 0;
+                }
-                ret = copy_from_user(buf, p, len);
                /*
-                 * There is no reason for this copy to be short. We just
+                 * first record needs to say how long the original string was
-                 * copied them here, and the mm hasn't been exposed to user-
+                 * so we can be sure nothing was lost.
-                 * space yet.
+                 */
+                if ((i == 0) && (too_long))
+                        audit_log_format(*ab, "a%d_len=%ld ", arg_num,
+                                         has_cntl ? 2*len : len);
+                /*
+                 * normally arguments are small enough to fit and we already
+                 * filled buf above when we checked for control characters
+                 * so don't bother with another copy_from_user
                 */
+                if (len >= max_execve_audit_len)
+                        ret = copy_from_user(buf, p, to_send);
+                else
+                        ret = 0;
                if (ret) {
                        WARN_ON(1);
                        send_sig(SIGKILL, current, 0);
                }
+                buf[to_send] = '\0';
+                /* actually log it */
+                audit_log_format(*ab, "a%d", arg_num);
+                if (too_long)
+                        audit_log_format(*ab, "[%d]", i);
+                audit_log_format(*ab, "=");
+                if (has_cntl)
+                        audit_log_hex(*ab, buf, to_send);
+                else
+                        audit_log_format(*ab, "\"%s\"", buf);
+                audit_log_format(*ab, "\n");
+                p += to_send;
+                len_left -= to_send;
+                *len_sent += arg_num_len;
+                if (has_cntl)
+                        *len_sent += to_send * 2;
+                else
+                        *len_sent += to_send;
+        }
+        /* include the null we didn't log */
+        return len + 1;
+}
+static void audit_log_execve_info(struct audit_context *context,
+                                  struct audit_buffer **ab,
+                                  struct audit_aux_data_execve *axi)
+{
+        int i;
+        size_t len, len_sent = 0;
+        const char __user *p;
+        char *buf;
-                audit_log_format(ab, "a%d=", i);
+        if (axi->mm != current->mm)
-                audit_log_untrustedstring(ab, buf);
+                return; /* execve failed, no additional info */
-                audit_log_format(ab, "\n");
+        p = (const char __user *)axi->mm->arg_start;
-                kfree(buf);
+        audit_log_format(*ab, "argc=%d ", axi->argc);
+        /*
+         * we need some kernel buffer to hold the userspace args.  Just
+         * allocate one big one rather than allocating one of the right size
+         * for every single argument inside audit_log_single_execve_arg()
+         * should be <8k allocation so should be pretty safe.
+         */
+        buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
+        if (!buf) {
+                audit_panic("out of memory for argv string\n");
+                return;
        }
+        for (i = 0; i < axi->argc; i++) {
+                len = audit_log_single_execve_arg(context, ab, i,
+                                                  &len_sent, p, buf);
+                if (len <= 0)
+                        break;
+                p += len;
+        }
+        kfree(buf);
 }
 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
@@ -1157,7 +1292,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                case AUDIT_EXECVE: {
                        struct audit_aux_data_execve *axi = (void *)aux;
-                        audit_log_execve_info(ab, axi);
+                        audit_log_execve_info(context, &ab, axi);
                        break; }
                case AUDIT_SOCKETCALL: {
@@ -2094,8 +2229,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
        return 0;
 }
-int audit_argv_kb = 32;
 int audit_bprm(struct linux_binprm *bprm)
 {
        struct audit_aux_data_execve *ax;
@@ -2104,14 +2237,6 @@ int audit_bprm(struct linux_binprm *bprm)
        if (likely(!audit_enabled || !context || context->dummy))
                return 0;
-        /*
-         * Even though the stack code doesn't limit the arg+env size any more,
-         * the audit code requires that _all_ arguments be logged in a single
-         * netlink skb. Hence cap it :-(
-         */
-        if (bprm->argv_len > (audit_argv_kb << 10))
-                return -E2BIG;
        ax = kmalloc(sizeof(*ax), GFP_KERNEL);
        if (!ax)
                return -ENOMEM;

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index aaaca8a13bbe..6e03322e155b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -78,6 +78,9 @@ extern struct list_head audit_filter_list[];
78	/* Indicates that audit should log the full pathname. */	78	/* Indicates that audit should log the full pathname. */
79	#define AUDIT_NAME_FULL -1	79	#define AUDIT_NAME_FULL -1
80		80
		81	/* no execve audit message should be longer than this (userspace limits) */
		82	#define MAX_EXECVE_AUDIT_LEN 7500
		83
81	/* number of audit rules */	84	/* number of audit rules */
82	int audit_n_rules;	85	int audit_n_rules;
83		86
@@ -965,55 +968,187 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
965	return rc;	968	return rc;
966	}	969	}
967		970
968	static void audit_log_execve_info(struct audit_buffer *ab,	971	/*
969	struct audit_aux_data_execve *axi)	972	* to_send and len_sent accounting are very loose estimates. We aren't
		973	* really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
		974	* within about 500 bytes (next page boundry)
		975	*
		976	* why snprintf? an int is up to 12 digits long. if we just assumed when
		977	* logging that a[%d]= was going to be 16 characters long we would be wasting
		978	* space in every audit message. In one 7500 byte message we can log up to
		979	* about 1000 min size arguments. That comes down to about 50% waste of space
		980	* if we didn't do the snprintf to find out how long arg_num_len was.
		981	*/
		982	static int audit_log_single_execve_arg(struct audit_context *context,
		983	struct audit_buffer **ab,
		984	int arg_num,
		985	size_t *len_sent,
		986	const char __user *p,
		987	char *buf)
970	{	988	{
971	int i;	989	char arg_num_len_buf[12];
972	long len, ret;	990	const char __user *tmp_p = p;
973	const char __user *p;	991	/* how many digits are in arg_num? 3 is the length of a=\n */
974	char *buf;	992	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
		993	size_t len, len_left, to_send;
		994	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
		995	unsigned int i, has_cntl = 0, too_long = 0;
		996	int ret;
		997
		998	/* strnlen_user includes the null we don't want to send */
		999	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
975		1000
976	if (axi->mm != current->mm)	1001	/*
977	return; /* execve failed, no additional info */	1002	* We just created this mm, if we can't find the strings
978		1003	* we just copied into it something is _very_ wrong. Similar
979	p = (const char __user *)axi->mm->arg_start;	1004	* for strings that are too long, we should not have created
		1005	* any.
		1006	*/
		1007	if (unlikely((len = -1) \|\| len > MAX_ARG_STRLEN - 1)) {
		1008	WARN_ON(1);
		1009	send_sig(SIGKILL, current, 0);
		1010	}
980		1011
981	for (i = 0; i < axi->argc; i++, p += len) {	1012	/* walk the whole argument looking for non-ascii chars */
982	len = strnlen_user(p, MAX_ARG_STRLEN);	1013	do {
		1014	if (len_left > MAX_EXECVE_AUDIT_LEN)
		1015	to_send = MAX_EXECVE_AUDIT_LEN;
		1016	else
		1017	to_send = len_left;
		1018	ret = copy_from_user(buf, tmp_p, to_send);
983	/*	1019	/*
984	* We just created this mm, if we can't find the strings	1020	* There is no reason for this copy to be short. We just
985	* we just copied into it something is _very_ wrong. Similar	1021	* copied them here, and the mm hasn't been exposed to user-
986	* for strings that are too long, we should not have created	1022	* space yet.
987	* any.
988	*/	1023	*/
989	if (!len \|\| len > MAX_ARG_STRLEN) {	1024	if (ret) {
990	WARN_ON(1);	1025	WARN_ON(1);
991	send_sig(SIGKILL, current, 0);	1026	send_sig(SIGKILL, current, 0);
992	}	1027	}
993		1028	buf[to_send] = '\0';
994	buf = kmalloc(len, GFP_KERNEL);	1029	has_cntl = audit_string_contains_control(buf, to_send);
995	if (!buf) {	1030	if (has_cntl) {
996	audit_panic("out of memory for argv string\n");	1031	/*
		1032	* hex messages get logged as 2 bytes, so we can only
		1033	* send half as much in each message
		1034	*/
		1035	max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
997	break;	1036	break;
998	}	1037	}
		1038	len_left -= to_send;
		1039	tmp_p += to_send;
		1040	} while (len_left > 0);
		1041
		1042	len_left = len;
		1043
		1044	if (len > max_execve_audit_len)
		1045	too_long = 1;
		1046
		1047	/* rewalk the argument actually logging the message */
		1048	for (i = 0; len_left > 0; i++) {
		1049	int room_left;
		1050
		1051	if (len_left > max_execve_audit_len)
		1052	to_send = max_execve_audit_len;
		1053	else
		1054	to_send = len_left;
		1055
		1056	/* do we have space left to send this argument in this ab? */
		1057	room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
		1058	if (has_cntl)
		1059	room_left -= (to_send * 2);
		1060	else
		1061	room_left -= to_send;
		1062	if (room_left < 0) {
		1063	*len_sent = 0;
		1064	audit_log_end(*ab);
		1065	*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
		1066	if (!*ab)
		1067	return 0;
		1068	}
999		1069
1000	ret = copy_from_user(buf, p, len);
1001	/*	1070	/*
1002	* There is no reason for this copy to be short. We just	1071	* first record needs to say how long the original string was
1003	* copied them here, and the mm hasn't been exposed to user-	1072	* so we can be sure nothing was lost.
1004	* space yet.	1073	*/
		1074	if ((i == 0) && (too_long))
		1075	audit_log_format(*ab, "a%d_len=%ld ", arg_num,
		1076	has_cntl ? 2*len : len);
		1077
		1078	/*
		1079	* normally arguments are small enough to fit and we already
		1080	* filled buf above when we checked for control characters
		1081	* so don't bother with another copy_from_user
1005	*/	1082	*/
		1083	if (len >= max_execve_audit_len)
		1084	ret = copy_from_user(buf, p, to_send);
		1085	else
		1086	ret = 0;
1006	if (ret) {	1087	if (ret) {
1007	WARN_ON(1);	1088	WARN_ON(1);
1008	send_sig(SIGKILL, current, 0);	1089	send_sig(SIGKILL, current, 0);
1009	}	1090	}
		1091	buf[to_send] = '\0';
		1092
		1093	/* actually log it */
		1094	audit_log_format(*ab, "a%d", arg_num);
		1095	if (too_long)
		1096	audit_log_format(*ab, "[%d]", i);
		1097	audit_log_format(*ab, "=");
		1098	if (has_cntl)
		1099	audit_log_hex(*ab, buf, to_send);
		1100	else
		1101	audit_log_format(*ab, "\"%s\"", buf);
		1102	audit_log_format(*ab, "\n");
		1103
		1104	p += to_send;
		1105	len_left -= to_send;
		1106	*len_sent += arg_num_len;
		1107	if (has_cntl)
		1108	len_sent += to_send 2;
		1109	else
		1110	*len_sent += to_send;
		1111	}
		1112	/* include the null we didn't log */
		1113	return len + 1;
		1114	}
		1115
		1116	static void audit_log_execve_info(struct audit_context *context,
		1117	struct audit_buffer **ab,
		1118	struct audit_aux_data_execve *axi)
		1119	{
		1120	int i;
		1121	size_t len, len_sent = 0;
		1122	const char __user *p;
		1123	char *buf;
1010		1124
1011	audit_log_format(ab, "a%d=", i);	1125	if (axi->mm != current->mm)
1012	audit_log_untrustedstring(ab, buf);	1126	return; /* execve failed, no additional info */
1013	audit_log_format(ab, "\n");	1127
		1128	p = (const char __user *)axi->mm->arg_start;
1014		1129
1015	kfree(buf);	1130	audit_log_format(*ab, "argc=%d ", axi->argc);
		1131
		1132	/*
		1133	* we need some kernel buffer to hold the userspace args. Just
		1134	* allocate one big one rather than allocating one of the right size
		1135	* for every single argument inside audit_log_single_execve_arg()
		1136	* should be <8k allocation so should be pretty safe.
		1137	*/
		1138	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
		1139	if (!buf) {
		1140	audit_panic("out of memory for argv string\n");
		1141	return;
1016	}	1142	}
		1143
		1144	for (i = 0; i < axi->argc; i++) {
		1145	len = audit_log_single_execve_arg(context, ab, i,
		1146	&len_sent, p, buf);
		1147	if (len <= 0)
		1148	break;
		1149	p += len;
		1150	}
		1151	kfree(buf);
1017	}	1152	}
1018		1153
1019	static void audit_log_exit(struct audit_context context, struct task_struct tsk)	1154	static void audit_log_exit(struct audit_context context, struct task_struct tsk)
@@ -1157,7 +1292,7 @@ static void audit_log_exit(struct audit_context context, struct task_struct ts
1157		1292
1158	case AUDIT_EXECVE: {	1293	case AUDIT_EXECVE: {
1159	struct audit_aux_data_execve axi = (void )aux;	1294	struct audit_aux_data_execve axi = (void )aux;
1160	audit_log_execve_info(ab, axi);	1295	audit_log_execve_info(context, &ab, axi);
1161	break; }	1296	break; }
1162		1297
1163	case AUDIT_SOCKETCALL: {	1298	case AUDIT_SOCKETCALL: {
@@ -2094,8 +2229,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
2094	return 0;	2229	return 0;
2095	}	2230	}
2096		2231
2097	int audit_argv_kb = 32;
2098
2099	int audit_bprm(struct linux_binprm *bprm)	2232	int audit_bprm(struct linux_binprm *bprm)
2100	{	2233	{
2101	struct audit_aux_data_execve *ax;	2234	struct audit_aux_data_execve *ax;
@@ -2104,14 +2237,6 @@ int audit_bprm(struct linux_binprm *bprm)
2104	if (likely(!audit_enabled \|\| !context \|\| context->dummy))	2237	if (likely(!audit_enabled \|\| !context \|\| context->dummy))
2105	return 0;	2238	return 0;
2106		2239
2107	/*
2108	* Even though the stack code doesn't limit the arg+env size any more,
2109	* the audit code requires that _all_ arguments be logged in a single
2110	* netlink skb. Hence cap it :-(
2111	*/
2112	if (bprm->argv_len > (audit_argv_kb << 10))
2113	return -E2BIG;
2114
2115	ax = kmalloc(sizeof(*ax), GFP_KERNEL);	2240	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2116	if (!ax)	2241	if (!ax)
2117	return -ENOMEM;	2242	return -ENOMEM;