audit-0.6.2 released
Chris Wright
chrisw at osdl.org
Wed Apr 27 07:26:02 UTC 2005
* Peter Martuccelli (peterm at redhat.com) wrote:
> Hello,
>
> On Fri, 2005-02-11 at 15:22, Stephen Smalley wrote:
> > On Fri, 2005-02-11 at 15:29, Steve Grubb wrote:
> > > Sort of. It fixes the one you saw. However, the corruption Peter was chasing
> > > is probably not related. This was a userspace fix. I think there is a
> > > separate kernel side one that's been discussed in the SE Linux mail list.
> >
> > Yes, we saw corruption in the SELinux avc messages prior to any use of
> > auditd at all, when everything was still being handled by klogd.
> The corruption I was able to track down was in the kernel, this patch
> will fix the problem, (the problem I saw was corrupted avc messages
> which always started with 118 leading white spaces). This is not a
> final patch as I still need to determine what the issue is with printk.
> The "%*.*s" format specifier is not popular in the kernel, iirc it is
> only used in a few routines, which include the audit and avc routines.
>
> So yes there is a separate kernel side issue dealing with corrupted avc
> messages.
>
> --- linux/kernel/audit.c.orig 2005-02-16 13:49:28.839925080 -0500
> +++ linux/kernel/audit.c 2005-02-16 13:53:24.757060224 -0500
> @@ -513,8 +513,8 @@
> if (!audit_pid) { /* No daemon */
> int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
> int len = skb->len - offset;
> - printk(KERN_ERR "%*.*s\n",
> - len, len, skb->data + offset);
> + skb->data[offset + len] = '\0';
> + printk(KERN_ERR "%s\n", skb->data + offset);
> }
> kfree_skb(skb);
> ab->nlh = NULL;
What was your test case? This patch will potentially corrupt data in
skb->data[offset + len]. Typically there's extra space so it's ok, but
at the most that's pointing at the first member for skb_shared_info
(dataref), which could cause a memory leak.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
More information about the Linux-audit
mailing list