[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit-0.6.2 released



Stephen Smalley wrote:
>>Sort of. It fixes the one you saw. However, the corruption Peter was chasing 
>>is probably not related. This was a userspace fix. I think there is a 
>>separate kernel side one that's been discussed in the SE Linux mail list.
> 
> Yes, we saw corruption in the SELinux avc messages prior to any use of
> auditd at all, when everything was still being handled by klogd.
> 

This is my guess though line 356 and 372 in audit.c looks suspicious.

            audit_log_format(ab, "login pid=%d uid=%d loginuid=%d"
                     " length=%d msg='%.1024s'",
                     pid, uid,
                     login->loginuid,
                     login->msglen,
                     login->msg);

It assumes msg is C string but guess if it is not. It tries to print 1024 byes
in worst case. It is probably safer change this line to:

            audit_log_format(ab, "login pid=%d uid=%d loginuid=%d"
                     " length=%d msg='%.*s'",
                     pid, uid,
                     login->loginuid,
                     login->msglen,
                     login->msglen,
                     login->msg);

It won't be overhead since either way it passes length.
I noticed it a while back ago but didn't report it 'cuz I'm not 100%
sure if msg string null termination is always guaranteed or not.
If so then there could be some other kernel thread is stomping its tail...

Hope this helps.

-- Junji


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]