[RFC][PATCH] (#6) filesystem auditing

Chris Wright chrisw at osdl.org
Tue Mar 15 22:44:14 UTC 2005


* Steve Grubb (sgrubb at redhat.com) wrote:
> On Monday 14 March 2005 18:14, Timothy R. Chavez wrote:
> > This patch has enough changes in it to be called patch #6
> 
> I just noticed this in audit.h:
> 
> struct audit_watch {
>        int     namelen;
>        int     fklen;
> 
> Shouldn't these be pinned down to a byte size? Like __u32 or __u16? It seems 
> safer to me when you consider userspace to kernel packets and whether the 
> kernel is 64 bit and userspace 32 bit.

IIUC, they'd be 32 bit in either case, but can't hurt to be specific.

> But more interesting...what if a -1 was sent for fklen?
> 
> +       if (req->fklen) {
> +               ret = -ENOMEM;
> +               filterkey = kmalloc(req->fklen, GFP_KERNEL);
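
Review bot: The `if (req->fklen)` test only excludes zero, so a negative fklen (the field is declared `int` in the audit.h excerpt quoted above) passes the check and is converted to a very large unsigned size when handed to kmalloc(). Before the allocation, reject a length that is negative or above a defined maximum with -EINVAL, and apply the same check to namelen. Declaring both fields as a fixed-width unsigned type such as __u32 removes the negative case and pins the layout for 32-bit userspace on a 64-bit kernel.
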
> 
> Kaboom...

Luckily, your kmalloc(-1) example would fail (there's no slab that
big), but if there's no value in having the lens be signed, then make
'em unsigned.  And, of course, assume all userspace data is unsafe and
do sanity checking.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
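
The sanity checking suggested in this reply, as an added example that is not part of the original thread or the audit patch: it shows what a signed -1 becomes as an allocation size and validates a request whose lengths are fixed-width and unsigned. Only namelen and fklen come from the thread; struct watch_req, the two caps and the wire layout (header, then name bytes, then key bytes) are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical caps; the thread does not name any limits. */
#define WATCH_NAME_MAX 4096u
#define WATCH_KEY_MAX   256u

/* Assumed layout: fixed-width unsigned lengths, so 32-bit userspace
 * and a 64-bit kernel agree on the header size. */
struct watch_req {
    uint32_t namelen;
    uint32_t fklen;
};

/* What a signed length turns into when used as an allocation size. */
size_t signed_len_as_size(int len)
{
    return (size_t)len;
}

/* Returns 0 when the header is consistent with the `total` bytes
 * actually received from userspace, -EINVAL otherwise. */
int watch_req_validate(const struct watch_req *req, size_t total)
{
    if (total < sizeof(*req))
        return -EINVAL;
    if (req->namelen > WATCH_NAME_MAX || req->fklen > WATCH_KEY_MAX)
        return -EINVAL;
    /* Both lengths are capped above, so this sum cannot wrap. */
    if ((size_t)req->namelen + req->fklen != total - sizeof(*req))
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample requests. */
    struct watch_req good = { 5, 3 };
    struct watch_req evil = { 5, (uint32_t)-1 };  /* "-1" sent as fklen */

    printf("(size_t)-1 = %zu\n", signed_len_as_size(-1));
    printf("good: %d\n", watch_req_validate(&good, sizeof(good) + 8));
    printf("evil: %d\n", watch_req_validate(&evil, sizeof(evil) + 5));
    return 0;
}
```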