[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: bug?: audit filtering on negative values



On Wed, 2006-01-18 at 15:21 -0500, Steve Grubb wrote:
> On Wednesday 18 January 2006 15:18, Timothy R. Chavez wrote:
> > What kernel are you testing on?  I just checked the latest kernel
> > (lspp.6) and this does look like a problem:
> >
> > struct audit_field {
> >         u32                     type;
> >         u32                     val;
> >         u32                     op;
> > };
> >
> >
> > We only allow unsigned val(ues).  Eek
> 
> Right and that's because this is what the context stores:
> 
> 129 struct audit_context {
> 136         unsigned long       argv[4];    /* syscall arguments */
> 
> 
> -Steve
> 

Sorry if I seem a little dense, but I'm not sure what you're getting at.
The context stores:

long                return_code;/* syscall return code */


Which is signed and logged as "exit=".  This would be a problem when
comparing the u32 audut_field val(ue) against it, right?

-tim


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]