[PATCH] audit: missing variable declaration/initialization when AUDIT_DEBUG == 2.

Peter Moody pmoody at google.com
Thu Jul 26 15:09:43 UTC 2012


On Thu, Jul 26, 2012 at 5:34 AM, Jeff Layton <jlayton at redhat.com> wrote:
> On Wed, 18 Jul 2012 14:30:41 -0700
> Peter Moody <pmoody at google.com> wrote:
>
>> Additionally it looks like audit_free_names might return too early when
>> AUDIT_DEBUG was set to 2.
>>
>> Signed-off-by: Peter Moody <pmoody at google.com>
>> ---
>>  kernel/auditsc.c |    8 ++++----
>>  1 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 4b96415..0c1db46 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -997,6 +997,7 @@ static inline void audit_free_names(struct audit_context *context)
>>
>>  #if AUDIT_DEBUG == 2
>>       if (context->put_count + context->ino_count != context->name_count) {
>> +             int i = 0;
>>               printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
>>                      " name_count=%d put_count=%d"
>>                      " ino_count=%d [NOT freeing]\n",
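Review bot: the commit message should state that `i` was undeclared in this `#if AUDIT_DEBUG == 2` block before the change, so the file failed to build with that setting; the body text only mentions the early return, and the missing declaration appears nowhere but the subject line. Declaring `int i = 0;` as the first statement of the `if` block is the right scope for a counter that only feeds the `names[%d]` printk in the next hunk.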
>> @@ -1005,11 +1006,10 @@ static inline void audit_free_names(struct audit_context *context)
>>                      context->name_count, context->put_count,
>>                      context->ino_count);
>>               list_for_each_entry(n, &context->names_list, list) {
>> -                     printk(KERN_ERR "names[%d] = %p = %s\n", i,
>> +                     printk(KERN_ERR "names[%d] = %p = %s\n", i++,
>>                              n->name, n->name ?: "(null)");
>>               }
>>               dump_stack();
>> -             return;
>>       }
>
> I'm not certain what the intent of this code was, but if you remove the
> "return" above, then the printk above it that says "[NOT FREEING]" will
> no longer be valid.

Oh, good point. I was going from what I presumed the intent to be from
the comment from above __audit_syscall_exit:

/**
 * Tear down after system call.  If the audit context has been marked as
 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
 * filtering, or because some other part of the kernel wrote an audit
 * message), then write out the syscall information.  In call cases,
 * free the names stored from getname().
 */

(and I am assuming that 'in call cases' is a typo for 'in all cases')

The other thing is that my testing indicated that my box hung if
audit_free_names returned right there.

I need to wait for Eric anyway; hopefully he'll be able to shed some light.

Cheers,
peter

>>  #endif
>>  #if AUDIT_DEBUG
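Review bot: dropping `return;` after `dump_stack()` contradicts the `[NOT freeing]` text in the printk at the top of this block: with the return gone, control falls through past `#endif` and the names are freed even when `put_count + ino_count != name_count`. Either keep the return or change the message so it describes the new behaviour (for example `" ino_count=%d [freeing anyway]\n"`), and say in the commit message why falling through is the safer choice, since the description only says the function "might return too early".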
>> @@ -2084,10 +2084,10 @@ void audit_putname(const char *name)
>>                      __FILE__, __LINE__, context->serial, name);
>>               if (context->name_count) {
>>                       struct audit_names *n;
>> -                     int i;
>> +                     int i = 0;
>>
>>                       list_for_each_entry(n, &context->names_list, list)
>> -                             printk(KERN_ERR "name[%d] = %p = %s\n", i,
>> +                             printk(KERN_ERR "name[%d] = %p = %s\n", i++,
>>                                      n->name, n->name ?: "(null)");
>>                       }
>>  #endif
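Review bot: this hunk fixes a defect the subject line does not name: `int i;` in `audit_putname` was declared but never initialised before being passed to the `name[%d]` printk, so each iteration printed an indeterminate value and the counter never advanced. The commit message should mention this second site, since the subject only refers to `audit_free_names` under `AUDIT_DEBUG == 2`. The `i++` inside the printk argument list matches the `audit_free_names` hunk; now that the brace-less `list_for_each_entry` body carries a side effect across three lines, braces around it would make the loop easier to read.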



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038