v2:
audit: fix possible null-pointer dereference in audit_filter_rules
audit: return early if the rule has a lower priority
v1:
audit: return early if the rule has a lower priority
Gaosheng Cui (2):
audit: fix possible null-pointer dereference in audit_filter_rules
audit: return early if the rule has a lower priority
kernel/auditsc.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--
2.30.0
It is not necessary for audit_filter_rules() functions to check
audit fileds of the rule with a lower priority, and if we did,
there might be some unintended effects, such as the ctx->ppid
may be changed unexpectedly, so return early if the rule has
a lower priority.
Signed-off-by: Gaosheng Cui <[email protected]>
---
kernel/auditsc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 42d4a4320526..b517947bfa48 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -470,6 +470,9 @@ static int audit_filter_rules(struct task_struct *tsk,
u32 sid;
unsigned int sessionid;
+ if (ctx && rule->prio <= ctx->prio)
+ return 0;
+
cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
for (i = 0; i < rule->field_count; i++) {
@@ -737,8 +740,6 @@ static int audit_filter_rules(struct task_struct *tsk,
}
if (ctx) {
- if (rule->prio <= ctx->prio)
- return 0;
if (rule->filterkey) {
kfree(ctx->filterkey);
ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
--
2.30.0
On Wed, Oct 13, 2021 at 5:10 AM Gaosheng Cui <[email protected]> wrote:
>
> It is not necessary for audit_filter_rules() functions to check
> audit fileds of the rule with a lower priority, and if we did,
> there might be some unintended effects, such as the ctx->ppid
> may be changed unexpectedly, so return early if the rule has
> a lower priority.
>
> Signed-off-by: Gaosheng Cui <[email protected]>
> ---
> kernel/auditsc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
Thanks for this patch, it looks reasonable to me but have you done any
testing with this patch? If so, what have you done?
As a FYI, the audit-testsuite project lives here:
* https://github.com/linux-audit/audit-testsuite
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 42d4a4320526..b517947bfa48 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -470,6 +470,9 @@ static int audit_filter_rules(struct task_struct *tsk,
> u32 sid;
> unsigned int sessionid;
>
> + if (ctx && rule->prio <= ctx->prio)
> + return 0;
> +
> cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
>
> for (i = 0; i < rule->field_count; i++) {
> @@ -737,8 +740,6 @@ static int audit_filter_rules(struct task_struct *tsk,
> }
>
> if (ctx) {
> - if (rule->prio <= ctx->prio)
> - return 0;
> if (rule->filterkey) {
> kfree(ctx->filterkey);
> ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
> --
> 2.30.0
--
paul moore
http://www.paul-moore.com
I have done some testing with this patch, we have some testsuites to
verify the
function of audit, and i will test it with the audit-testsuite.
Thanks.
Gaosheng
在 2021/10/14 5:15, Paul Moore 写道:
> On Wed, Oct 13, 2021 at 5:10 AM Gaosheng Cui <[email protected]> wrote:
>> It is not necessary for audit_filter_rules() functions to check
>> audit fileds of the rule with a lower priority, and if we did,
>> there might be some unintended effects, such as the ctx->ppid
>> may be changed unexpectedly, so return early if the rule has
>> a lower priority.
>>
>> Signed-off-by: Gaosheng Cui <[email protected]>
>> ---
>> kernel/auditsc.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
> Thanks for this patch, it looks reasonable to me but have you done any
> testing with this patch? If so, what have you done?
>
> As a FYI, the audit-testsuite project lives here:
> * https://github.com/linux-audit/audit-testsuite
>
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 42d4a4320526..b517947bfa48 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -470,6 +470,9 @@ static int audit_filter_rules(struct task_struct *tsk,
>> u32 sid;
>> unsigned int sessionid;
>>
>> + if (ctx && rule->prio <= ctx->prio)
>> + return 0;
>> +
>> cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
>>
>> for (i = 0; i < rule->field_count; i++) {
>> @@ -737,8 +740,6 @@ static int audit_filter_rules(struct task_struct *tsk,
>> }
>>
>> if (ctx) {
>> - if (rule->prio <= ctx->prio)
>> - return 0;
>> if (rule->filterkey) {
>> kfree(ctx->filterkey);
>> ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
>> --
>> 2.30.0