2021-10-13 09:11:58

by Gaosheng Cui

[permalink] [raw]
Subject: [PATCH -next,v2 0/2] Audit: fix warning and check priority early

v2:
audit: fix possible null-pointer dereference in audit_filter_rules
audit: return early if the rule has a lower priority
v1:
audit: return early if the rule has a lower priority

Gaosheng Cui (2):
audit: fix possible null-pointer dereference in audit_filter_rules
audit: return early if the rule has a lower priority

kernel/auditsc.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--
2.30.0


2021-10-13 09:12:09

by Gaosheng Cui

[permalink] [raw]
Subject: [PATCH -next,v2 2/2] audit: return early if the rule has a lower priority

It is not necessary for audit_filter_rules() functions to check
audit fileds of the rule with a lower priority, and if we did,
there might be some unintended effects, such as the ctx->ppid
may be changed unexpectedly, so return early if the rule has
a lower priority.

Signed-off-by: Gaosheng Cui <[email protected]>
---
kernel/auditsc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 42d4a4320526..b517947bfa48 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -470,6 +470,9 @@ static int audit_filter_rules(struct task_struct *tsk,
u32 sid;
unsigned int sessionid;

+ if (ctx && rule->prio <= ctx->prio)
+ return 0;
+
cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);

for (i = 0; i < rule->field_count; i++) {
@@ -737,8 +740,6 @@ static int audit_filter_rules(struct task_struct *tsk,
}

if (ctx) {
- if (rule->prio <= ctx->prio)
- return 0;
if (rule->filterkey) {
kfree(ctx->filterkey);
ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
--
2.30.0

2021-10-13 21:20:24

by Paul Moore

[permalink] [raw]
Subject: Re: [PATCH -next,v2 2/2] audit: return early if the rule has a lower priority

On Wed, Oct 13, 2021 at 5:10 AM Gaosheng Cui <[email protected]> wrote:
>
> It is not necessary for audit_filter_rules() functions to check
> audit fileds of the rule with a lower priority, and if we did,
> there might be some unintended effects, such as the ctx->ppid
> may be changed unexpectedly, so return early if the rule has
> a lower priority.
>
> Signed-off-by: Gaosheng Cui <[email protected]>
> ---
> kernel/auditsc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)

Thanks for this patch, it looks reasonable to me but have you done any
testing with this patch? If so, what have you done?

As a FYI, the audit-testsuite project lives here:
* https://github.com/linux-audit/audit-testsuite

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 42d4a4320526..b517947bfa48 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -470,6 +470,9 @@ static int audit_filter_rules(struct task_struct *tsk,
> u32 sid;
> unsigned int sessionid;
>
> + if (ctx && rule->prio <= ctx->prio)
> + return 0;
> +
> cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
>
> for (i = 0; i < rule->field_count; i++) {
> @@ -737,8 +740,6 @@ static int audit_filter_rules(struct task_struct *tsk,
> }
>
> if (ctx) {
> - if (rule->prio <= ctx->prio)
> - return 0;
> if (rule->filterkey) {
> kfree(ctx->filterkey);
> ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
> --
> 2.30.0

--
paul moore
http://www.paul-moore.com

2021-10-18 03:30:41

by Gaosheng Cui

[permalink] [raw]
Subject: Re: [PATCH -next,v2 2/2] audit: return early if the rule has a lower priority

I have done some testing with this patch, we have some testsuites to
verify the

function of audit, and i will test it with the audit-testsuite.

Thanks.

Gaosheng

在 2021/10/14 5:15, Paul Moore 写道:
> On Wed, Oct 13, 2021 at 5:10 AM Gaosheng Cui <[email protected]> wrote:
>> It is not necessary for audit_filter_rules() functions to check
>> audit fileds of the rule with a lower priority, and if we did,
>> there might be some unintended effects, such as the ctx->ppid
>> may be changed unexpectedly, so return early if the rule has
>> a lower priority.
>>
>> Signed-off-by: Gaosheng Cui <[email protected]>
>> ---
>> kernel/auditsc.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
> Thanks for this patch, it looks reasonable to me but have you done any
> testing with this patch? If so, what have you done?
>
> As a FYI, the audit-testsuite project lives here:
> * https://github.com/linux-audit/audit-testsuite
>
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 42d4a4320526..b517947bfa48 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -470,6 +470,9 @@ static int audit_filter_rules(struct task_struct *tsk,
>> u32 sid;
>> unsigned int sessionid;
>>
>> + if (ctx && rule->prio <= ctx->prio)
>> + return 0;
>> +
>> cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
>>
>> for (i = 0; i < rule->field_count; i++) {
>> @@ -737,8 +740,6 @@ static int audit_filter_rules(struct task_struct *tsk,
>> }
>>
>> if (ctx) {
>> - if (rule->prio <= ctx->prio)
>> - return 0;
>> if (rule->filterkey) {
>> kfree(ctx->filterkey);
>> ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
>> --
>> 2.30.0