Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932353AbbDNXzr (ORCPT ); Tue, 14 Apr 2015 19:55:47 -0400
Received: from tundra.namei.org ([65.99.196.166]:32937 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751768AbbDNXzi (ORCPT ); Tue, 14 Apr 2015 19:55:38 -0400
Date: Wed, 15 Apr 2015 09:55:24 +1000 (AEST)
From: James Morris
To: Richard Guy Briggs
cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com, sgrubb@redhat.com, eparis@parisplace.org, pmoore@redhat.com, penguin-kernel@I-love.SAKURA.ne.jp
Subject: Re: [PATCH] lsm: copy comm before calling audit_log to avoid race in string printing
In-Reply-To: <2762230afd590c4c6f50c4905ef91738a4f38e4c.1429023587.git.rgb@redhat.com>
Message-ID:
References: <2762230afd590c4c6f50c4905ef91738a4f38e4c.1429023587.git.rgb@redhat.com>
User-Agent: Alpine 2.11 (LRH 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1585
Lines: 36

On Tue, 14 Apr 2015, Richard Guy Briggs wrote:

> When task->comm is passed directly to audit_log_untrustedstring() without
> getting a copy or using the task_lock, there is a race that could happen that
> would output a NULL (\0) in the middle of the output string that would
> effectively truncate the rest of the report text after the comm= field in the
> audit log message, losing fields.
>
> Using get_task_comm() to get a copy while acquiring the task_lock to prevent
> this and to prevent the result from being a mixture of old and new values of
> comm would incur potentially unacceptable overhead, considering that the value
> can be influenced by userspace and therefore untrusted anyways.
>
> Copying the value before passing it to audit_log_untrustedstring() ensures that a
> local copy is used to calculate the length *and* subsequently printed. Even if
> this value contains a mix of old and new values, it will only calculate and
> copy up to the first NULL, preventing the rest of the audit log message being
> truncated.
>
> Use a second local copy of comm to avoid a race between the first and second
> calls to audit_log_untrustedstring() with comm.
>
> Reported-by: Tetsuo Handa
> Signed-off-by: Richard Guy Briggs

Applied.

--
James Morris
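The race the patch description quotes above, reduced to a userspace model so it can be run deterministically. This is an added illustration, not code from the patch or from the kernel: `log_untrustedstring()` is a hypothetical stand-in for the kernel's audit_log_untrustedstring() that measures the string and then copies that many bytes, `struct ab` stands in for the audit buffer, and the `racer` callback is injected between those two steps to play the part of another CPU rewriting task->comm. The sample comm values ("longname", "ls"), the pid field and the choice of copying the whole TASK_COMM_LEN buffer with memcpy in the fixed variant are all constructed here; the page does not show the patch body.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TASK_COMM_LEN 16   /* same size as the kernel's task_struct.comm */

/* Minimal stand-in for the kernel's audit_buffer: the bytes emitted so far. */
struct ab {
    char data[256];
    size_t len;
};

static void ab_init(struct ab *ab) { memset(ab, 0, sizeof(*ab)); }

/* Append n raw bytes (NULs included) and keep data[] NUL-terminated after len. */
static void ab_append(struct ab *ab, const char *s, size_t n)
{
    if (ab->len + n >= sizeof(ab->data))
        n = sizeof(ab->data) - 1 - ab->len;
    memcpy(ab->data + ab->len, s, n);
    ab->len += n;
    ab->data[ab->len] = '\0';
}

/* Hypothetical model of audit_log_untrustedstring(): it measures the string
 * first and then copies exactly that many bytes. `racer`, if non-NULL, runs
 * between the two steps and stands in for another CPU rewriting task->comm. */
static void log_untrustedstring(struct ab *ab, const char *s,
                                void (*racer)(char *), char *shared_comm)
{
    size_t n = strlen(s);            /* step 1: length of the current contents */
    if (racer)
        racer(shared_comm);          /* concurrent exec() rewrites comm here   */
    ab_append(ab, s, n);             /* step 2: n bytes copied, NULs included  */
}

/* Constructed concurrent writer: the task execs something with a shorter name.
 * strncpy pads the remainder of the buffer with NULs, as a fresh comm would be. */
static void rename_to_ls(char *comm)
{
    strncpy(comm, "ls", TASK_COMM_LEN);
}

/* Racy variant: comm is handed to the logger directly. */
static void dump_comm_racy(struct ab *ab, char *comm, void (*racer)(char *))
{
    ab_append(ab, " comm=", 6);
    log_untrustedstring(ab, comm, racer, comm);
    ab_append(ab, " pid=42", 7);     /* constructed trailing field */
}

/* Fixed variant: snapshot comm into a local buffer. Length and bytes now come
 * from the same snapshot, so a mid-call rewrite can at worst garble the value
 * but cannot plant a NUL that cuts off every field after comm=. */
static void dump_comm_fixed(struct ab *ab, char *comm, void (*racer)(char *))
{
    char local[TASK_COMM_LEN];
    memcpy(local, comm, sizeof(local));
    local[sizeof(local) - 1] = '\0';   /* defensive termination */
    ab_append(ab, " comm=", 6);
    log_untrustedstring(ab, local, racer, comm);
    ab_append(ab, " pid=42", 7);
}

/* Bytes a C-string consumer (e.g. a userspace parser using strlen) would see. */
static size_t visible_len(const struct ab *ab) { return strlen(ab->data); }

/* Returns 1 if the record survived intact (no embedded NUL), 0 if truncated. */
static int record_intact(int use_fix)
{
    char comm[TASK_COMM_LEN];
    struct ab ab;

    strncpy(comm, "longname", TASK_COMM_LEN);   /* constructed starting comm */
    ab_init(&ab);
    if (use_fix)
        dump_comm_fixed(&ab, comm, rename_to_ls);
    else
        dump_comm_racy(&ab, comm, rename_to_ls);
    return visible_len(&ab) == ab.len;
}

int main(void)
{
    printf("racy  record intact: %d\n", record_intact(0));   /* 0: cut after comm=ls */
    printf("fixed record intact: %d\n", record_intact(1));   /* 1 */
    return 0;
}
```

In the racy path the length (8, from "longname") is computed before the rewrite, so the copy picks up "ls" followed by six NUL bytes and the " pid=42" field is invisible to anything that reads the record as a C string; the fixed path measures and copies the same local bytes, so the record stays whole regardless of when the rewrite lands.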