From: Paul Moore
Date: Wed, 24 Jul 2019 16:45:52 -0400
Subject: Re: [PATCH] kernel: auditfilter: Fix a possible null-pointer dereference in audit_watch_path()
To: Jia-Ju Bai
Cc: Eric Paris, linux-audit@redhat.com, linux-kernel@vger.kernel.org
In-Reply-To: <20190723124951.25713-1-baijiaju1990@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 23, 2019 at 8:50 AM Jia-Ju Bai wrote:
> In audit_find_rule(), there is an if statement on line 894 to check
> whether entry->rule.watch is NULL:
>     else if (entry->rule.watch)
>
> If entry->rule.watch is NULL, audit_compare_rule on 910 is called:
>     audit_compare_rule(&entry->rule, &e->rule))
>
> In audit_compare_rule(), a->watch is used on line 720:
>     if (strcmp(audit_watch_path(a->watch), ...)
>
> In this case, a->watch is NULL, and audit_watch_path() will use:
>     watch->path
>
> Thus, a possible null-pointer dereference may occur in this case.
>
> To fix this possible bug, an if statement is added in
> audit_compare_rule() to check a->watch before using a->watch.
>
> This bug is found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai
> ---
>  kernel/auditfilter.c | 2 ++
>  1 file changed, 2 insertions(+)

Thank you for taking the time to analyze the kernel's audit subsystem and
send a report, but I believe this is a false positive. The only way we can
hit the AUDIT_WATCH comparison in audit_compare_rules is if both rules are
AUDIT_WATCH rules, and when we create the audit_krule entries we ensure
that the watch field is correctly populated for AUDIT_WATCH rules, see the
audit_data_to_entry() and audit_to_watch() functions.

If you disagree with this, please let us know, but as of right now I don't
believe there is a problem here.

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index b0126e9c0743..b0ad17b14609 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -717,6 +717,8 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
>                         return 1;
>                 break;
>         case AUDIT_WATCH:
> +               if (!a->watch)
> +                       break;
>                 if (strcmp(audit_watch_path(a->watch),
>                            audit_watch_path(b->watch)))
>                         return 1;
> --
> 2.17.0

--
paul moore
www.paul-moore.com
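Review bot: The added guard in the AUDIT_WATCH case is one-sided: it checks `a->watch` but the very next statement still dereferences `b->watch` through `audit_watch_path(b->watch)`, so if a NULL watch were reachable here the hunk would not prevent the crash, only move it to the other operand. The chosen recovery is also questionable: `if (!a->watch) break;` makes a rule with no watch compare as equal on this field to any rule with a watch, whereas a NULL/non-NULL pair, if it could occur, should be reported as different (`return 1`), since a mismatch on the watch field is exactly what this comparison exists to detect. Per the maintainer's reply, the AUDIT_WATCH comparison is reached only when both rules carry an AUDIT_WATCH field and audit_data_to_entry()/audit_to_watch() populate `watch` for every such rule, so as written the new check is dead code and the patch should be dropped unless a concrete path that creates an AUDIT_WATCH rule with a NULL watch can be shown.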
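The reasoning in Paul Moore's reply, shown as an added example that is not part of this thread and not the kernel's own code: a minimal C model of the control flow in audit_compare_rule() (field types compared before the per-type switch) together with the construction-time invariant that audit_data_to_entry()/audit_to_watch() enforce (an AUDIT_WATCH rule always has a non-NULL watch). Every name prefixed `model_` is a simplified stand-in and an assumption; the field-type numbers and the sample paths are constructed for the example. The self-test shows that a rule reproducing the analyzer's scenario (AUDIT_WATCH field with a NULL watch) cannot be built through the constructor, which is why the comparison's strcmp can never see a NULL watch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical field-type ids for the model; only the AUDIT_WATCH stand-in
 * matters for the comparison path discussed in the thread. */
enum { MODEL_AUDIT_WATCH = 105, MODEL_AUDIT_FILTERKEY = 210 };

#define MODEL_MAX_FIELDS 4

struct model_watch { const char *path; };
struct model_field { int type; int val; };

/* Simplified stand-in for struct audit_krule: a field list plus the watch
 * pointer that the comparison dereferences for AUDIT_WATCH fields. */
struct model_krule {
    struct model_field fields[MODEL_MAX_FIELDS];
    int field_count;
    struct model_watch *watch;
};

/* Plays the role of audit_data_to_entry() + audit_to_watch(): a rule that
 * carries an AUDIT_WATCH field is rejected unless a watch with a path is
 * supplied, so every rule this returns 0 for satisfies
 * "AUDIT_WATCH field present => watch != NULL". Returns -1 on rejection. */
int model_rule_init(struct model_krule *r, const struct model_field *f, int n,
                    struct model_watch *w)
{
    memset(r, 0, sizeof(*r));
    if (n < 0 || n > MODEL_MAX_FIELDS)
        return -1;
    for (int i = 0; i < n; i++) {
        r->fields[i] = f[i];
        if (f[i].type == MODEL_AUDIT_WATCH) {
            if (!w || !w->path)
                return -1;       /* rule creation fails instead of storing NULL */
            r->watch = w;
        }
    }
    r->field_count = n;
    return 0;
}

/* Same shape as audit_watch_path(): a plain dereference, no NULL check. */
static const char *model_watch_path(const struct model_watch *w)
{
    return w->path;
}

/* Mirrors the control flow of audit_compare_rule(): returns 1 if the rules
 * differ, 0 if they are equal. Field types are compared before the switch,
 * so the AUDIT_WATCH strcmp runs only when field i is an AUDIT_WATCH field
 * in both rules, and model_rule_init() then guarantees both watches are
 * non-NULL. A guard like the patch's "if (!a->watch) break;" would be dead. */
int model_compare_rule(const struct model_krule *a, const struct model_krule *b)
{
    if (a->field_count != b->field_count)
        return 1;
    for (int i = 0; i < a->field_count; i++) {
        if (a->fields[i].type != b->fields[i].type)
            return 1;
        switch (a->fields[i].type) {
        case MODEL_AUDIT_WATCH:
            if (strcmp(model_watch_path(a->watch), model_watch_path(b->watch)))
                return 1;
            break;
        default:
            if (a->fields[i].val != b->fields[i].val)
                return 1;
            break;
        }
    }
    return 0;
}

/* Exercises the invariant with constructed rules. Returns 0 when every
 * expectation holds, otherwise the number of the first failed step. */
int model_selftest(void)
{
    struct model_watch w_passwd = { "/etc/passwd" };   /* constructed sample */
    struct model_watch w_shadow = { "/etc/shadow" };   /* constructed sample */
    struct model_field watch_field[1] = { { MODEL_AUDIT_WATCH, 0 } };
    struct model_field key_field[1]   = { { MODEL_AUDIT_FILTERKEY, 7 } };
    struct model_krule a, b, c, k, bad;

    if (model_rule_init(&a, watch_field, 1, &w_passwd)) return 1;
    if (model_rule_init(&b, watch_field, 1, &w_passwd)) return 2;
    if (model_rule_init(&c, watch_field, 1, &w_shadow)) return 3;
    if (model_rule_init(&k, key_field, 1, NULL))        return 4;

    if (model_compare_rule(&a, &b) != 0) return 5;  /* same path: equal */
    if (model_compare_rule(&a, &c) != 1) return 6;  /* different path: differ */
    if (model_compare_rule(&a, &k) != 1) return 7;  /* type mismatch, strcmp never reached */
    /* The analyzer's scenario (AUDIT_WATCH field, NULL watch) cannot be built. */
    if (model_rule_init(&bad, watch_field, 1, NULL) != -1) return 8;
    return 0;
}

int main(void)
{
    int rc = model_selftest();
    printf("model_selftest: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point of the model is the ordering: the type comparison before the switch plus the constructor's rejection of watch-less AUDIT_WATCH rules together make the NULL path infeasible, which is the kind of cross-function invariant a path-insensitive static checker will not see when it looks at audit_compare_rule() alone.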