Re: [PATCH] audit: catch possible NULL audit buffers

From: Kees Cook
Date: Mon Nov 19 2012 - 17:26:49 EST

Next message: Greg Kroah-Hartman: "Re: [PATCH 2/2] ACPI / platform: Initialize ACPI handles of platformdevices in advance"
Previous message: Andrew Morton: "Re: [PATCH 2/8] mm: frontswap: lazy initialization to allow tmembackends to build/run as modules"
In reply to: Andrew Morton: "Re: [PATCH] audit: catch possible NULL audit buffers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Nov 19, 2012 at 2:14 PM, Andrew Morton
<akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 19 Nov 2012 14:00:51 -0800
> Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
>> It's possible for audit_log_start() to return NULL. Handle it in the
>> various callers.
>>
>> ...
>>
>> --- a/kernel/audit.c
>> +++ b/kernel/audit.c
>> @@ -272,6 +272,8 @@ static int audit_log_config_change(char *function_name, int new, int old,
>> int rc = 0;
>>
>> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
>> + if (unlikely(!ab))
>> + return rc;
>
> Returning success here looks suspicious. audit_do_config_change() will
> fail to take its wtf-just-happened action (which
> audit_log_config_change() duplicates, btw).

It seemed like the only meaningful rc was from when
security_secid_to_secctx failed, which changes the audit report and
has external side-effects that seem specific to that condition. It
seemed that audit_log_start() failing was less of a problem than
security_secid_to_secctx failing, which seems supposed be all the
other code in the kernel that gives up if audit_log_start() fails.

> Meanwhile audit_receive_msg() is off living in a happy land where
> nothing ever goes wrong.

Right, this reinforced my perceptions that a audit_log_start() failure
wasn't meaningful to propagate to callers of
audit_log_config_change().

>
>> audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
>> old, from_kuid(&init_user_ns, loginuid), sessionid);
>> if (sid) {
>> @@ -619,6 +621,8 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
>> }
>>
>> *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
>> + if (unlikely(!*ab))
>> + return rc;
>
> Also looks fishy.

Without any callers checking the return value, it seemed useless to
propagate here too.

-Kees

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Kroah-Hartman: "Re: [PATCH 2/2] ACPI / platform: Initialize ACPI handles of platformdevices in advance"
Previous message: Andrew Morton: "Re: [PATCH 2/8] mm: frontswap: lazy initialization to allow tmembackends to build/run as modules"
In reply to: Andrew Morton: "Re: [PATCH] audit: catch possible NULL audit buffers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]