Re: [PATCH 1/2] audit: fix NUL handling in untrusted strings

From: Miloslav TrmaÄ
Date: Thu Sep 11 2008 - 15:40:24 EST


Andrew Morton pÃÅe v Ät 11. 09. 2008 v 12:14 -0700:
> On Thu, 11 Sep 2008 00:23:38 +0200
> Miloslav Trma__ <mitr@xxxxxxxxxx> wrote:
>
> > The audit record can thus contain a NUL byte (and some unchecked data
> > after that). Because the user-space audit daemon treats audit records
> > as NUL-terminated strings, an untrusted string that is shorter than the
> > specified maximum length effectively terminates the audit record.
> >

> It's unclear how serious this problem is.
* AUDIT_USER_TTY records (which are sent from user-space with a trailing
NUL byte) are missing a terminating '"' character.
* Some data is not recorded in AUDIT_TTY records, and the terminating
'"' character is missing in that case as well.

> Do you believe that it is
> sufficiently serious to warrant merging these fixes into 2.6.27?
> 2.6.26.x? 2.6.25.x?
This patch (1/2) only fixes creation of incorrectly formatted, but
easy-to-understand audit records; it would be nice to have it in 2.6.27
(assuming the audit maintainer acks it - or a variant of it). The other
one (2/2), which makes sure all TTY audit data is recorded, should
probably be merged in the stable releases as well.
Mirek

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/