Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c32c8af4 authored by Al Viro's avatar Al Viro
Browse files

sanitize AUDIT_MQ_SENDRECV 



* logging the original value of *msg_prio in mq_timedreceive(2)
  is insane - the argument is write-only (i.e. syscall always
  ignores the original value and only overwrites it).
* merge __audit_mq_timed{send,receive}
* don't do copy_from_user() twice
* don't mess with allocations in auditsc part
* ... and don't bother checking !audit_enabled and !context in there -
  we'd already checked for audit_dummy_context().

Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 20114f71

include/linux/audit.h

+4 −13
Original line number Diff line number Diff line
@@ -451,8 +451,7 @@ extern int audit_sockaddr(int len, void *addr); 
extern int __audit_fd_pair(int fd1, int fd2);

extern int audit_set_macxattr(const char *name);

extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr);

extern int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout);

extern int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __user *u_msg_prio, const struct timespec __user *u_abs_timeout);

extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);

extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);

extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);

extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
@@ -482,17 +481,10 @@ static inline int audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u 
		return __audit_mq_open(oflag, mode, u_attr);

	return 0;

}

static inline int audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout)

static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)

{

	if (unlikely(!audit_dummy_context()))

		return __audit_mq_timedsend(mqdes, msg_len, msg_prio, u_abs_timeout);

	return 0;

}

static inline int audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __user *u_msg_prio, const struct timespec __user *u_abs_timeout)

{

	if (unlikely(!audit_dummy_context()))

		return __audit_mq_timedreceive(mqdes, msg_len, u_msg_prio, u_abs_timeout);

	return 0;

		__audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);

}

static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)

{
@@ -550,8 +542,7 @@ extern int audit_signals; 
#define audit_sockaddr(len, addr) ({ 0; })

#define audit_set_macxattr(n) do { ; } while (0)

#define audit_mq_open(o,m,a) ({ 0; })

#define audit_mq_timedsend(d,l,p,t) ({ 0; })

#define audit_mq_timedreceive(d,l,p,t) ({ 0; })

#define audit_mq_sendrecv(d,l,p,t) ((void)0)

#define audit_mq_notify(d,n) ((void)0)

#define audit_mq_getsetattr(d,s) ((void)0)

#define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; })

ipc/mqueue.c

+30 −24
Original line number Diff line number Diff line
@@ -524,31 +524,27 @@ static void __do_notify(struct mqueue_inode_info *info) 
	wake_up(&info->wait_q);

}



static long prepare_timeout(const struct timespec __user *u_arg)

static long prepare_timeout(struct timespec *p)

{

	struct timespec ts, nowts;

	struct timespec nowts;

	long timeout;



	if (u_arg) {

		if (unlikely(copy_from_user(&ts, u_arg,

					sizeof(struct timespec))))

			return -EFAULT;



		if (unlikely(ts.tv_nsec < 0 || ts.tv_sec < 0

			|| ts.tv_nsec >= NSEC_PER_SEC))

	if (p) {

		if (unlikely(p->tv_nsec < 0 || p->tv_sec < 0

			|| p->tv_nsec >= NSEC_PER_SEC))

			return -EINVAL;

		nowts = CURRENT_TIME;

		/* first subtract as jiffies can't be too big */

		ts.tv_sec -= nowts.tv_sec;

		if (ts.tv_nsec < nowts.tv_nsec) {

			ts.tv_nsec += NSEC_PER_SEC;

			ts.tv_sec--;

		p->tv_sec -= nowts.tv_sec;

		if (p->tv_nsec < nowts.tv_nsec) {

			p->tv_nsec += NSEC_PER_SEC;

			p->tv_sec--;

		}

		ts.tv_nsec -= nowts.tv_nsec;

		if (ts.tv_sec < 0)

		p->tv_nsec -= nowts.tv_nsec;

		if (p->tv_sec < 0)

			return 0;



		timeout = timespec_to_jiffies(&ts) + 1;

		timeout = timespec_to_jiffies(p) + 1;

	} else

		return MAX_SCHEDULE_TIMEOUT;
@@ -829,17 +825,22 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr, 
	struct ext_wait_queue *receiver;

	struct msg_msg *msg_ptr;

	struct mqueue_inode_info *info;

	struct timespec ts, *p = NULL;

	long timeout;

	int ret;



	ret = audit_mq_timedsend(mqdes, msg_len, msg_prio, u_abs_timeout);

	if (ret != 0)

		return ret;

	if (u_abs_timeout) {

		if (copy_from_user(&ts, u_abs_timeout, 

					sizeof(struct timespec)))

			return -EFAULT;

		p = &ts;

	}



	if (unlikely(msg_prio >= (unsigned long) MQ_PRIO_MAX))

		return -EINVAL;



	timeout = prepare_timeout(u_abs_timeout);

	audit_mq_sendrecv(mqdes, msg_len, msg_prio, p);

	timeout = prepare_timeout(p);



	ret = -EBADF;

	filp = fget(mqdes);
@@ -918,12 +919,17 @@ asmlinkage ssize_t sys_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr, 
	struct inode *inode;

	struct mqueue_inode_info *info;

	struct ext_wait_queue wait;

	struct timespec ts, *p = NULL;



	ret = audit_mq_timedreceive(mqdes, msg_len, u_msg_prio, u_abs_timeout);

	if (ret != 0)

		return ret;

	if (u_abs_timeout) {

		if (copy_from_user(&ts, u_abs_timeout, 

					sizeof(struct timespec)))

			return -EFAULT;

		p = &ts;

	}



	timeout = prepare_timeout(u_abs_timeout);

	audit_mq_sendrecv(mqdes, msg_len, 0, p);

	timeout = prepare_timeout(p);



	ret = -EBADF;

	filp = fget(mqdes);

kernel/auditsc.c

+29 −98
Original line number Diff line number Diff line
@@ -131,14 +131,6 @@ struct audit_aux_data_mq_open { 
	struct mq_attr		attr;

};



struct audit_aux_data_mq_sendrecv {

	struct audit_aux_data	d;

	mqd_t			mqdes;

	size_t			msg_len;

	unsigned int		msg_prio;

	struct timespec		abs_timeout;

};



struct audit_aux_data_execve {

	struct audit_aux_data	d;

	int argc;
@@ -244,6 +236,12 @@ struct audit_context { 
			mqd_t			mqdes;

			int			sigev_signo;

		} mq_notify;

		struct {

			mqd_t			mqdes;

			size_t			msg_len;

			unsigned int		msg_prio;

			struct timespec		abs_timeout;

		} mq_sendrecv;

	};



#if AUDIT_DEBUG
@@ -1265,6 +1263,16 @@ static void show_special(struct audit_context *context, int *call_panic) 
				return;

		}

		break; }

	case AUDIT_MQ_SENDRECV: {

		audit_log_format(ab,

			"mqdes=%d msg_len=%zd msg_prio=%u "

			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",

			context->mq_sendrecv.mqdes,

			context->mq_sendrecv.msg_len,

			context->mq_sendrecv.msg_prio,

			context->mq_sendrecv.abs_timeout.tv_sec,

			context->mq_sendrecv.abs_timeout.tv_nsec);

		break; }

	case AUDIT_MQ_NOTIFY: {

		audit_log_format(ab, "mqdes=%d sigev_signo=%d",

				context->mq_notify.mqdes,
@@ -1370,15 +1378,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts 
				axi->attr.mq_curmsgs);

			break; }



		case AUDIT_MQ_SENDRECV: {

			struct audit_aux_data_mq_sendrecv *axi = (void *)aux;

			audit_log_format(ab,

				"mqdes=%d msg_len=%zd msg_prio=%u "

				"abs_timeout_sec=%ld abs_timeout_nsec=%ld",

				axi->mqdes, axi->msg_len, axi->msg_prio,

				axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec);

			break; }



		case AUDIT_EXECVE: {

			struct audit_aux_data_execve *axi = (void *)aux;

			audit_log_execve_info(context, &ab, axi);
@@ -2171,97 +2170,29 @@ int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 
}



/**

 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send

 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive

 * @mqdes: MQ descriptor

 * @msg_len: Message length

 * @msg_prio: Message priority

 * @u_abs_timeout: Message timeout in absolute time

 * @abs_timeout: Message timeout in absolute time

 *

 * Returns 0 for success or NULL context or < 0 on error.

 */

int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,

			const struct timespec __user *u_abs_timeout)

void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,

			const struct timespec *abs_timeout)

{

	struct audit_aux_data_mq_sendrecv *ax;

	struct audit_context *context = current->audit_context;

	struct timespec *p = &context->mq_sendrecv.abs_timeout;



	if (!audit_enabled)

		return 0;



	if (likely(!context))

		return 0;



	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);

	if (!ax)

		return -ENOMEM;



	if (u_abs_timeout != NULL) {

		if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) {

			kfree(ax);

			return -EFAULT;

		}

	} else

		memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout));



	ax->mqdes = mqdes;

	ax->msg_len = msg_len;

	ax->msg_prio = msg_prio;



	ax->d.type = AUDIT_MQ_SENDRECV;

	ax->d.next = context->aux;

	context->aux = (void *)ax;

	return 0;

}



/**

 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive

 * @mqdes: MQ descriptor

 * @msg_len: Message length

 * @u_msg_prio: Message priority

 * @u_abs_timeout: Message timeout in absolute time

 *

 * Returns 0 for success or NULL context or < 0 on error.

 */

int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len,

				unsigned int __user *u_msg_prio,

				const struct timespec __user *u_abs_timeout)

{

	struct audit_aux_data_mq_sendrecv *ax;

	struct audit_context *context = current->audit_context;



	if (!audit_enabled)

		return 0;



	if (likely(!context))

		return 0;



	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);

	if (!ax)

		return -ENOMEM;



	if (u_msg_prio != NULL) {

		if (get_user(ax->msg_prio, u_msg_prio)) {

			kfree(ax);

			return -EFAULT;

		}

	} else

		ax->msg_prio = 0;



	if (u_abs_timeout != NULL) {

		if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) {

			kfree(ax);

			return -EFAULT;

		}

	} else

		memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout));

	if (abs_timeout)

		memcpy(p, abs_timeout, sizeof(struct timespec));

	else

		memset(p, 0, sizeof(struct timespec));



	ax->mqdes = mqdes;

	ax->msg_len = msg_len;

	context->mq_sendrecv.mqdes = mqdes;

	context->mq_sendrecv.msg_len = msg_len;

	context->mq_sendrecv.msg_prio = msg_prio;



	ax->d.type = AUDIT_MQ_SENDRECV;

	ax->d.next = context->aux;

	context->aux = (void *)ax;

	return 0;

	context->type = AUDIT_MQ_SENDRECV;

}



/**