
Commit 83c7d091 authored by David Woodhouse's avatar David Woodhouse

AUDIT: Avoid log pollution by untrusted strings.



We log strings from userspace, such as arguments to open(). These could
be formatted to contain \n followed by fake audit log entries. Provide
a function for logging such strings, which gives a hex dump when the
string contains anything but basic printable ASCII characters. Use it
for logging filenames.

Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
parent c60c3906
+7 −1
@@ -174,11 +174,15 @@ extern void audit_log_format(struct audit_buffer *ab,
					     const char *fmt, ...)
			    __attribute__((format(printf,2,3)));
extern void		    audit_log_end(struct audit_buffer *ab);
extern void		    audit_log_hex(struct audit_buffer *ab,
					  const unsigned char *buf,
					  size_t len);
extern void		    audit_log_untrustedstring(struct audit_buffer *ab,
						      const char *string);
extern void		    audit_log_d_path(struct audit_buffer *ab,
					     const char *prefix,
					     struct dentry *dentry,
					     struct vfsmount *vfsmnt);

				/* Private API (for auditsc.c only) */
extern void		    audit_send_reply(int pid, int seq, int type,
					     int done, int multi,
@@ -190,6 +194,8 @@ extern void audit_log_lost(const char *message);
#define audit_log_vformat(b,f,a) do { ; } while (0)
#define audit_log_format(b,f,...) do { ; } while (0)
#define audit_log_end(b) do { ; } while (0)
#define audit_log_hex(a,b,l) do { ; } while (0)
#define audit_log_untrustedstring(a,s) do { ; } while (0)
#define audit_log_d_path(b,p,d,v) do { ; } while (0)
#endif
#endif
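Review bot: The two new prototypes carry no comment telling callers when `audit_log_format` with `%s` is no longer acceptable, and nothing describes the two output shapes the new helper produces. Above `audit_log_untrustedstring` I would add something like `/* For strings userspace controls: logged as "quoted" text when plain printable ASCII, otherwise as an unquoted hex dump. */`. Tools that parse the records need that rule to tell the two forms apart, and the header is where other subsystems will look before logging a userspace-supplied string.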
+23 −0
@@ -720,6 +720,29 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
	va_end(args);
}

void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
{
	int i;

	for (i=0; i<len; i++)
		audit_log_format(ab, "%02x", buf[i]);
}

void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
{
	const char *p = string;

	while (*p) {
		if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
			audit_log_hex(ab, string, strlen(string));
			return;
		}
		p++;
	}
	audit_log_format(ab, "\"%s\"", string);
}


/* This is a helper-function to print the d_path without using a static
 * buffer or allocating another buffer in addition to the one in
 * audit_buffer. */
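Review bot: The printable-range test in audit_log_untrustedstring treats 0x7f (DEL) as safe, because the upper bound is `*p > 0x7f`; DEL is a control character and would be written into the record verbatim inside the quotes. The test also reads a plain `char`, so whether the `> 0x7f` half can ever fire depends on the platform's char signedness (where char is signed, high bytes are caught only through `*p < 0x20`). Scanning through `const unsigned char *p = (const unsigned char *)string;` and testing `*p == '"' || *p <= 0x20 || *p > 0x7e` makes the check mean the same thing on every architecture and closes the DEL gap. In audit_log_hex, `int i` is compared with `size_t len`; declaring `size_t i` avoids the mixed-sign comparison.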
+4 −3
@@ -696,9 +696,10 @@ static void audit_log_exit(struct audit_context *context)
		if (!ab)
			continue; /* audit_panic has been called */
		audit_log_format(ab, "item=%d", i);
		if (context->names[i].name)
			audit_log_format(ab, " name=%s",
					 context->names[i].name);
		if (context->names[i].name) {
			audit_log_format(ab, " name=");
			audit_log_untrustedstring(ab, context->names[i].name);
		}
		if (context->names[i].ino != (unsigned long)-1)
			audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
					     " uid=%d gid=%d rdev=%02x:%02x",