Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9eab339b authored by Richard Guy Briggs's avatar Richard Guy Briggs Committed by Eric Paris
Browse files

audit: get comm using lock to avoid race in string printing 



When task->comm is passed directly to audit_log_untrustedstring() without
getting a copy or using the task_lock, there is a race that could happen that
would output a NULL (\0) in the output string that would effectively truncate
the rest of the report text after the comm= field in the audit, losing fields.

Use get_task_comm() to get a copy while acquiring the task_lock to prevent
this and to prevent the result from being a mixture of old and new values of
comm.

Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
parent f874738e

kernel/audit.c

+2 −3
Original line number Diff line number Diff line
@@ -1850,7 +1850,7 @@ EXPORT_SYMBOL(audit_log_task_context); 
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)

{

	const struct cred *cred;

	char name[sizeof(tsk->comm)];

	char comm[sizeof(tsk->comm)];

	struct mm_struct *mm = tsk->mm;

	char *tty;
@@ -1884,9 +1884,8 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 
			 from_kgid(&init_user_ns, cred->fsgid),

			 tty, audit_get_sessionid(tsk));



	get_task_comm(name, tsk);

	audit_log_format(ab, " comm=");

	audit_log_untrustedstring(ab, name);

	audit_log_untrustedstring(ab, get_task_comm(comm, tsk));



	if (mm) {

		down_read(&mm->mmap_sem);

kernel/auditsc.c

+2 −1
Original line number Diff line number Diff line
@@ -2424,6 +2424,7 @@ static void audit_log_task(struct audit_buffer *ab) 
	kgid_t gid;

	unsigned int sessionid;

	struct mm_struct *mm = current->mm;

	char comm[sizeof(current->comm)];



	auid = audit_get_loginuid(current);

	sessionid = audit_get_sessionid(current);
@@ -2436,7 +2437,7 @@ static void audit_log_task(struct audit_buffer *ab) 
			 sessionid);

	audit_log_task_context(ab);

	audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));

	audit_log_untrustedstring(ab, current->comm);

	audit_log_untrustedstring(ab, get_task_comm(comm, current));

	if (mm) {

		down_read(&mm->mmap_sem);

		if (mm->exe_file)