From: Miloslav Trmač <mitr@redhat.com> Date: Tue, 16 Sep 2008 11:31:16 +0000 Subject: [audit] fix NUL handling in TTY input auditing Message-id: 1221564676.2728.38.camel@amilo O-Subject: [RHEL5.3 PATCH] Fix NUL handling in TTY input auditing Bugzilla: 462441 RH-Acked-by: Eric Paris <eparis@redhat.com> bz#462441, a correction to #244135 https://bugzilla.redhat.com/show_bug.cgi?id=462441 https://bugzilla.redhat.com/show_bug.cgi?id=244135 The patch for TTY input auditing submitted for 5.3 does not handle NUL characters in TTY input (can be created e.g. by pressing Ctrl-2) nor NUL characters in AUDIT_USER_TTY audit records (which can be sent from shells and other unconfined processes run by root). This patch: 1. Logs all TTY input using the hexadecimal encoding. The data can reasonably contain NUL characters, so it is not a "string" (in the C universe). 2. Modifies audit_n_untrustedstring() to tread NULs in strings as untrusted characters, not as terminators. This affects only AUDIT_USER_TTY. 3. Modifies AUDIT_USER_TTY handler to strip a trailing NUL byte sent form user-space, if present. Tested on i686 in qemu (tried USER_TTY with and without NUL, and AUDIT_USER_TTY). Upstream status: Sent upstream, discussed with upstream kernel audit maintainers, not in the subsystem tree (nor mainline) yet. diff --git a/drivers/char/tty_audit.c b/drivers/char/tty_audit.c index 3619cf9..f894b65 100644 --- a/drivers/char/tty_audit.c +++ b/drivers/char/tty_audit.c @@ -91,7 +91,7 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid, get_task_comm(name, tsk); audit_log_untrustedstring(ab, name); audit_log_format(ab, " data="); - audit_log_n_untrustedstring(ab, buf->valid, buf->data); + audit_log_hex(ab, buf->data, buf->valid); audit_log_end(ab); } buf->valid = 0; diff --git a/kernel/audit.c b/kernel/audit.c index d571115..b81717c 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -759,6 +759,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) audit_log_format(ab, " msg="); size = nlmsg_len(nlh); + if (size > 0 && + ((unsigned char *)data)[size - 1] == '\0') + size--; audit_log_n_untrustedstring(ab, size, data); } @@ -1425,7 +1428,7 @@ void audit_log_n_string(struct audit_buffer *ab, size_t slen, int audit_string_contains_control(const char *string, size_t len) { const unsigned char *p; - for (p = string; p < (const unsigned char *)string + len && *p; p++) { + for (p = string; p < (const unsigned char *)string + len; p++) { if (*p == '"' || *p < 0x21 || *p > 0x7f) return 1; }