From: Paul Moore <paul@paul-moore.com>
To: Dominick Grift <dominick.grift@defensec.nl>,
bauen1 <j2468h@googlemail.com>,
rgb@redhat.com
Cc: linux-audit@redhat.com
Subject: Re: null pointer dereference regression in 5.7
Date: Tue, 21 Jul 2020 18:45:58 -0400 [thread overview]
Message-ID: <CAHC9VhTbMB==FaxwUDviw9D5-M6wUGnYwwHz7wCDMYSOUw07dA@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhRGJ4EwFYpRtoHe=m_GNB6WAt3cDCf7pd4YbvydEPpy3w@mail.gmail.com>
On Tue, Jul 21, 2020 at 6:30 PM Paul Moore <paul@paul-moore.com> wrote:
> Richard, you broke it, you bought it :) Did you want to take a closer
> look at this? If you can't let me know. Based on a quick look, my
> gut feeling is that either context->pwd is never set properly or it is
> getting free'd prematurely; I'm highly suspicious of the latter but
> the former seems like it might be a reasonable place to start.
Actually, yes, I'm pretty certain the problem is that context->pwd is
never set in this case.
Normally context->pwd would be set by a call to
audit_getname()/__audit_getname(), but if there audit context is a
dummy context, that is skipped and context->pwd is never set.
Normally that is fine, expect with Richard's patch if the kernel
explicitly calls audit_log_start() we mark the context as ... not a
dummy? smart? I'm not sure of the right term here ... which then
triggers all the usual logging one would expect. In this particular
case, a SELinux AVC, the audit_log_start() happens *after* the
pathname has been resolved and the audit_getname() calls are made;
thus in this case context->pwd is not valid when the normal audit
logging takes place on exit and things explode in predictable fashion.
Unfortunately, it is beginning to look like 1320a4052ea1 ("audit:
trigger accompanying records when no rules present") may be more
dangerous than initially thought. I'm borderline tempted to just
revert this patch, but I'll leave this open for discussion ...
Richard, I think you need to go through the code and audit all of the
functions that store data in an audit context that are skipped when
there is a dummy context to see which fields are potentially unset,
and then look at all the end of task/syscall code to make sure the
necessary set/unset checks are in place.
This should be a priority.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2020-07-21 22:52 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-18 18:40 null pointer dereference regression in 5.7 bauen1
2020-07-18 18:56 ` Dominick Grift
2020-07-21 22:30 ` Paul Moore
2020-07-21 22:45 ` Paul Moore [this message]
2020-07-21 23:09 ` Richard Guy Briggs
2020-07-22 2:01 ` Richard Guy Briggs
2020-07-23 1:01 ` Paul Moore
2020-07-23 12:56 ` Richard Guy Briggs
2020-07-24 19:10 ` Paul Moore
2020-07-22 19:47 ` Richard Guy Briggs
2020-07-22 20:04 ` Dominick Grift
2020-07-23 12:47 ` Richard Guy Briggs
2020-07-23 12:58 ` Dominick Grift
2020-07-23 13:10 ` bauen1
2020-07-23 20:00 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhTbMB==FaxwUDviw9D5-M6wUGnYwwHz7wCDMYSOUw07dA@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=dominick.grift@defensec.nl \
--cc=j2468h@googlemail.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).