From: Muhammad Adil Inam <20100180@lums.edu.pk>
To: linux-audit@redhat.com
Cc: Ali Ahad <20100284@lums.edu.pk>
Subject: Query - System Calls Arguments in Linux Audit Kernel
Date: Tue, 6 Aug 2019 13:28:58 +0000
List-Id: linux-audit@redhat.com

To whom it may concern,

Hi,

I am a CS research assistant currently working at Lahore University of Management Sciences (LUMS), Pakistan. The project I am working on involves understanding and working with the Linux Audit Kernel.

As you know, linux-audit logs all the syscall arguments as a1, a2, a3, a4 as unsigned longs. In the case of some syscalls, such as WRITE, the second argument, a2, stores the pointer to a buffer, where the buffer contains the content being written. I have been trying to dereference the buffer from its address stored in a2. I am dereferencing the buffer currently in kernel/auditsc.c and dumping the dereferenced contents of a2 to printk. However, after building the customized kernel, auditd fails, probably due to invalid pointer dereferencing.

I am confused regarding the scope of that pointer variable stored in a2. I have two questions:

1) Is it possible to dereference the syscall arguments in the Linux kernel, given the buffer was initially sent by the process that initiated the syscall?

2) If it is possible to do so, what is the right way to go about it? What is the right file to work in if the goal is to dereference the address stored in one of the SYSCALL arguments?

Really looking forward to hearing back from you.

Best Regards,

Adil
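Added illustration, not part of the mail above and not code from the linux-audit project: the values audit records as a0..a3 (kernel/auditsc.c keeps them in the audit context and prints them at syscall exit) are user virtual addresses in the calling task's address space. A plain pointer read of such an address from kernel code is itself a fault on x86 with SMAP or arm64 with PAN, and the range may simply be unmapped, which is the likely cause of the crash described. The way to read it is copy_from_user() with a hard length cap, only from the issuing task's process context (the syscall entry and exit hooks in auditsc.c qualify), and whatever comes back must be treated as attacker-controlled before it is logged; the escaping below mirrors what audit_log_n_untrustedstring() and audit_string_contains_control() in kernel/audit.c do. The helper names audit_capture_user_buf(), audit_format_untrusted(), audit_render_write_arg() and AUDIT_BUF_CAP are made up for this example, and the userspace stand-in for copy_from_user() (which treats address 0 as faulting and everything else as mapped) is an assumption that exists only so the logic can be run outside a custom kernel.

```c
/*
 * Bounded capture of a syscall buffer argument for auditing (example code).
 *
 * Built inside the kernel (__KERNEL__ defined) the real copy_from_user() is
 * used. Built as an ordinary userspace program, a stand-in is compiled so the
 * logic can be exercised; that stand-in is an assumption for this example,
 * not kernel behaviour.
 */
#ifdef __KERNEL__
#include <linux/uaccess.h>
#include <linux/errno.h>
#include <linux/string.h>
#else
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define __user
/* Stand-in: address 0 "faults"; any other address is treated as mapped. */
static unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
{
    if (from == NULL)
        return n;           /* bytes NOT copied, same convention as the kernel */
    memcpy(to, from, n);
    return 0;
}
#endif

#define AUDIT_BUF_CAP 64    /* hard cap on bytes pulled from user space */

/*
 * Copy at most 'cap' bytes of the 'ulen'-byte user buffer at 'uaddr' into dst.
 * Returns the number of bytes captured, or -EFAULT if the range is unreadable.
 * 'ulen' comes from user space too (it is a2 for write(2)), so it is never
 * trusted as a copy length on its own.
 */
static long audit_capture_user_buf(unsigned long uaddr, unsigned long ulen,
                                   unsigned char *dst, size_t cap)
{
    size_t n = ulen < cap ? (size_t)ulen : cap;

    if (n == 0)
        return 0;
    /* copy_from_user() returns the number of bytes it could NOT copy. */
    if (copy_from_user(dst, (const void __user *)uaddr, n) != 0)
        return -EFAULT;
    return (long)n;
}

/* Same test audit_string_contains_control() applies before printing raw. */
static int audit_buf_needs_hex(const unsigned char *p, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (p[i] == '"' || p[i] < 0x21 || p[i] > 0x7e)
            return 1;
    return 0;
}

/*
 * Render captured bytes the way audit_log_n_untrustedstring() does: a quoted
 * string if every byte is printable, otherwise uppercase hex with no quotes,
 * so a user-chosen payload cannot inject quotes, newlines or fake fields
 * into the audit record. Returns characters written (excluding the NUL), or
 * -1 if 'out' is too small.
 */
static int audit_format_untrusted(const unsigned char *buf, size_t len,
                                  char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t i, pos = 0;

    if (audit_buf_needs_hex(buf, len)) {
        if (outsz < 2 * len + 1)
            return -1;
        for (i = 0; i < len; i++) {
            out[pos++] = hex[buf[i] >> 4];
            out[pos++] = hex[buf[i] & 0x0f];
        }
    } else {
        if (outsz < len + 3)
            return -1;
        out[pos++] = '"';
        memcpy(out + pos, buf, len);
        pos += len;
        out[pos++] = '"';
    }
    out[pos] = '\0';
    return (int)pos;
}

/*
 * Whole path for write(2): a1 (buffer address) and a2 (length) as audit
 * records them -> bounded capture -> log-safe text. Returns characters
 * written to 'out', or a negative errno.
 */
static long audit_render_write_arg(unsigned long a1, unsigned long a2,
                                   char *out, size_t outsz)
{
    unsigned char tmp[AUDIT_BUF_CAP];
    long n = audit_capture_user_buf(a1, a2, tmp, sizeof(tmp));

    if (n < 0)
        return n;
    return audit_format_untrusted(tmp, (size_t)n, out, outsz);
}

#ifndef __KERNEL__
int main(void)
{
    /* Constructed sample: what write(1, buf, 14) carries in a1/a2. */
    const char buf[] = "GET / HTTP/1.0";
    char out[2 * AUDIT_BUF_CAP + 3];
    long n = audit_render_write_arg((unsigned long)(uintptr_t)buf,
                                    sizeof(buf) - 1, out, sizeof(out));

    printf("%ld %s\n", n, n < 0 ? "(fault)" : out);
    return 0;
}
#endif
```

The cap matters twice: a2 is whatever the process passed to write(), so an unbounded copy is a trivial way for user space to stall the syscall exit path or overrun a stack buffer, and in the exit hook the buffer may already have been rewritten by another thread of the same process, so what is captured is "what the page holds now", not necessarily what the kernel wrote.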