linux-audit.redhat.com archive mirror
* [PATCH] revert: 1320a4052ea1 ("audit: trigger accompanying records when no rules present")
@ 2020-07-28 21:09 Paul Moore
  2020-07-29 14:05 ` Paul Moore
  0 siblings, 1 reply; 2+ messages in thread
From: Paul Moore @ 2020-07-28 21:09 UTC (permalink / raw)
  To: linux-audit

Unfortunately the commit listed in the subject line above failed
to ensure that the task's audit_context was properly initialized/set
before enabling the "accompanying records".  Depending on the
situation, the resulting audit_context could have invalid values in
some of its fields which could cause a kernel panic/oops when the
task/syscall exists and the audit records are generated.

We will revisit the original patch, with the necessary fixes, in a
future kernel but right now we just want to fix the kernel panic
with the least amount of added risk.

Cc: stable@vger.kernel.org
Fixes: 1320a4052ea1 ("audit: trigger accompanying records when no rules present")
Reported-by: j2468h@googlemail.com
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 kernel/audit.c   |    1 -
 kernel/audit.h   |    8 --------
 kernel/auditsc.c |    3 +++
 3 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index e33460e01b3b..9bf2b08b051f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1848,7 +1848,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 	}
 
 	audit_get_stamp(ab->ctx, &t, &serial);
-	audit_clear_dummy(ab->ctx);
 	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
 			 (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
 
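Review bot: dropping the audit_clear_dummy(ab->ctx) call after audit_get_stamp() means audit_log_start() no longer touches ctx->dummy for any record type, so every caller that depended on that side effect loses it at once. The description should say which accompanying records stop being emitted as a result, so the planned rework has a list to restore against.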
diff --git a/kernel/audit.h b/kernel/audit.h
index f0233dc40b17..ddc22878433d 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -290,13 +290,6 @@ extern int audit_signal_info_syscall(struct task_struct *t);
 extern void audit_filter_inodes(struct task_struct *tsk,
 				struct audit_context *ctx);
 extern struct list_head *audit_killed_trees(void);
-
-static inline void audit_clear_dummy(struct audit_context *ctx)
-{
-	if (ctx)
-		ctx->dummy = 0;
-}
-
 #else /* CONFIG_AUDITSYSCALL */
 #define auditsc_get_stamp(c, t, s) 0
 #define audit_put_watch(w) {}
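Review bot: the removed audit_clear_dummy() helper in the CONFIG_AUDITSYSCALL branch only wrote ctx->dummy = 0 behind a NULL check and set up nothing else in the context, which matches the uninitialized-state problem the description names. When the feature is reworked, the replacement should initialize the context before clearing dummy, and a comment on the helper stating that precondition would keep the call from being added back at a site where the context is not ready.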
@@ -330,7 +323,6 @@ static inline int audit_signal_info_syscall(struct task_struct *t)
 }
 
 #define audit_filter_inodes(t, c) AUDIT_DISABLED
-#define audit_clear_dummy(c) {}
 #endif /* CONFIG_AUDITSYSCALL */
 
 extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 468a23390457..fd840c40abf7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1417,6 +1417,9 @@ static void audit_log_proctitle(void)
 	struct audit_context *context = audit_context();
 	struct audit_buffer *ab;
 
+	if (!context || context->dummy)
+		return;
+
 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
 	if (!ab)
 		return;	/* audit_panic or being filtered */
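Review bot: the restored "if (!context || context->dummy)" early return at the top of audit_log_proctitle() carries no comment, while the "if (!ab)" return just below it does. A one-line comment saying that a NULL or dummy context means no AUDIT_PROCTITLE record is wanted would record why the guard has to stay until the context is initialized properly, and the description could state that this is the only guard the revert needs to put back.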

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit



* Re: [PATCH] revert: 1320a4052ea1 ("audit: trigger accompanying records when no rules present")
  2020-07-28 21:09 [PATCH] revert: 1320a4052ea1 ("audit: trigger accompanying records when no rules present") Paul Moore
@ 2020-07-29 14:05 ` Paul Moore
  0 siblings, 0 replies; 2+ messages in thread
From: Paul Moore @ 2020-07-29 14:05 UTC (permalink / raw)
  To: linux-audit

On Tue, Jul 28, 2020 at 5:09 PM Paul Moore <paul@paul-moore.com> wrote:
>
> Unfortunately the commit listed in the subject line above failed
> to ensure that the task's audit_context was properly initialized/set
> before enabling the "accompanying records".  Depending on the
> situation, the resulting audit_context could have invalid values in
> some of its fields which could cause a kernel panic/oops when the
> task/syscall exists and the audit records are generated.
>
> We will revisit the original patch, with the necessary fixes, in a
> future kernel but right now we just want to fix the kernel panic
> with the least amount of added risk.
>
> Cc: stable@vger.kernel.org
> Fixes: 1320a4052ea1 ("audit: trigger accompanying records when no rules present")
> Reported-by: j2468h@googlemail.com
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  kernel/audit.c   |    1 -
>  kernel/audit.h   |    8 --------
>  kernel/auditsc.c |    3 +++
>  3 files changed, 3 insertions(+), 9 deletions(-)

William pointed out a misspelling in the patch description above,
which I just fixed.  Unfortunately I had already pushed the patch to
audit/stable-5.8 so I did a force-push to correct the spelling;
normally I wouldn't do something like that for such a trivial matter,
but since it is unlikely anyone is based off the audit/stable-5.8
branch this seemed like an okay time to do that.

I'll be sending a PR to Linus shortly.

-- 
paul moore
www.paul-moore.com
