audit_add_watch stores locally krule->watch without taking a reference
on watch. Then, it calls audit_add_to_parent, and uses the watch stored
locally.
Unfortunately, it is possible that audit_add_to_parent updates
krule->watch.
When it happens, it also drops a reference to watch, which
could free the watch.
How to reproduce (with KASAN enabled):
auditctl -w /etc/passwd -F success=0 -k test_passwd
auditctl -w /etc/passwd -F success=1 -k test_passwd2
The second call to auditctl triggers the use-after-free, because
audit_add_to_parent updates krule->watch to use a previously existing watch
and drops the reference to the newly created watch.
To fix the issue, we grab a reference to watch and we release it at the
end of the function.
Signed-off-by: Ronny Chevalier <ronny.chevalier(a)hp.com>
---
v3:
- Move audit_get_watch before audit_get_nd since it is using it
and call audit_put_watch if it fails.
v2:
- Move audit_get_watch before audit_find_parent. In the case of
audit_get_nd failing.
---
kernel/audit_watch.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 6f249bdf2d84..787c7afdf829 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -420,6 +420,13 @@ int audit_add_watch(struct audit_krule *krule, struct list_head **list)
struct path parent_path;
int h, ret = 0;
+ /*
+ * When we will be calling audit_add_to_parent, krule->watch might have
+ * been updated and watch might have been freed.
+ * So we need to keep a reference of watch.
+ */
+ audit_get_watch(watch);
+
mutex_unlock(&audit_filter_mutex);
/* Avoid calling path_lookup under audit_filter_mutex. */
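Review bot: the new comment block reads awkwardly ("When we will be calling ... might have been updated") and does not name the pointer at risk; suggest rewording it to something like `/* audit_add_to_parent() may replace krule->watch and drop its reference, freeing the watch this function still uses; hold our own reference across that call. */`. Taking the reference here, while audit_filter_mutex is still held and before audit_get_nd() runs, matches the v3 changelog and is the right spot.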
@@ -428,8 +435,10 @@ int audit_add_watch(struct audit_krule *krule, struct list_head **list)
/* caller expects mutex locked */
mutex_lock(&audit_filter_mutex);
- if (ret)
+ if (ret) {
+ audit_put_watch(watch);
return ret;
+ }
/* either find an old parent or attach a new one */
parent = audit_find_parent(d_backing_inode(parent_path.dentry));
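Review bot: the audit_get_nd() failure path now needs its own audit_put_watch() because it returns before the error: label, and it is the one exit that must not reach that label (the label also runs path_put() on a parent_path that audit_get_nd() never filled in). The pairing is correct; a one-line comment on the early return would stop a later cleanup from folding it into a goto error.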
@@ -447,6 +456,7 @@ int audit_add_watch(struct audit_krule *krule, struct list_head **list)
*list = &audit_inode_hash[h];
error:
path_put(&parent_path);
+ audit_put_watch(watch);
return ret;
}
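Review bot: the audit_put_watch() at error: balances the get taken at the top of the function on every remaining exit, since the success path falls through `*list = &audit_inode_hash[h];` into the label. Note this put only drops the function's own extra reference; krule->watch, whether still the original or the one audit_add_to_parent() switched to, keeps its own reference, so nothing is released early here.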
--
2.18.0
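A constructed C model of the lifecycle the commit message describes, added here as an illustration and not taken from the kernel: a refcounted watch, a parent that already holds an equivalent watch, and an add_to_parent() that switches the rule to the existing watch and drops the new one. The names (get_watch, put_watch, add_to_parent, two_rules_same_path) and the "freed" flag standing in for kfree are assumptions of this model.

```c
#include <assert.h>
#include <string.h>

/* Constructed model of the audit_add_watch() lifecycle, not kernel code.
 * "freed" stands in for the kfree that leaves a cached pointer dangling. */
struct watch { int refs; int freed; const char *path; };
struct krule { struct watch *watch; };

static void get_watch(struct watch *w) { assert(!w->freed); w->refs++; }
static void put_watch(struct watch *w) { assert(!w->freed); if (--w->refs == 0) w->freed = 1; }
static struct watch *parent_watch;  /* the parent's existing watch, if any */

/* Models audit_add_to_parent(): if the parent already has an equivalent
 * watch, the rule is switched to it and the new watch loses its only
 * reference, i.e. it is freed while the caller still holds a pointer. */
static void add_to_parent(struct krule *krule)
{
    if (parent_watch && strcmp(parent_watch->path, krule->watch->path) == 0) {
        get_watch(parent_watch);
        put_watch(krule->watch);      /* may free the caller's local copy */
        krule->watch = parent_watch;
    } else {
        parent_watch = krule->watch;  /* parent adopts the new watch */
    }
}

/* Returns 1 if the locally cached pointer is still valid after
 * add_to_parent(), 0 if it now points at freed memory.
 * hold_ref = 0 is the unpatched flow, hold_ref = 1 the patched one. */
static int add_watch(struct krule *krule, int hold_ref)
{
    struct watch *watch = krule->watch;   /* local copy, as in the kernel */
    if (hold_ref)
        get_watch(watch);                 /* the fix: pin it across the call */
    add_to_parent(krule);
    int still_valid = !watch->freed;      /* the later use of `watch` */
    if (hold_ref)
        put_watch(watch);                 /* released at the end, as in the patch */
    return still_valid;
}

/* Two rules on the same path, like the two auditctl invocations. */
static int two_rules_same_path(int hold_ref)
{
    struct watch w1 = { 1, 0, "/etc/passwd" }, w2 = { 1, 0, "/etc/passwd" };
    struct krule r1 = { &w1 }, r2 = { &w2 };
    parent_watch = NULL;
    add_watch(&r1, hold_ref);
    return add_watch(&r2, hold_ref);      /* 0 = use-after-free, 1 = safe */
}
```

The second rule is the one that trips the unpatched flow: its fresh watch is dropped by add_to_parent() and the cached local pointer is then dereferenced.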
Commit c72051d5778a ("audit: use ktime_get_coarse_ts64() for time
access") converted audit's use of current_kernel_time64() to the
new ktime_get_coarse_ts64() function. Unfortunately this resulted
in incorrect timestamps, e.g. events stamped with the year 1969
despite it being 2018. This patch corrects this by using
ktime_get_coarse_real_ts64() just like the current_kernel_time64()
wrapper.
Fixes: c72051d5778a ("audit: use ktime_get_coarse_ts64() for time access")
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
kernel/audit.c | 2 +-
kernel/auditsc.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index e17bc697d11c..2a8058764aa6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1721,7 +1721,7 @@ static inline void audit_get_stamp(struct audit_context *ctx,
struct timespec64 *t, unsigned int *serial)
{
if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
- ktime_get_coarse_ts64(t);
+ ktime_get_coarse_real_ts64(t);
*serial = audit_serial();
}
}
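Review bot: ktime_get_coarse_ts64() is the coarse CLOCK_MONOTONIC reader (time since boot), which is why records decoded to dates around the epoch after c72051d5778a; ktime_get_coarse_real_ts64() is the coarse CLOCK_REALTIME reader and therefore the like-for-like replacement for the old current_kernel_time64() wrapper. The Fixes: tag is in place, and both audit call sites converted by that commit are corrected in this one patch, so nothing looks missed.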
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f6a0cb32d76e..fb207466e99b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1543,7 +1543,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
context->in_syscall = 1;
context->current_state = state;
context->ppid = 0;
- ktime_get_coarse_ts64(&context->ctime);
+ ktime_get_coarse_real_ts64(&context->ctime);
}
/**
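Added illustration of the symptom the commit message reports, not code from the patch: the calendar year you get when a timestamp from a monotonic clock (modelled by CLOCK_MONOTONIC, standing in for the kernel's coarse monotonic reader) versus a realtime clock (CLOCK_REALTIME, standing in for ktime_get_coarse_real_ts64()) is decoded as seconds since the epoch. The threshold year 2018 is taken from the commit message.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>

/* Added illustration, not from the patch: the calendar year that a
 * timestamp read from a given POSIX clock decodes to. The kernel's
 * ktime_get_coarse_ts64() reads the coarse monotonic clock, modelled here
 * by CLOCK_MONOTONIC (seconds since boot); ktime_get_coarse_real_ts64()
 * reads the coarse realtime clock, modelled by CLOCK_REALTIME. */
static int stamp_year(clockid_t clk)
{
    struct timespec ts;
    struct tm tm;
    if (clock_gettime(clk, &ts) != 0 || gmtime_r(&ts.tv_sec, &tm) == NULL)
        return -1;
    return tm.tm_year + 1900;
}

/* 1 when the clock yields a plausible wall-clock year, 0 when it looks like
 * seconds-since-boot being decoded as seconds-since-epoch (dates in 1970,
 * or 1969 after a local-time conversion west of UTC), as the broken
 * audit records did. */
static int looks_like_wall_clock(clockid_t clk)
{
    return stamp_year(clk) >= 2018;
}

int main(void)
{
    printf("CLOCK_MONOTONIC -> %d (what the converted audit code stamped)\n",
           stamp_year(CLOCK_MONOTONIC));
    printf("CLOCK_REALTIME  -> %d (what the fix restores)\n",
           stamp_year(CLOCK_REALTIME));
    return 0;
}
```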
Make some tree and watch rule logging cleanups before applying
normalizations and record connections for ghak 59.
See: https://github.com/linux-audit/audit-kernel/issues/50
Richard Guy Briggs (2):
audit: tree: check audit_enabled
audit: watch: simplify audit_enabled check
kernel/audit_tree.c | 2 ++
kernel/audit_watch.c | 29 +++++++++++++++--------------
2 files changed, 17 insertions(+), 14 deletions(-)
--
1.8.3.1
Hello,
this series addresses the problems I have identified when trying to understand
how exactly kernel/audit_tree.c is using the generic fsnotify framework. I hope
I have understood all the interactions right, but careful review is certainly
welcome (CCing Al as he was the one implementing this code originally).
The patches have been tested by a stress test I have written which mounts and
unmounts filesystems in the directory tree while adding and removing audit
rules for this tree in parallel and accessing the tree to generate events.
Still, some real-world testing would be welcome.
Honza
audit_add_watch stores locally krule->watch without taking a reference
on watch. Then, it calls audit_add_to_parent, and uses the watch stored
locally.
Unfortunately, it is possible that audit_add_to_parent updates
krule->watch.
When it happens, it also drops a reference to watch, which
could free the watch.
How to reproduce (with KASAN enabled):
auditctl -w /etc/passwd -F success=0 -k test_passwd
auditctl -w /etc/passwd -F success=1 -k test_passwd2
The second call to auditctl triggers the use-after-free, because
audit_add_to_parent updates krule->watch to use a previously existing watch
and drops the reference to the newly created watch.
To fix the issue, we grab a reference to watch and we release it at the
end of the function.
Signed-off-by: Ronny Chevalier <ronny.chevalier(a)hp.com>
---
v2:
- Move audit_get_watch before audit_find_parent. In the case of
audit_get_nd failing.
---
kernel/audit_watch.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index f1ba88994508..6d9b3f2bb1e2 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -430,6 +430,14 @@ int audit_add_watch(struct audit_krule *krule, struct list_head **list)
if (ret)
return ret;
+ /*
+ * When we will be calling audit_add_to_parent, krule->watch might have
+ * been updated and watch might have been freed.
+ * So we need to keep a reference of watch.
+ */
+
+ audit_get_watch(watch);
+
/* either find an old parent or attach a new one */
parent = audit_find_parent(d_backing_inode(parent_path.dentry));
if (!parent) {
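Review bot: there is a stray empty `+` line between the comment block and the audit_get_watch(watch) call it documents; drop it so the comment attaches to the call. Also, because the get sits after the `if (ret) return ret;` early exit, the audit_get_nd() call above it has already used the watch with no reference held, which is the gap the v3 changelog addresses by moving audit_get_watch() before audit_get_nd().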
@@ -446,6 +454,7 @@ int audit_add_watch(struct audit_krule *krule, struct list_head **list)
*list = &audit_inode_hash[h];
error:
path_put(&parent_path);
+ audit_put_watch(watch);
return ret;
}
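Review bot: the audit_put_watch() at error: is balanced against the get in the previous hunk for every exit that reaches the label; in this version no put is needed on the audit_get_nd() failure return because the get is only taken after that early return, which is worth stating in the commit message so the asymmetry with later revisions is understood.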
--
2.17.1