On Tue, Sep 12, 2006 at 04:49:47PM -0400, John D. Ramsdell wrote:
+static const char *elide(const char *str)
+{
+ static char buf[1025];
+
+ if (strnlen(str, 1025) >= 1025) {
+ memcpy(buf, str, 1021);
+ buf[1021] = '.';
+ buf[1022] = '.';
+ buf[1023] = '.';
+ buf[1024] = '\0';
+ return buf;
+ }
+
+ return str;
+}
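Review bot: the single `static char buf[1025]` in elide() is returned to every caller, so two audit_log_exit() calls running at once (different CPUs, or one preempting the other) overwrite each other's elided string while it is still being logged; pass the caller's own buffer instead, e.g. `static const char *elide(const char *str, char *buf, size_t len)`, or hold a lock around the copy and the log call. The arithmetic itself is fine (1021 bytes + "..." + NUL = 1025), but note that `strnlen(str, 1025)` and `memcpy()` walk whatever address they are given, so this helper is only safe on strings that already live in kernel memory.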
... serialized by...?
static void audit_log_exit(struct audit_context *context, gfp_t
gfp_mask)
{
int i;
@@ -820,6 +851,16 @@ static void audit_log_exit(struct audit_
audit_log_format(ab, " success=%s exit=%ld",
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
context->return_code);
+
+ switch (context->major) {
+ case __NR_open:
+ audit_log_format(ab, " filename=");
+ audit_log_untrustedstring(ab,
+ elide((const char *)context->argv[0]));
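Review bot: in the `__NR_open` case, `context->argv[0]` is the raw pathname pointer the task passed to open(2), so casting it to `const char *` and handing it to elide() makes the kernel run strnlen()/memcpy() directly on a user-supplied address with no access_ok() check and no copy from user space; fetch it with strncpy_from_user() into a kernel buffer (and handle the error return) before logging, rather than dereferencing the syscall argument. Separately, `switch (context->major)` against the native `__NR_open` does not identify open() for a 32-bit task on a biarch kernel, so the case needs an arch/compat check as well.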
Oh, lovely. So let me see if I've got it right - now anybody can trigger
reading from any location in kernel memory. Including iomem. Or not mapped
address range - less interesting (oops instead of mangling hardware), but
easier to guess.
BTW, you still have a problem with __NR_open on biarch targets...