ASAN still reports a one-byte read underrun in path_norm() from libauparse
by Bogdan Harjoc
Hello,
the function path_norm() from libauparse.so in audit-4.1.1 still reads one
byte below the allocated "working" buffer and triggers AddressSanitizer and
valgrind reports for inputs like "a/../.." or "a/.././..".
Attached is a test that produces the asan report.
Process paths like these were generated when processing audit syscall
events for clone and probably others.
Most of the read underruns in path_norm() were fixed in 2025 and the issue
mentioned above is apparently the only one remaining in that code.
Would replacing the while loop with the code below ensure that path_norm
does not read below the "working" buffer?
- while (dest > rpath && (--dest)[-1] != '/');
+ char *slash = (char *)memrchr(rpath, '/', dest - rpath);
+ if (slash)
+ dest = (slash == rpath) ? (rpath + 1) : slash;
+ else
+ dest = rpath;
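Review bot: the replacement moves dest to a different position than the dropped loop did: the loop stopped with dest one past a '/', while the memrchr() form sets dest = slash, i.e. on the slash itself (only the slash == rpath case yields rpath + 1), and it also searches dest[-1], which the loop never examined, so when dest[-1] is a '/' the new code steps back one byte rather than one component. Worth checking against the surrounding path_norm() code whether dest is expected to sit on or after the separator; if after, search `dest - rpath - 1` bytes when dest > rpath and assign `dest = slash + 1`. On the underrun itself the change is sound: the old guard `dest > rpath` still lets `(--dest)[-1]` read rpath[-1] once dest == rpath + 1, which matches the one-byte underrun reported, whereas memrchr() only touches [rpath, dest). Note that memrchr() is a GNU extension and needs _GNU_SOURCE (or an existing local replacement) to be declared.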
Regards,
Bogdan Harjoc
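An added example, not libauparse's path_norm() and not code from this thread: a small normalizer for "." and ".." components whose back-up step is bounded the same way the memrchr() proposal above is, so that inputs like "a/../.." and "a/.././.." never read below the output buffer. The names norm_path, emit and norm_eq are hypothetical; the code assumes glibc for memrchr() and the inputs in main() are constructed.

```c
#define _GNU_SOURCE             /* memrchr() is a GNU extension; assumes glibc */
#include <stdio.h>
#include <string.h>
/* Prototype in case _GNU_SOURCE was not in effect when <string.h> was first seen. */
void *memrchr(const void *s, int c, size_t n);

/* Append n bytes to *dest, refusing if that would leave no room for the NUL. */
static int emit(char **dest, const char *end, const char *s, size_t n)
{
    if ((size_t)(end - *dest) <= n)
        return 0;
    memcpy(*dest, s, n);
    *dest += n;
    return 1;
}

/* Hypothetical normalizer, not libauparse's path_norm(): collapses "." and
 * ".." components of a relative or absolute path into out[outsz]. Each
 * component is kept with a trailing '/', dropped once at the end. Leading
 * ".." on a relative path is preserved; ".." at the root is ignored.
 * Returns out, or NULL if the result does not fit. */
char *norm_path(const char *in, char *out, size_t outsz)
{
    char *dest = out, *end = out + outsz;
    const char *p = in;

    if (outsz == 0)
        return NULL;
    if (*p == '/') {                    /* absolute path: keep the root */
        if (!emit(&dest, end, "/", 1))
            return NULL;
        while (*p == '/')
            p++;
    }
    while (*p) {
        const char *comp = p;
        size_t len;

        while (*p && *p != '/')
            p++;
        len = (size_t)(p - comp);
        while (*p == '/')               /* collapse repeated separators */
            p++;

        if (len == 1 && comp[0] == '.')
            continue;                   /* "." changes nothing */
        if (len == 2 && comp[0] == '.' && comp[1] == '.') {
            size_t have = (size_t)(dest - out);
            char *slash, *prev;
            if (have == 1 && out[0] == '/')
                continue;               /* already at the root */
            if (have == 0) {            /* nothing to pop: keep the ".." */
                if (!emit(&dest, end, "../", 3))
                    return NULL;
                continue;
            }
            /* Find the '/' before the last component. The search covers only
             * [out, dest - 1), so no byte below out is ever read, unlike a
             * loop that decrements the pointer before testing it. */
            slash = memrchr(out, '/', have - 1);
            prev = slash ? slash + 1 : out;
            if (dest - prev == 3 && prev[0] == '.' && prev[1] == '.') {
                if (!emit(&dest, end, "../", 3))
                    return NULL;        /* previous is "..": stack another */
                continue;
            }
            dest = prev;                /* pop the previous component */
            continue;
        }
        if (!emit(&dest, end, comp, len) || !emit(&dest, end, "/", 1))
            return NULL;
    }
    if (dest == out) {                  /* everything cancelled out */
        if (!emit(&dest, end, ".", 1))
            return NULL;
    } else if (dest > out + 1 && dest[-1] == '/') {
        dest--;                         /* drop the trailing separator */
    }
    *dest = '\0';
    return out;
}

/* Normalize into a local buffer and compare with the expected result. */
int norm_eq(const char *in, const char *expect)
{
    char buf[64];
    char *r = norm_path(in, buf, sizeof buf);
    return r != NULL && strcmp(r, expect) == 0;
}

int main(void)
{
    /* Constructed inputs, including the two from the report above. */
    const char *samples[] = { "a/../..", "a/.././..", "/a/../..", "a/../../b" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], norm_path(samples[i], buf, sizeof buf));
    return 0;
}
```

Built with `-fsanitize=address` the program stays clean on the reported inputs because every backward search is expressed as a length over the bytes already written, never as a pointer that is decremented and then dereferenced.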
[PATCH v2] audit: record fanotify event regardless of presence of rules
by Richard Guy Briggs
When no audit rules are in place, fanotify event results are
unconditionally dropped due to an explicit check for the existence of
any audit rules. Given this is a report from another security
sub-system, allow it to be recorded regardless of the existence of any
audit rules.
To test, install and run the fapolicyd daemon with default config. Then
as an unprivileged user, create and run a very simple binary that should
be denied. Then check for an event with
ausearch -m FANOTIFY -ts recent
Link: https://issues.redhat.com/browse/RHEL-9065
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
changelog:
v2
- re-add audit_enabled check
---
include/linux/audit.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index a394614ccd0b..e3f06eba9c6e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -527,7 +527,7 @@ static inline void audit_log_kern_module(const char *name)
static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
{
- if (!audit_dummy_context())
+ if (audit_enabled)
__audit_fanotify(response, friar);
}
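Review bot: with the guard now keyed only on audit_enabled, a fanotify denial produces a record on every occurrence on systems with no rules loaded, which is the stated intent but is also the volume the no-rules suppression exists to avoid; the commit message should say what bounds that volume (or that nothing beyond what fapolicyd itself emits is expected). Since audit_enabled is still required, the test steps should also note that auditing must be enabled (auditd running, or `auditctl -e 1`) even though no rules need to be present, otherwise the ausearch check will show nothing.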
--
2.43.5
[PATCH v1 0/2] override audit silence norule for fs cases
by Richard Guy Briggs
The audit subsystem normally suppresses output when there are no rules
present to avoid overwhelming the user with unwanted messages. It could
be argued that another security subsystem would generally want to
override that default. Allow them through for fsnotify and filesystem
security violations.
Richard Guy Briggs (2):
audit: record fanotify event regardless of presence of rules
audit: record AUDIT_ANOM_* events regardless of presence of rules
include/linux/audit.h | 8 +-------
kernel/audit.c | 2 +-
kernel/auditsc.c | 2 +-
3 files changed, 3 insertions(+), 9 deletions(-)
--
2.43.5