Stephen Smalley wrote:
>Sort of. It fixes the one you saw. However, the corruption Peter
>was chasing is probably not related. This was a userspace fix. I think there is a
>separate kernel side one that's been discussed in the SE Linux mail list.
Yes, we saw corruption in the SELinux avc messages prior to any use of
auditd at all, when everything was still being handled by klogd.
This is my guess, though: lines 356 and 372 in audit.c look suspicious.
        audit_log_format(ab, "login pid=%d uid=%d loginuid=%d"
                         " length=%d msg='%.1024s'",
                         pid, uid,
                         login->loginuid,
                         login->msglen,
                         login->msg);
It assumes msg is a C string, but guess what if it is not. It tries to print 1024 bytes
in the worst case. It is probably safer to change this line to:
        audit_log_format(ab, "login pid=%d uid=%d loginuid=%d"
                         " length=%d msg='%.*s'",
                         pid, uid,
                         login->loginuid,
                         login->msglen,
                         login->msglen,
                         login->msg);
It won't add overhead, since either way it passes the length.
I noticed it a while back but didn't report it 'cuz I'm not 100%
sure if null termination of the msg string is always guaranteed or not.
If so, then there could be some other kernel thread stomping on its tail...
Hope this helps.
-- Junji
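As an added userspace illustration (not from the thread and not kernel code), the two format strings from the mail applied to a constructed message buffer that is not NUL-terminated; the record struct, the backing bytes and the helper names are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's audit login record (not kernel code):
 * msg is a byte buffer of msglen bytes, not guaranteed to be NUL-terminated. */
struct login_rec {
    int loginuid;
    int msglen;
    const char *msg;
};

/* Format from the mail: "%.1024s" caps output at 1024 bytes but still scans
 * msg for a NUL, so bytes past msglen are copied if none is there. */
int format_login_fixed_precision(char *out, size_t outsz, int pid, int uid,
                                 const struct login_rec *login)
{
    return snprintf(out, outsz, "login pid=%d uid=%d loginuid=%d"
                    " length=%d msg='%.1024s'",
                    pid, uid, login->loginuid, login->msglen, login->msg);
}

/* Suggested fix: "%.*s" takes its precision from msglen, so at most msglen
 * bytes are read and no terminator is needed. */
int format_login_msglen(char *out, size_t outsz, int pid, int uid,
                        const struct login_rec *login)
{
    return snprintf(out, outsz, "login pid=%d uid=%d loginuid=%d"
                    " length=%d msg='%.*s'",
                    pid, uid, login->loginuid, login->msglen,
                    login->msglen, login->msg);
}

/* Constructed backing store: the 5-byte message "hello" is followed by
 * unrelated bytes instead of a NUL, kept in one array so the demo is
 * well defined (a real over-read would leave the buffer entirely). */
static const char backing[] = "helloJUNK";

/* Returns 1 if fmt reproduces exactly the 5-byte message, 0 if it leaks. */
int message_is_contained(int (*fmt)(char *, size_t, int, int,
                                    const struct login_rec *))
{
    char out[256];
    struct login_rec rec = { .loginuid = 500, .msglen = 5, .msg = backing };
    fmt(out, sizeof out, 1234, 0, &rec);
    return strcmp(out,
                  "login pid=1234 uid=0 loginuid=500 length=5 msg='hello'") == 0;
}
```

Calling message_is_contained with each formatter shows the "%.1024s" form copying the trailing bytes and the "%.*s" form stopping at msglen.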