I can't comment on the concept, but have one nit.
On Mon, Jan 06, 2014 at 07:30:30AM -0800, William Roberts wrote:
+static void audit_log_cmdline(struct audit_buffer *ab, struct
task_struct *tsk,
+ struct audit_context *context)
+{
+ int res;
+ char *buf;
+ char *msg = "(null)";
+ audit_log_format(ab, " cmdline=");
+
+ /* Not cached */
+ if (!context->cmdline) {
+ buf = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!buf)
+ goto out;
+ res = get_cmdline(tsk, buf, PATH_MAX);
+ /* Ensure NULL terminated */
+ if (buf[res-1] != '\0')
+ buf[res-1] = '\0';
This accesses memory below the buffer if get_cmdline returned 0, which I
believe will be the case when someone jokingly unmaps the area (also
maybe when it is swapped out but can't be swapped in due to I/O errors).
Also since you are just putting 0 in there anyway I don't see much point
in testing for it.
+ context->cmdline = buf;
+ }
+ msg = context->cmdline;
+out:
+ audit_log_untrustedstring(ab, msg);
+}
+
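Review bot: The buffer that get_cmdline() fills is the process's argument block, in which the individual arguments are separated by NUL bytes, so audit_log_untrustedstring() on the `out:` path — which takes a plain C string — will stop at the first separator and record only the first argument; the in-place NUL termination at `buf[res-1]` does nothing to change that. Since `res` is the number of bytes actually copied, it is worth keeping it next to the cached pointer (e.g. a new `cmdline_len` field in struct audit_context) and emitting the value with the length-aware variant, `audit_log_n_untrustedstring(ab, context->cmdline, context->cmdline_len);`, which also makes the manual terminator write unnecessary. A caller that later sees the cached pointer must also get the cached length, which the current single-pointer cache cannot provide. As a minor point, `msg` only ever points at a string literal or the cached buffer and is passed to a const parameter, so `const char *msg = "(null)";` is the more accurate declaration.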
--
Mateusz Guzik