On Thu, 11 Sep 2008 00:23:38 +0200
Miloslav Trmač <mitr(a)redhat.com> wrote:
> audit_string_contains_control() stops checking at the first NUL
> byte.
>
> If audit_string_contains_control() returns FALSE,
> audit_log_n_untrustedstring() submits the complete string - including
> the NUL byte and all following bytes, up to the specified maximum length
> - to audit_log_n_string(), which copies the data unchanged into the
> audit record.
>
> The audit record can thus contain a NUL byte (and some unchecked data
> after that). Because the user-space audit daemon treats audit records
> as NUL-terminated strings, an untrusted string that is shorter than the
> specified maximum length effectively terminates the audit record.
>
> This patch modifies audit_log_n_untrustedstring() to only log the data
> before the first NUL byte, if any.

It's unclear how serious this problem is. Do you believe that it is
sufficiently serious to warrant merging these fixes into 2.6.27?
2.6.26.x? 2.6.25.x?
Thanks.
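
The truncation described in the quoted commit message, as an added user-space illustration that is not part of this thread or of the kernel source. The helper names, the `comm`/`exe` sample fields and the byte classes treated as control characters are assumptions of the sketch.

```c
#include <stdio.h>
#include <string.h>

/* User-space model, not kernel code. The scan ends at the first NUL byte;
 * which bytes count as "control" is an assumption of this sketch. */
static int contains_control(const char *s, size_t len)
{
    for (size_t i = 0; i < len && s[i]; i++)
        if (s[i] == '"' || (unsigned char)s[i] < 0x21 || (unsigned char)s[i] > 0x7e)
            return 1;
    return 0;
}

/* Append name=value; clamp=0 is the reported behaviour, clamp=1 the fix. */
static size_t log_untrusted(char *rec, size_t pos, const char *name,
                            const char *s, size_t n, int clamp)
{
    const char *nul = memchr(s, 0, n);
    if (clamp && nul) n = (size_t)(nul - s);  /* keep bytes before the NUL */
    pos += (size_t)sprintf(rec + pos, "%s=", name);
    if (contains_control(s, n)) {
        for (size_t i = 0; i < n; i++)  /* flagged data is hex-encoded */
            pos += (size_t)sprintf(rec + pos, "%02X", (unsigned char)s[i]);
    } else {
        rec[pos++] = '"';
        memcpy(rec + pos, s, n);        /* copied unchanged, NUL included */
        pos += n;
        rec[pos++] = '"';
    }
    rec[pos++] = ' ';
    return pos;
}

/* Bytes of a constructed two-field record that a NUL-terminated reader sees. */
static size_t visible_bytes(int clamp, size_t *total)
{
    static const char comm[16] = "sh";  /* constructed: 2 bytes + NUL padding */
    char rec[128] = {0};
    size_t pos = log_untrusted(rec, 0, "comm", comm, sizeof(comm), clamp);
    *total = log_untrusted(rec, pos, "exe", "/bin/true", 9, clamp);
    return strlen(rec);
}

int main(void)
{
    size_t t0, t1, v0 = visible_bytes(0, &t0), v1 = visible_bytes(1, &t1);
    printf("unpatched: %zu of %zu visible; patched: %zu of %zu\n", v0, t0, v1, t1);
    return 0;
}
```

With `clamp=0` the reader stops at `comm="sh`, so the `exe` field that follows in the same record is never seen; with `clamp=1` the whole record is visible.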