Re: [patch 058/209] audit: rework execve audit
Hi,
I was testing our rawhide kernel and I'm scrolling these errors:
WARNING: at kernel/auditsc.c:859 audit_log_execve_info() (Not tainted)
Call Trace:
[<ffffffff8106b06f>] audit_log_exit+0x5d7/0x964
[<ffffffff81050805>] trace_hardirqs_on+0x12e/0x151
[<ffffffff8106b60b>] audit_syscall_exit+0x9b/0x300
[<ffffffff8100ee62>] syscall_trace_leave+0x2c/0x87
[<ffffffff8100beb1>] int_very_careful+0x3a/0x43
From: Peter Zijlstra <a.p.zijlstra(a)chello.nl>
diff -puN kernel/auditsc.c~audit-rework-execve-audit kernel/auditsc.c
--- a/kernel/auditsc.c~audit-rework-execve-audit
+++ a/kernel/auditsc.c
@@ -831,6 +831,55 @@ static int audit_log_pid_context(struct
return rc;
}
+static void audit_log_execve_info(struct audit_buffer *ab,
+ struct audit_aux_data_execve *axi)
+{
+ int i;
+ long len, ret;
+ const char __user *p = (const char __user *)axi->mm->arg_start;
+ char *buf;
+
+ if (axi->mm != current->mm)
+ return; /* execve failed, no additional info */
+
+ for (i = 0; i < axi->argc; i++, p += len) {
+ len = strnlen_user(p, MAX_ARG_PAGES*PAGE_SIZE);
+ /*
+ * We just created this mm, if we can't find the strings
+ * we just copied into it something is _very_ wrong. Similar
+ * for strings that are too long, we should not have created
+ * any.
+ */
+ if (!len || len > MAX_ARG_STRLEN) {
+ WARN_ON(1);
+ send_sig(SIGKILL, current, 0);
+ }
Which is right here ^^^
Any ideas?
-Steve