When adding more formatted audit data to an skb for delivery to userspace,
the kernel will attempt to reuse an skb that has spare room. However, if
the audit message has already been fragmented to multiple skb's, the search
for spare room in the skb uses the head of the list. This will corrupt the
audit message with trailing bytes being placed midway through the stream.
Fix is to look at the end of the list.
Signed-off-by: Chris Wright <chrisw(a)osdl.org>
---
audit.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
kernel/audit.c: 4a697c73faec0b952d4b240e7c3fadef49313148
--- k/kernel/audit.c
+++ l/kernel/audit.c
@@ -486,7 +486,7 @@ static void audit_log_move(struct audit_
if (ab->len == 0)
return;
- skb = skb_peek(&ab->sklist);
+ skb = skb_peek_tail(&ab->sklist);
if (!skb || skb_tailroom(skb) <= ab->len + extra) {
skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC);
if (!skb) {
Show replies by date