Commit c32c8af4 authored by Al Viro's avatar Al Viro

sanitize AUDIT_MQ_SENDRECV

* logging the original value of *msg_prio in mq_timedreceive(2)
  is insane - the argument is write-only (i.e. syscall always
  ignores the original value and only overwrites it).
* merge __audit_mq_timed{send,receive}
* don't do copy_from_user() twice
* don't mess with allocations in auditsc part
* ... and don't bother checking !audit_enabled and !context in there -
  we'd already checked for audit_dummy_context().
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 20114f71
...@@ -451,8 +451,7 @@ extern int audit_sockaddr(int len, void *addr); ...@@ -451,8 +451,7 @@ extern int audit_sockaddr(int len, void *addr);
extern int __audit_fd_pair(int fd1, int fd2); extern int __audit_fd_pair(int fd1, int fd2);
extern int audit_set_macxattr(const char *name); extern int audit_set_macxattr(const char *name);
extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr); extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr);
extern int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout); extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
extern int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __user *u_msg_prio, const struct timespec __user *u_abs_timeout);
extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
...@@ -482,17 +481,10 @@ static inline int audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u ...@@ -482,17 +481,10 @@ static inline int audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u
return __audit_mq_open(oflag, mode, u_attr); return __audit_mq_open(oflag, mode, u_attr);
return 0; return 0;
} }
static inline int audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout) static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
{ {
if (unlikely(!audit_dummy_context())) if (unlikely(!audit_dummy_context()))
return __audit_mq_timedsend(mqdes, msg_len, msg_prio, u_abs_timeout); __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
return 0;
}
static inline int audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __user *u_msg_prio, const struct timespec __user *u_abs_timeout)
{
if (unlikely(!audit_dummy_context()))
return __audit_mq_timedreceive(mqdes, msg_len, u_msg_prio, u_abs_timeout);
return 0;
} }
static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
{ {
...@@ -550,8 +542,7 @@ extern int audit_signals; ...@@ -550,8 +542,7 @@ extern int audit_signals;
#define audit_sockaddr(len, addr) ({ 0; }) #define audit_sockaddr(len, addr) ({ 0; })
#define audit_set_macxattr(n) do { ; } while (0) #define audit_set_macxattr(n) do { ; } while (0)
#define audit_mq_open(o,m,a) ({ 0; }) #define audit_mq_open(o,m,a) ({ 0; })
#define audit_mq_timedsend(d,l,p,t) ({ 0; }) #define audit_mq_sendrecv(d,l,p,t) ((void)0)
#define audit_mq_timedreceive(d,l,p,t) ({ 0; })
#define audit_mq_notify(d,n) ((void)0) #define audit_mq_notify(d,n) ((void)0)
#define audit_mq_getsetattr(d,s) ((void)0) #define audit_mq_getsetattr(d,s) ((void)0)
#define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; }) #define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; })
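Review bot: The new `__audit_mq_sendrecv` prototype and the inline `audit_mq_sendrecv` wrapper take a plain `const struct timespec *abs_timeout` where the replaced pair took `__user` pointers, but nothing in the header says the argument must already be a kernel copy; a caller that passes a user pointer would, as far as I can tell, only be caught by an address-space annotation check. I would put `/* abs_timeout is a kernel copy (may be NULL); the syscall copies it in first */` above the extern declaration. The `!CONFIG_AUDITSYSCALL` stub `((void)0)` never evaluates its arguments, which matches `audit_mq_notify` and is consistent now that the wrapper is void.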
...@@ -524,31 +524,27 @@ static void __do_notify(struct mqueue_inode_info *info) ...@@ -524,31 +524,27 @@ static void __do_notify(struct mqueue_inode_info *info)
wake_up(&info->wait_q); wake_up(&info->wait_q);
} }
static long prepare_timeout(const struct timespec __user *u_arg) static long prepare_timeout(struct timespec *p)
{ {
struct timespec ts, nowts; struct timespec nowts;
long timeout; long timeout;
if (u_arg) { if (p) {
if (unlikely(copy_from_user(&ts, u_arg, if (unlikely(p->tv_nsec < 0 || p->tv_sec < 0
sizeof(struct timespec)))) || p->tv_nsec >= NSEC_PER_SEC))
return -EFAULT;
if (unlikely(ts.tv_nsec < 0 || ts.tv_sec < 0
|| ts.tv_nsec >= NSEC_PER_SEC))
return -EINVAL; return -EINVAL;
nowts = CURRENT_TIME; nowts = CURRENT_TIME;
/* first subtract as jiffies can't be too big */ /* first subtract as jiffies can't be too big */
ts.tv_sec -= nowts.tv_sec; p->tv_sec -= nowts.tv_sec;
if (ts.tv_nsec < nowts.tv_nsec) { if (p->tv_nsec < nowts.tv_nsec) {
ts.tv_nsec += NSEC_PER_SEC; p->tv_nsec += NSEC_PER_SEC;
ts.tv_sec--; p->tv_sec--;
} }
ts.tv_nsec -= nowts.tv_nsec; p->tv_nsec -= nowts.tv_nsec;
if (ts.tv_sec < 0) if (p->tv_sec < 0)
return 0; return 0;
timeout = timespec_to_jiffies(&ts) + 1; timeout = timespec_to_jiffies(p) + 1;
} else } else
return MAX_SCHEDULE_TIMEOUT; return MAX_SCHEDULE_TIMEOUT;
...@@ -829,17 +825,22 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr, ...@@ -829,17 +825,22 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
struct ext_wait_queue *receiver; struct ext_wait_queue *receiver;
struct msg_msg *msg_ptr; struct msg_msg *msg_ptr;
struct mqueue_inode_info *info; struct mqueue_inode_info *info;
struct timespec ts, *p = NULL;
long timeout; long timeout;
int ret; int ret;
ret = audit_mq_timedsend(mqdes, msg_len, msg_prio, u_abs_timeout); if (u_abs_timeout) {
if (ret != 0) if (copy_from_user(&ts, u_abs_timeout,
return ret; sizeof(struct timespec)))
return -EFAULT;
p = &ts;
}
if (unlikely(msg_prio >= (unsigned long) MQ_PRIO_MAX)) if (unlikely(msg_prio >= (unsigned long) MQ_PRIO_MAX))
return -EINVAL; return -EINVAL;
timeout = prepare_timeout(u_abs_timeout); audit_mq_sendrecv(mqdes, msg_len, msg_prio, p);
timeout = prepare_timeout(p);
ret = -EBADF; ret = -EBADF;
filp = fget(mqdes); filp = fget(mqdes);
...@@ -918,12 +919,17 @@ asmlinkage ssize_t sys_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr, ...@@ -918,12 +919,17 @@ asmlinkage ssize_t sys_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr,
struct inode *inode; struct inode *inode;
struct mqueue_inode_info *info; struct mqueue_inode_info *info;
struct ext_wait_queue wait; struct ext_wait_queue wait;
struct timespec ts, *p = NULL;
ret = audit_mq_timedreceive(mqdes, msg_len, u_msg_prio, u_abs_timeout); if (u_abs_timeout) {
if (ret != 0) if (copy_from_user(&ts, u_abs_timeout,
return ret; sizeof(struct timespec)))
return -EFAULT;
p = &ts;
}
timeout = prepare_timeout(u_abs_timeout); audit_mq_sendrecv(mqdes, msg_len, 0, p);
timeout = prepare_timeout(p);
ret = -EBADF; ret = -EBADF;
filp = fget(mqdes); filp = fget(mqdes);
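Review bot: `prepare_timeout` now rewrites `*p` in place (the `p->tv_sec -=` / `p->tv_nsec -=` lines), so the absolute timeout recorded by `audit_mq_sendrecv` is only correct because both syscalls call it before `prepare_timeout`; that ordering is load-bearing and undocumented. I would add `/* audit before prepare_timeout(): it turns *p into a relative time */` above each `audit_mq_sendrecv` call and note on `prepare_timeout` that it modifies its argument, since the parameter also lost its `const`. The copy-in block is duplicated verbatim in `sys_mq_timedsend` and `sys_mq_timedreceive`; a small static helper would keep the two in step. Both syscall bodies start and end outside these hunks.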
...@@ -131,14 +131,6 @@ struct audit_aux_data_mq_open { ...@@ -131,14 +131,6 @@ struct audit_aux_data_mq_open {
struct mq_attr attr; struct mq_attr attr;
}; };
struct audit_aux_data_mq_sendrecv {
struct audit_aux_data d;
mqd_t mqdes;
size_t msg_len;
unsigned int msg_prio;
struct timespec abs_timeout;
};
struct audit_aux_data_execve { struct audit_aux_data_execve {
struct audit_aux_data d; struct audit_aux_data d;
int argc; int argc;
...@@ -244,6 +236,12 @@ struct audit_context { ...@@ -244,6 +236,12 @@ struct audit_context {
mqd_t mqdes; mqd_t mqdes;
int sigev_signo; int sigev_signo;
} mq_notify; } mq_notify;
struct {
mqd_t mqdes;
size_t msg_len;
unsigned int msg_prio;
struct timespec abs_timeout;
} mq_sendrecv;
}; };
#if AUDIT_DEBUG #if AUDIT_DEBUG
...@@ -1265,6 +1263,16 @@ static void show_special(struct audit_context *context, int *call_panic) ...@@ -1265,6 +1263,16 @@ static void show_special(struct audit_context *context, int *call_panic)
return; return;
} }
break; } break; }
case AUDIT_MQ_SENDRECV: {
audit_log_format(ab,
"mqdes=%d msg_len=%zd msg_prio=%u "
"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
context->mq_sendrecv.mqdes,
context->mq_sendrecv.msg_len,
context->mq_sendrecv.msg_prio,
context->mq_sendrecv.abs_timeout.tv_sec,
context->mq_sendrecv.abs_timeout.tv_nsec);
break; }
case AUDIT_MQ_NOTIFY: { case AUDIT_MQ_NOTIFY: {
audit_log_format(ab, "mqdes=%d sigev_signo=%d", audit_log_format(ab, "mqdes=%d sigev_signo=%d",
context->mq_notify.mqdes, context->mq_notify.mqdes,
...@@ -1370,15 +1378,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts ...@@ -1370,15 +1378,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
axi->attr.mq_curmsgs); axi->attr.mq_curmsgs);
break; } break; }
case AUDIT_MQ_SENDRECV: {
struct audit_aux_data_mq_sendrecv *axi = (void *)aux;
audit_log_format(ab,
"mqdes=%d msg_len=%zd msg_prio=%u "
"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
axi->mqdes, axi->msg_len, axi->msg_prio,
axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec);
break; }
case AUDIT_EXECVE: { case AUDIT_EXECVE: {
struct audit_aux_data_execve *axi = (void *)aux; struct audit_aux_data_execve *axi = (void *)aux;
audit_log_execve_info(context, &ab, axi); audit_log_execve_info(context, &ab, axi);
...@@ -2171,97 +2170,29 @@ int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) ...@@ -2171,97 +2170,29 @@ int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr)
} }
/** /**
* __audit_mq_timedsend - record audit data for a POSIX MQ timed send * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
* @mqdes: MQ descriptor * @mqdes: MQ descriptor
* @msg_len: Message length * @msg_len: Message length
* @msg_prio: Message priority * @msg_prio: Message priority
* @u_abs_timeout: Message timeout in absolute time * @abs_timeout: Message timeout in absolute time
* *
* Returns 0 for success or NULL context or < 0 on error.
*/ */
int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
const struct timespec __user *u_abs_timeout) const struct timespec *abs_timeout)
{ {
struct audit_aux_data_mq_sendrecv *ax;
struct audit_context *context = current->audit_context; struct audit_context *context = current->audit_context;
struct timespec *p = &context->mq_sendrecv.abs_timeout;
if (!audit_enabled) if (abs_timeout)
return 0; memcpy(p, abs_timeout, sizeof(struct timespec));
else
if (likely(!context)) memset(p, 0, sizeof(struct timespec));
return 0;
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
if (!ax)
return -ENOMEM;
if (u_abs_timeout != NULL) {
if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) {
kfree(ax);
return -EFAULT;
}
} else
memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout));
ax->mqdes = mqdes;
ax->msg_len = msg_len;
ax->msg_prio = msg_prio;
ax->d.type = AUDIT_MQ_SENDRECV;
ax->d.next = context->aux;
context->aux = (void *)ax;
return 0;
}
/**
* __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive
* @mqdes: MQ descriptor
* @msg_len: Message length
* @u_msg_prio: Message priority
* @u_abs_timeout: Message timeout in absolute time
*
* Returns 0 for success or NULL context or < 0 on error.
*/
int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len,
unsigned int __user *u_msg_prio,
const struct timespec __user *u_abs_timeout)
{
struct audit_aux_data_mq_sendrecv *ax;
struct audit_context *context = current->audit_context;
if (!audit_enabled)
return 0;
if (likely(!context))
return 0;
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
if (!ax)
return -ENOMEM;
if (u_msg_prio != NULL) {
if (get_user(ax->msg_prio, u_msg_prio)) {
kfree(ax);
return -EFAULT;
}
} else
ax->msg_prio = 0;
if (u_abs_timeout != NULL) {
if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) {
kfree(ax);
return -EFAULT;
}
} else
memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout));
ax->mqdes = mqdes; context->mq_sendrecv.mqdes = mqdes;
ax->msg_len = msg_len; context->mq_sendrecv.msg_len = msg_len;
context->mq_sendrecv.msg_prio = msg_prio;
ax->d.type = AUDIT_MQ_SENDRECV; context->type = AUDIT_MQ_SENDRECV;
ax->d.next = context->aux;
context->aux = (void *)ax;
return 0;
} }
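Review bot: `__audit_mq_sendrecv` dereferences `current->audit_context` with no NULL check, which is correct only because the inline wrapper calls it solely when `!audit_dummy_context()`; the kerneldoc should state that precondition, e.g. ` * Caller must have checked audit_dummy_context(); context is never NULL here.` The `@msg_prio` line should also say that the receive path passes 0 (see `audit_mq_sendrecv(mqdes, msg_len, 0, p)` in `sys_mq_timedreceive`), so a logged `msg_prio=0` carries no information for receives. In the new `show_special` case, `msg_len` is a `size_t` but is printed with `%zd`; `%zu` matches the type. `memcpy(p, abs_timeout, sizeof(struct timespec))` could be the plain struct assignment `*p = *abs_timeout;`, which the compiler type-checks.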
/** /**