• Richard Guy Briggs's avatar
    lsm: copy comm before calling audit_log to avoid race in string printing · 5deeb5ce
    Richard Guy Briggs authored
    When task->comm is passed directly to audit_log_untrustedstring() without
    getting a copy or using the task_lock, there is a race that could happen that
    would output a NULL (\0) in the middle of the output string that would
    effectively truncate the rest of the report text after the comm= field in the
    audit log message, losing fields.
    
    Using get_task_comm() to get a copy while acquiring the task_lock to prevent
    this and to prevent the result from being a mixture of old and new values of
    comm would incur potentially unacceptable overhead, considering that the value
    can be influenced by userspace and therefore untrusted anyways.
    
    Copy the value before passing it to audit_log_untrustedstring() ensures that a
    local copy is used to calculate the length *and* subsequently printed.  Even if
    this value contains a mix of old and new values, it will only calculate and
    copy up to the first NULL, preventing the rest of the audit log message being
    truncated.
    
    Use a second local copy of comm to avoid a race between the first and second
    calls to audit_log_untrustedstring() with comm.
    Reported-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
    Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
    5deeb5ce
lsm_audit.c 9.52 KB