Sophie: kernel-2.6.18-128.29.1.el5 src

kernel-2.6.18-128.29.1.el5.src.rpm

From: Miloslav Trmač <mitr@redhat.com>
Date: Tue, 16 Sep 2008 11:31:16 +0000
Subject: [audit] fix NUL handling in TTY input auditing
Message-id: 1221564676.2728.38.camel@amilo
O-Subject: [RHEL5.3 PATCH] Fix NUL handling in TTY input auditing
Bugzilla: 462441
RH-Acked-by: Eric Paris <eparis@redhat.com>

bz#462441, a correction to #244135
https://bugzilla.redhat.com/show_bug.cgi?id=462441
https://bugzilla.redhat.com/show_bug.cgi?id=244135

The patch for TTY input auditing submitted for 5.3 does not handle NUL
characters in TTY input (can be created e.g. by pressing Ctrl-2) nor NUL
characters in AUDIT_USER_TTY audit records (which can be sent from
shells and other unconfined processes run by root).  This patch:
     1. Logs all TTY input using the hexadecimal encoding.  The data can
        reasonably contain NUL characters, so it is not a "string" (in
        the C universe).
     2. Modifies audit_n_untrustedstring() to tread NULs in strings as
        untrusted characters, not as terminators.  This affects only
        AUDIT_USER_TTY.
     3. Modifies AUDIT_USER_TTY handler to strip a trailing NUL byte
        sent form user-space, if present.

Tested on i686 in qemu (tried USER_TTY with and without NUL, and
AUDIT_USER_TTY).

Upstream status: Sent upstream, discussed with upstream kernel audit
maintainers, not in the subsystem tree (nor mainline) yet.

diff --git a/drivers/char/tty_audit.c b/drivers/char/tty_audit.c
index 3619cf9..f894b65 100644
--- a/drivers/char/tty_audit.c
+++ b/drivers/char/tty_audit.c
@@ -91,7 +91,7 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
 		get_task_comm(name, tsk);
 		audit_log_untrustedstring(ab, name);
 		audit_log_format(ab, " data=");
-		audit_log_n_untrustedstring(ab, buf->valid, buf->data);
+		audit_log_hex(ab, buf->data, buf->valid);
 		audit_log_end(ab);
 	}
 	buf->valid = 0;
diff --git a/kernel/audit.c b/kernel/audit.c
index d571115..b81717c 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -759,6 +759,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 
 					audit_log_format(ab, " msg=");
 					size = nlmsg_len(nlh);
+					if (size > 0 &&
+					    ((unsigned char *)data)[size - 1] == '\0')
+						size--;
 					audit_log_n_untrustedstring(ab, size,
 								    data);
 				}
@@ -1425,7 +1428,7 @@ void audit_log_n_string(struct audit_buffer *ab, size_t slen,
 int audit_string_contains_control(const char *string, size_t len)
 {
 	const unsigned char *p;
-	for (p = string; p < (const unsigned char *)string + len && *p; p++) {
+	for (p = string; p < (const unsigned char *)string + len; p++) {
 		if (*p == '"' || *p < 0x21 || *p > 0x7f)
 			return 1;
 	}