Re: [RFC PATCH] audit: correctly record file names with different path name types

Tue, 02 Dec 2014 04:23:09 -0800 

On 2014/12/2 5:27, Paul Moore wrote:
> ---
>  kernel/auditsc.c |   14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 21eae3c..ff99c05 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1886,12 +1886,18 @@ void __audit_inode(struct filename *name, const 
> struct dentry *dentry,
>       }
>  
>  out_alloc:
> -     /* unable to find the name from a previous getname(). Allocate a new
> -      * anonymous entry.
> -      */
> -     n = audit_alloc_name(context, AUDIT_TYPE_NORMAL);
> +     /* unable to find an entry with both a matching name and type */
> +     n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
>       if (!n)
>               return;
> +     if (name)
> +             /* since name is not NULL we know there is already a matching
> +              * name record, see audit_getname(), so there must be a type
> +              * mismatch; reuse the string path since the original name
> +              * record will keep the string valid until we free it in
> +              * audit_free_names() */
> +             n->name = name;
> +
>  out:
>       if (parent) {
>               n->name_len = n->name ? parent_len(n->name->name) : 
> AUDIT_NAME_FULL;
> 
> 
> .
> 

Hi Paul,

Thanks for your work~! But I'm sorry to say I've tested this patch with
a kernel 3.10.53 and met a panic while booting. I think it's caused by
this patch.

Could you please take some time to look at this? Did I do something
wrong?


Thanks~!

Hu


INIT: Entering runlevel: 3
Starting OpenBSD Secure Shell server: sshd
done.
Starting audit daemon auditd
[   25.257694] type=1305 audit(1417530900.169:2): audit_pid=1348 old=0 
auid=4294967295 ses=4294967295
[   25.257694]  res=1
Starting domain name service: namedwrote key file "/etc/bind/rndc.key"
.
hwclock: can't open '/dev/misc/rtc': No such file or directory
Starting ntpd: done
Starting syslog-ng:[   25.623155] Unable to handle kernel NULL pointer 
dereference at virtual address 00000001
[   25.631287] pgd = c5a1c000
[   25.633994] [00000001] *pgd=85880831, *pte=00000000, *ppte=00000000
[   25.640295] Internal error: Oops: 17 [#1] SMP ARM
[   25.644993] Modules linked in: ipv6
[   25.648507] CPU: 0 PID: 1375 Comm: syslog-ng Not tainted 3.10.53 #1
[   25.655286] task: ef34ac00 ti: c5ae6000 task.ti: c5ae6000
[   25.660681] PC is at strlen+0xc/0x20
[   25.664264] LR is at audit_compare_dname_path+0x20/0x68
[   25.669484] pc : [<c01906f0>]    lr : [<c007fe30>]    psr: 600f0013
[   25.669484] sp : c5ae7e58  ip : 00000000  fp : ef349c44
[   25.680944] r10: 0000c1ed  r9 : ef26c1a8  r8 : ee74ef0c
[   25.686162] r7 : ee74eee0  r6 : 00000003  r5 : 00000001  r4 : 00000005
[   25.692679] r3 : 00000002  r2 : 00000001  r1 : 00000000  r0 : 00000001
[   25.699198] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   25.706323] Control: 18c53c7d  Table: 85a1c04a  DAC: 00000015
[   25.712061] Process syslog-ng (pid: 1375, stack limit = 0xc5ae6238)
[   25.718319] Stack: (0xc5ae7e58 to 0xc5ae8000)
[   25.722672] 7e40:                                                       
ef349c00 00000000
[   25.730841] 7e60: ef349dd8 ee74eee0 ee74ef0c c0080504 ef26c1a8 00000004 
00000004 ef26c1a8
[   25.739009] 7e80: c5815680 ee74eee0 0000c1ed 00000000 00000001 0000c1ed 
0000000b c00fa2c4
[   25.747178] 7ea0: ef26c1a8 ee74eee0 dd79fc00 c5815680 00000000 ee74eee0 
c581581c c02b6550
[   25.755346] 7ec0: c5bfd015 c5bfd010 00000000 c048e000 ef26c1a8 00000001 
00000002 c5ae6000
[   25.763514] 7ee0: dd9b96d0 ee71ac38 c5ae7f18 eec45800 0000000b 01357070 
0000011a c000e1e4
[   25.771682] 7f00: c5ae6000 00000200 00000000 c022fcf4 00000000 00000000 
642f0001 6c2f7665
[   25.779850] 7f20: 0000676f dd7eb400 ef34ac00 c04a6270 c5ae7f48 c04a6368 
00000001 c0081d14
[   25.788016] 7f40: c5ae7f48 000000c3 ef349c00 ef349c00 00000001 0000011a 
ef349c00 00000001
[   25.796183] 7f60: c5ae7f68 c0082108 547dce14 202fbeff 00000008 c5ae7f88 
c5ae6000 0000011a
[   25.804351] 7f80: 0000011a c001037c 0000000b 01357060 0000000b 01357060 
01357060 00000008
[   25.812520] 7fa0: beaf8a2c c000e1c8 01357060 00000008 00000008 01357070 
0000000b 01357060
[   25.820687] 7fc0: 01357060 00000008 beaf8a2c 0000011a 01350ba8 00000000 
4fa97000 00000000
[   25.828855] 7fe0: b6d8e870 beaf88ec b6f43ee0 b6d8e87c 600f0010 00000008 
af7fd821 af7fdc21
[   25.837031] [<c01906f0>] (strlen+0xc/0x20) from [<c007fe30>] 
(audit_compare_dname_path+0x20/0x68)
[   25.845899] [<c007fe30>] (audit_compare_dname_path+0x20/0x68) from 
[<c0080504>] (__audit_inode_child+0x124/0x26c)
[   25.856153] [<c0080504>] (__audit_inode_child+0x124/0x26c) from [<c00fa2c4>] 
(vfs_mknod+0x138/0x158)
[   25.865285] [<c00fa2c4>] (vfs_mknod+0x138/0x158) from [<c02b6550>] 
(unix_bind+0x114/0x2b8)
[   25.873552] [<c02b6550>] (unix_bind+0x114/0x2b8) from [<c022fcf4>] 
(SyS_bind+0x5c/0x80)
[   25.881556] [<c022fcf4>] (SyS_bind+0x5c/0x80) from [<c000e1c8>] 
(__sys_trace_return+0x0/0x18)
[   25.890072] Code: c02f1948 e1a03000 e1a02003 e2833001 (e5d21000)
[   25.896176] ---[ end trace 2f04133705b763f6 ]---
[   25.900790] Kernel panic - not syncing: Fatal exception

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to