On 2016-06-20 14:50, Pengfei Wang wrote:
> Hello,
>
> I found this Double-Fetch issue in Linux-4.6.1/kernel/auditsc.c when I
> was examining the source code, which I think is a bug.
>
> In function audit_log_single_execve_arg(), the whole argument is
> fetched from user space twice via copy_from_user(). In the first loop,
> it is first fetched (line 1038) to verify it, aka looking for non-ascii
> chars. In the second loop, the whole argument is fetched again
> (line 1105) from user space and used at line 1121 and line 1123
> respectively, depending on the previous verification.
>
> However, a double-fetch problem happens when the fetched user-space
> data is changed by a concurrently running user thread under a race
> condition between the verification and the usage, and the data
> inconsistency will cause serious problems. In this case, the verified
> non-ascii argument from the first loop is likely to be changed to an
> ascii one (i.e. containing ‘ “ ’), which will be used in the second
> loop. Then the argument is passed to audit_log_string() as non-ascii;
> then, moving on to audit_log_n_string() in file audit.c, the string
> is enclosed in quote marks as well. Since the string contains
> another quote mark in the middle, problems will happen when processing
> the string based on the quote mark, e.g. the string will be recognized
> as a shorter one based on the middle quote mark. I believe other
> consequences are also likely to be caused once the non-control string
> is treated as a control string, or vice versa, which is very likely to
> happen under double-fetch situations.
This function is only ever called by __audit_free(), which is only ever
called on failure of task creation or on exit of the task, so in neither
case can anything else change it. I don't think what you describe will
ever happen.

> I am looking forward to a reply to confirm this, thank you!
>
> Kind regards
>
> Pengfei

- RGB

--
Richard Guy Briggs <[email protected]>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
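The pattern under discussion, as an added stand-alone example that is not the kernel's code and not part of the thread: a check-then-use over user memory where the bytes are fetched twice (the shape Pengfei describes) beside the single-fetch form where one private copy is both checked and emitted. The reply above makes the point that at this particular call site no other thread of the task is left to change the buffer, so the example illustrates the general double-fetch hazard and its usual remedy rather than claiming the audit code is exploitable. All names (user_buf, fake_copy_from_user, needs_hex, emit, the race_hook field and the inject_quote writer) are constructed here; needs_hex is a simplified stand-in for the audit code's control-character check, and the "user thread" is simulated by a hook called in the window between the two fetches.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a user-space buffer. race_hook, when set,
 * simulates another user thread rewriting the buffer between two kernel
 * fetches; it is invoked exactly where a real race could land. */
typedef struct {
    char data[32];
    void (*race_hook)(char *data);
} user_buf;

/* Mimics copy_from_user(): the kernel receives a private copy of user bytes. */
static void fake_copy_from_user(char *dst, const user_buf *src, size_t len) {
    memcpy(dst, src->data, len);
}

/* Simplified check (constructed): an argument may be logged as a quoted
 * string only if it contains no quote and no control/non-ASCII byte. */
static bool needs_hex(const char *s, size_t len) {
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c > 0x7e)
            return true;
    }
    return false;
}

/* Emit either a quoted string or a hex encoding (constructed, mirrors the
 * two audit output forms only in spirit). */
static void emit(char *out, size_t outsz, const char *s, size_t len, bool hex) {
    if (!hex) {
        snprintf(out, outsz, "\"%.*s\"", (int)len, s);
        return;
    }
    size_t pos = 0;
    for (size_t i = 0; i < len && pos + 3 < outsz; i++)
        pos += (size_t)snprintf(out + pos, outsz - pos, "%02X", (unsigned char)s[i]);
}

/* Double-fetch shape: the check runs on one copy, the output on another. */
static void log_arg_double_fetch(user_buf *ub, size_t len, char *out, size_t outsz) {
    char check_copy[32], use_copy[32];
    fake_copy_from_user(check_copy, ub, len);
    bool hex = needs_hex(check_copy, len);
    if (ub->race_hook) ub->race_hook(ub->data);   /* simulated writer in the window */
    fake_copy_from_user(use_copy, ub, len);       /* second fetch: may differ */
    emit(out, outsz, use_copy, len, hex);
}

/* Single-fetch shape: one private copy is both checked and emitted, so a
 * writer in the same window cannot desynchronise check and use. */
static void log_arg_single_fetch(user_buf *ub, size_t len, char *out, size_t outsz) {
    char copy[32];
    fake_copy_from_user(copy, ub, len);
    if (ub->race_hook) ub->race_hook(ub->data);   /* same window, now harmless */
    emit(out, outsz, copy, len, needs_hex(copy, len));
}

/* A record is well-formed if it is hex, or a quoted string whose body has
 * no embedded quote (an embedded quote would truncate the field for a parser). */
static bool record_well_formed(const char *rec) {
    size_t n = strlen(rec);
    if (n == 0) return false;
    if (rec[0] != '"') return true;               /* hex form */
    if (n < 2 || rec[n - 1] != '"') return false;
    return memchr(rec + 1, '"', n - 2) == NULL;
}

/* Constructed writer: swaps a clean argument for one containing a quote. */
static void inject_quote(char *data) { data[1] = '"'; }

/* Constructed sample input "abcd", optionally with the racing writer armed. */
static void make_buf(user_buf *ub, bool racy) {
    memset(ub, 0, sizeof *ub);
    memcpy(ub->data, "abcd", 4);
    ub->race_hook = racy ? inject_quote : NULL;
}

int main(void) {
    user_buf ub;
    char rec[64];
    make_buf(&ub, true);
    log_arg_double_fetch(&ub, 4, rec, sizeof rec);
    printf("double fetch: %s (%s)\n", rec, record_well_formed(rec) ? "ok" : "BROKEN");
    make_buf(&ub, true);
    log_arg_single_fetch(&ub, 4, rec, sizeof rec);
    printf("single fetch: %s (%s)\n", rec, record_well_formed(rec) ? "ok" : "BROKEN");
    return 0;
}
```

With the writer armed, the double-fetch path classifies "abcd" as clean and then quotes the later copy, producing a record with a quote in the middle of a quoted field; the single-fetch path emits the same copy it checked, so its record stays well-formed. The remedy is the general one for this class of bug: copy user data into kernel memory once and never re-read the user pointer after validation.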
