> 在 2016年6月20日,下午8:18,Oleg Nesterov <[email protected]> 写道:
>
> Not that I understand this report, but
>
> On 06/20, Richard Guy Briggs wrote:
>>
>> This function is only ever called by __audit_free(), which is only ever
>> called on failure of task creation or on exit of the task, so in neither
>> case can anything else change it.
>
> How so?
>
> Another thread or CLONE_VM task or /proc/pid/mem can change the user-space
> memory in parallel.
>
> Oleg.
Exactly, by saying “change the data”, I mean the modification from malicious
users with crafted operations on the user space memory directly, rather than
the normal operations within the audit subsystem in Linux. Moreover, since the
copy operations from the user space are not protected by any locks or
synchronization primitives, changing the data under race condition is feasible
I think. Besides, there isn’t any visible checking step in the code to
guarantee the consistency between the two copy operations.
Here I would like to figure out what the consequences really are once the data
is changed between the two copy operations, such as changing a none-control
string to a control string but process it as a none-control string that has no
control chars. I think problems will happen.
Pengfei
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
