audit: fix two bugs in the new execve audit code
authorPeter Zijlstra <a.p.zijlstra@chello.nl>
Fri, 27 Jul 2007 22:55:18 +0000 (00:55 +0200)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Sun, 29 Jul 2007 02:42:22 +0000 (19:42 -0700)
copy_from_user() returns the number of bytes not copied, hence 0 is the
expected output.

axi->mm might not be valid anymore when not equal to current->mm, do not
dereference before checking that - thanks to Al for spotting that.

Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Tested-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/auditsc.c

index bde1124d590891d42f4fced9ecf0f15a80fe8297..a777d376141696dc7bc779b5ecc0d2bb58a6961c 100644 (file)
@@ -824,12 +824,14 @@ static void audit_log_execve_info(struct audit_buffer *ab,
 {
        int i;
        long len, ret;
-       const char __user *p = (const char __user *)axi->mm->arg_start;
+       const char __user *p;
        char *buf;
 
        if (axi->mm != current->mm)
                return; /* execve failed, no additional info */
 
+       p = (const char __user *)axi->mm->arg_start;
+
        for (i = 0; i < axi->argc; i++, p += len) {
                len = strnlen_user(p, MAX_ARG_STRLEN);
                /*
@@ -855,7 +857,7 @@ static void audit_log_execve_info(struct audit_buffer *ab,
                 * copied them here, and the mm hasn't been exposed to user-
                 * space yet.
                 */
-               if (!ret) {
+               if (ret) {
                        WARN_ON(1);
                        send_sig(SIGKILL, current, 0);
                }