AUDIT: Avoid log pollution by untrusted strings.
author <dwmw2@shinybook.infradead.org> <>
Fri, 29 Apr 2005 14:54:44 +0000 (15:54 +0100)
committer <dwmw2@shinybook.infradead.org> <>
Fri, 29 Apr 2005 14:54:44 +0000 (15:54 +0100)
We log strings from userspace, such as arguments to open(). These could
be formatted to contain \n followed by fake audit log entries. Provide
a function for logging such strings, which gives a hex dump when the
string contains anything but basic printable ASCII characters. Use it
for logging filenames.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
include/linux/audit.h
kernel/audit.c
kernel/auditsc.c

index 3628f7cfb1789c16ff9e5f6d20e76e9b6d69672e..9b77992c48887fcdd64d3f08164ba8484afc9180 100644 (file)
@@ -174,11 +174,15 @@ extern void                   audit_log_format(struct audit_buffer *ab,
                                             const char *fmt, ...)
                            __attribute__((format(printf,2,3)));
 extern void                audit_log_end(struct audit_buffer *ab);
+extern void                audit_log_hex(struct audit_buffer *ab,
+                                         const unsigned char *buf,
+                                         size_t len);
+extern void                audit_log_untrustedstring(struct audit_buffer *ab,
+                                                     const char *string);
 extern void                audit_log_d_path(struct audit_buffer *ab,
                                             const char *prefix,
                                             struct dentry *dentry,
                                             struct vfsmount *vfsmnt);
-
                                /* Private API (for auditsc.c only) */
 extern void                audit_send_reply(int pid, int seq, int type,
                                             int done, int multi,
@@ -190,6 +194,8 @@ extern void             audit_log_lost(const char *message);
 #define audit_log_vformat(b,f,a) do { ; } while (0)
 #define audit_log_format(b,f,...) do { ; } while (0)
 #define audit_log_end(b) do { ; } while (0)
+#define audit_log_hex(a,b,l) do { ; } while (0)
+#define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b,p,d,v) do { ; } while (0)
 #endif
 #endif
index 0f84dd7af2c8d016a6992cf9388289399309b57f..dca7b99615d2fa8f8ef93c0c1720ae44645484a5 100644 (file)
@@ -720,6 +720,29 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
        va_end(args);
 }
 
+void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
+{
+       int i;
+
+       for (i=0; i<len; i++)
+               audit_log_format(ab, "%02x", buf[i]);
+}
+
+void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+{
+       const char *p = string;
+
+       while (*p) {
+               if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
+                       audit_log_hex(ab, string, strlen(string));
+                       return;
+               }
+               p++;
+       }
+       audit_log_format(ab, "\"%s\"", string);
+}
+
+
 /* This is a helper-function to print the d_path without using a static
  * buffer or allocating another buffer in addition to the one in
  * audit_buffer. */
index 6f1931381bc9eae1ff454c943036c5b077c4a8a6..00e87ffff13baa51b17e7074610930da1c62f959 100644 (file)
@@ -696,9 +696,10 @@ static void audit_log_exit(struct audit_context *context)
                if (!ab)
                        continue; /* audit_panic has been called */
                audit_log_format(ab, "item=%d", i);
-               if (context->names[i].name)
-                       audit_log_format(ab, " name=%s",
-                                        context->names[i].name);
+               if (context->names[i].name) {
+                       audit_log_format(ab, " name=");
+                       audit_log_untrustedstring(ab, context->names[i].name);
+               }
                if (context->names[i].ino != (unsigned long)-1)
                        audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
                                             " uid=%d gid=%d rdev=%02x:%02x",