From 9eab339b197a6903043d272295dcb716ff739b21 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Sat, 15 Mar 2014 18:42:34 -0400 Subject: [PATCH] audit: get comm using lock to avoid race in string printing When task->comm is passed directly to audit_log_untrustedstring() without getting a copy or using the task_lock, there is a race that could happen that would output a NULL (\0) in the output string that would effectively truncate the rest of the report text after the comm= field in the audit, losing fields. Use get_task_comm() to get a copy while acquiring the task_lock to prevent this and to prevent the result from being a mixture of old and new values of comm. Signed-off-by: Tetsuo Handa Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 5 ++--- kernel/auditsc.c | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 3a80abb6eaa1..53bb39bf79e2 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1850,7 +1850,7 @@ EXPORT_SYMBOL(audit_log_task_context); void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { const struct cred *cred; - char name[sizeof(tsk->comm)]; + char comm[sizeof(tsk->comm)]; struct mm_struct *mm = tsk->mm; char *tty; @@ -1884,9 +1884,8 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) from_kgid(&init_user_ns, cred->fsgid), tty, audit_get_sessionid(tsk)); - get_task_comm(name, tsk); audit_log_format(ab, " comm="); - audit_log_untrustedstring(ab, name); + audit_log_untrustedstring(ab, get_task_comm(comm, tsk)); if (mm) { down_read(&mm->mmap_sem); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 63a74a703c97..89335723fb2a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2424,6 +2424,7 @@ static void audit_log_task(struct audit_buffer *ab) kgid_t gid; unsigned int sessionid; struct mm_struct *mm = current->mm; + char comm[sizeof(current->comm)]; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2436,7 +2437,7 @@ static void audit_log_task(struct audit_buffer *ab) sessionid); audit_log_task_context(ab); audit_log_format(ab, " pid=%d comm=", task_pid_nr(current)); - audit_log_untrustedstring(ab, current->comm); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); if (mm) { down_read(&mm->mmap_sem); if (mm->exe_file) -- 2.20.1