• Vesa-Matti J Kari's avatar
    kernel/audit.c control character detection is off-by-one · 1d6c9649
    Vesa-Matti J Kari authored
    Hello,
    
    According to my understanding there is an off-by-one bug in the
    function:
    
       audit_string_contains_control()
    
    in:
    
      kernel/audit.c
    
    Patch is included.
    
    I do not know from how many places the function is called from, but for
    example, SELinux Access Vector Cache tries to log untrusted filenames via
    call path:
    
    avc_audit()
         audit_log_untrustedstring()
             audit_log_n_untrustedstring()
                 audit_string_contains_control()
    
    If audit_string_contains_control() detects control characters, then the
    string is hex-encoded. But the hex=0x7f dec=127, DEL-character, is not
    detected.
    
    I guess this could have at least some minor security implications, since a
    user can create a filename with 0x7f in it, causing logged filename to
    possibly look different when someone reads it on the terminal.
    Signed-off-by: default avatarVesa-Matti Kari <vmkari@cc.helsinki.fi>
    Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
    1d6c9649
audit.c 39.4 KB