Commit 20114f71 authored by Al Viro's avatar Al Viro
Browse files

sanitize audit_mq_notify() 



* don't copy_from_user() twice
* don't bother with allocations
* don't duplicate parts of audit_dummy_context()
* make it return void

Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 7392906e

include/linux/audit.h

+4 −5
Original line number Diff line number Diff line
@@ -453,7 +453,7 @@ extern int audit_set_macxattr(const char *name); 
extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr);

extern int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout);

extern int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned int __user *u_msg_prio, const struct timespec __user *u_abs_timeout);

extern int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification);

extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);

extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);

extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,

				  const struct cred *new,
@@ -494,11 +494,10 @@ static inline int audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, unsigned in 
		return __audit_mq_timedreceive(mqdes, msg_len, u_msg_prio, u_abs_timeout);

	return 0;

}

static inline int audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)

static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)

{

	if (unlikely(!audit_dummy_context()))

		return __audit_mq_notify(mqdes, u_notification);

	return 0;

		__audit_mq_notify(mqdes, notification);

}

static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)

{
@@ -553,7 +552,7 @@ extern int audit_signals; 
#define audit_mq_open(o,m,a) ({ 0; })

#define audit_mq_timedsend(d,l,p,t) ({ 0; })

#define audit_mq_timedreceive(d,l,p,t) ({ 0; })

#define audit_mq_notify(d,n) ({ 0; })

#define audit_mq_notify(d,n) ((void)0)

#define audit_mq_getsetattr(d,s) ((void)0)

#define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; })

#define audit_log_capset(pid, ncr, ocr) ({ 0; })

ipc/mqueue.c

+7 −7
Original line number Diff line number Diff line
@@ -1003,17 +1003,17 @@ asmlinkage long sys_mq_notify(mqd_t mqdes, 
	struct mqueue_inode_info *info;

	struct sk_buff *nc;



	ret = audit_mq_notify(mqdes, u_notification);

	if (ret != 0)

		return ret;



	nc = NULL;

	sock = NULL;

	if (u_notification != NULL) {

	if (u_notification) {

		if (copy_from_user(&notification, u_notification,

					sizeof(struct sigevent)))

			return -EFAULT;

	}



	audit_mq_notify(mqdes, u_notification ? &notification : NULL);



	nc = NULL;

	sock = NULL;

	if (u_notification != NULL) {

		if (unlikely(notification.sigev_notify != SIGEV_NONE &&

			     notification.sigev_notify != SIGEV_SIGNAL &&

			     notification.sigev_notify != SIGEV_THREAD))

kernel/auditsc.c

+16 −40
Original line number Diff line number Diff line
@@ -139,12 +139,6 @@ struct audit_aux_data_mq_sendrecv { 
	struct timespec		abs_timeout;

};



struct audit_aux_data_mq_notify {

	struct audit_aux_data	d;

	mqd_t			mqdes;

	struct sigevent 	notification;

};



struct audit_aux_data_execve {

	struct audit_aux_data	d;

	int argc;
@@ -246,6 +240,10 @@ struct audit_context { 
			mqd_t			mqdes;

			struct mq_attr 		mqstat;

		} mq_getsetattr;

		struct {

			mqd_t			mqdes;

			int			sigev_signo;

		} mq_notify;

	};



#if AUDIT_DEBUG
@@ -1267,6 +1265,11 @@ static void show_special(struct audit_context *context, int *call_panic) 
				return;

		}

		break; }

	case AUDIT_MQ_NOTIFY: {

		audit_log_format(ab, "mqdes=%d sigev_signo=%d",

				context->mq_notify.mqdes,

				context->mq_notify.sigev_signo);

		break; }

	case AUDIT_MQ_GETSETATTR: {

		struct mq_attr *attr = &context->mq_getsetattr.mqstat;

		audit_log_format(ab,
@@ -1376,14 +1379,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts 
				axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec);

			break; }



		case AUDIT_MQ_NOTIFY: {

			struct audit_aux_data_mq_notify *axi = (void *)aux;

			audit_log_format(ab,

				"mqdes=%d sigev_signo=%d",

				axi->mqdes,

				axi->notification.sigev_signo);

			break; }



		case AUDIT_EXECVE: {

			struct audit_aux_data_execve *axi = (void *)aux;

			audit_log_execve_info(context, &ab, axi);
@@ -2274,38 +2269,19 @@ int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 
 * @mqdes: MQ descriptor

 * @u_notification: Notification event

 *

 * Returns 0 for success or NULL context or < 0 on error.

 */



int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)

void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)

{

	struct audit_aux_data_mq_notify *ax;

	struct audit_context *context = current->audit_context;



	if (!audit_enabled)

		return 0;



	if (likely(!context))

		return 0;



	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);

	if (!ax)

		return -ENOMEM;



	if (u_notification != NULL) {

		if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) {

			kfree(ax);

			return -EFAULT;

		}

	} else

		memset(&ax->notification, 0, sizeof(ax->notification));



	ax->mqdes = mqdes;

	if (notification)

		context->mq_notify.sigev_signo = notification->sigev_signo;

	else

		context->mq_notify.sigev_signo = 0;



	ax->d.type = AUDIT_MQ_NOTIFY;

	ax->d.next = context->aux;

	context->aux = (void *)ax;

	return 0;

	context->mq_notify.mqdes = mqdes;

	context->type = AUDIT_MQ_NOTIFY;

}



/**