lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <6c97e8eec7aee6bade82dd0c7933908098846a90.1465934130.git.rgb@redhat.com>
Date:	Tue, 14 Jun 2016 17:03:36 -0400
From:	Richard Guy Briggs <rgb@...hat.com>
To:	linux-audit@...hat.com, linux-kernel@...r.kernel.org
Cc:	Richard Guy Briggs <rgb@...hat.com>, sgrubb@...hat.com,
	pmoore@...hat.com, eparis@...hat.com
Subject: [PATCH] audit: catch errors from audit_filter_rules field checks

In the case of an error returned from a field check in an audit filter
syscall rule, it is treated as a match and the rule action is honoured.

This could cause a rule with a default of NEVER and an selinux field
check error to avoid logging.

Recommend matching with an action of ALWAYS to catch malicious abuse of
this bug.  The downside of this approach is it could DoS the audit
subsystem.

Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
---
 kernel/auditsc.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 71e14d8..6123672 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
 		}
 		if (!result)
 			return 0;
+		if (result < 0) {
+			*state = AUDIT_RECORD_CONTEXT;
+			return 1;
+		}
 	}
 
 	if (ctx) {
-- 
1.7.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ