From: Peter Zijlstra Date: Fri, 27 Jul 2007 22:55:18 +0000 (+0200) Subject: audit: fix two bugs in the new execve audit code X-Git-Tag: v2.6.23-rc2~174 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=040b3a2df2dd26c3e401823f3b0ce3fe99e966c5;p=linux-2.6 audit: fix two bugs in the new execve audit code copy_from_user() returns the number of bytes not copied, hence 0 is the expected output. axi->mm might not be valid anymore when not equal to current->mm, do not dereference before checking that - thanks to Al for spotting that. Signed-off-by: Peter Zijlstra Tested-by: Steve Grubb Signed-off-by: Linus Torvalds --- diff --git a/kernel/auditsc.c b/kernel/auditsc.c index bde1124d59..a777d37614 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -824,12 +824,14 @@ static void audit_log_execve_info(struct audit_buffer *ab, { int i; long len, ret; - const char __user *p = (const char __user *)axi->mm->arg_start; + const char __user *p; char *buf; if (axi->mm != current->mm) return; /* execve failed, no additional info */ + p = (const char __user *)axi->mm->arg_start; + for (i = 0; i < axi->argc; i++, p += len) { len = strnlen_user(p, MAX_ARG_STRLEN); /* @@ -855,7 +857,7 @@ static void audit_log_execve_info(struct audit_buffer *ab, * copied them here, and the mm hasn't been exposed to user- * space yet. */ - if (!ret) { + if (ret) { WARN_ON(1); send_sig(SIGKILL, current, 0); }
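Review bot: In the first hunk (@@ -824,12 +824,14), the now-separate assignment `p = (const char __user *)axi->mm->arg_start;` has no comment saying why it must sit below the `axi->mm != current->mm` check, so a later cleanup could fold it back into the declaration and bring back the dereference of a possibly stale mm. Consider extending the comment on the early return to say that axi->mm may no longer be valid when it differs from current->mm, and that it may only be compared, not dereferenced, before that check has passed.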
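Review bot: In the second hunk (@@ -855,7 +857,7), the corrected test `if (ret)` gives no hint at the call site of what ret holds, which makes an inverted test like the removed `if (!ret)` easy to write again. A one-line comment that copy_from_user() returns the number of bytes not copied, placed next to the existing comment about the mm not yet being exposed to user-space, would document the expected value of 0. Separately, the visible lines stop at the closing brace after `send_sig(SIGKILL, current, 0);`, so it is worth confirming that the code after this block does not go on to log buf when the copy was incomplete.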