Bug 438840
| Summary: | buffer overflow in audit_log_user_command | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joe Nall <joe> |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | CC: | mitr, pvrabec |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 1.6.8-4.fc8 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-04-09 05:20:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 440275 | | |
Description
Joe Nall
2008-03-25 15:28:00 UTC
Sudo was recently updated to log actions run. It looks like the number of args exceeded what was expected.

I'll add the fix in a new version of audit that I'm working on right now.

audit-1.7 was built into rawhide today with a fix for the above problem. This should take care of it. Thanks for reporting the bug.

Reopening. No traceback this time, but same result with audit 1.7:

```
[joe@rawhide src2]$ rpm -q audit
audit-1.7-1.fc9.i386
[joe@rawhide src2]$ rpm -q audit-libs
audit-libs-1.7-1.fc9.i386
Segmentation fault sudo yum -c repos/build-yum.conf $NETOPTS localinstall
${sysdir}/BUILD/repo/*rpm
[joe@rawhide src2]$ ls Linux_i386/BUILD/repo/*rpm | wc -l
206
```
Peter,
Would you mind trying to reproduce this with rawhide sudo and see if the current
problem is in libaudit or sudo? My test program shows the library is working.
Thanks.
```c
#include <stdio.h>      /* printf() */
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <libaudit.h>

#define SIZE 10000      /* deliberately larger than PATH_MAX */

int main(void)
{
    int fd, rc;
    char *cmd;

    if ((fd = audit_open()) < 0) {
        printf("failed opening\n");
        return 1;
    }

    /* Build a SIZE-1 character command made of 'A's and log it. */
    cmd = malloc(SIZE);
    memset(cmd, 'A', SIZE);
    cmd[SIZE-1] = 0;
    printf("sending: %s\n", cmd);
    rc = audit_log_user_command(fd, AUDIT_USER, cmd, NULL, 1);
    close(fd);
    printf("rc=%d\n", rc);
    free(cmd);
    return 0;
}
```
After reading Steve's comment, I tried the following:

```
sudo echo `dd if=/dev/urandom bs=1024 count=5` >/tmp/foo
```

count=5 dies, count=4 doesn't.

```
echo `dd if=/dev/urandom bs=1024 count=20` >/tmp/foo
```

does not die, so echo is not to blame.

> len = strlen(cmd);
> // Trim the trailing carriage return and spaces
> while (len && (cmd[len-1] == 0x0A || cmd[len-1] == ' ')) {
>     cmd[len-1] = 0;
>     len--;
> }
> p = cmd;
> strncpy(commname, cmd, PATH_MAX);
> commname[PATH_MAX] = 0;

len is still strlen(cmd), not strlen(commname) here.

> while (*p) {
>     if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
>         _audit_c2x(commname, cmd, len);

If this triggers, it uses 2*len + 1 bytes.

* if the original cmd is larger than PAGE_SIZE, this can overflow by an unlimited length
* even if strlen(cmd) <= PAGE_SIZE, commname is one byte too small.

thnx.

Miloslav, I have just found the space in the message is the problem. :)

Ok, audit-1.7-2 was built to solve this problem. I modified the above test script to add a space at character 10 and it segfaults. It's not crashing with the new library. It should be in tomorrow's push.

audit-1.7-2 fixes the problem for me. Both the original issue and the test case.

Closing based on test feedback. Thanks Joe for reporting this problem!

audit-1.6.8-4.fc8 has been submitted as an update for Fedora 8.

audit-1.6.8-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
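The defect Miloslav describes, as an added example that is not libaudit's code: the encoder's length must come from the truncated copy, not the original command, and the destination must be checked against the 2*len + 1 bytes hex encoding needs. COMM_MAX is a constructed stand-in for PATH_MAX, kept small so the truncation edge is easy to exercise.

```c
/* Added example modelled on the snippet quoted above; not libaudit's own code.
 * The length passed to the hex encoder is that of the truncated copy, and the
 * output buffer is checked against the 2*len + 1 bytes the encoding needs. */
#include <string.h>

#define COMM_MAX 16     /* constructed stand-in for PATH_MAX */

/* Returns 1 if any byte needs escaping (quote, control char, non-ASCII). */
static int needs_hex(const char *s)
{
    for (; *s; s++)
        if (*s == '"' || (unsigned char)*s < 0x21 || (unsigned char)*s > 0x7f)
            return 1;
    return 0;
}

/* Hex-encode len bytes of src into dst; dst must hold 2*len + 1 bytes. */
static void to_hex(char *dst, const char *src, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    for (size_t i = 0; i < len; i++) {
        dst[2*i]     = hex[((unsigned char)src[i]) >> 4];
        dst[2*i + 1] = hex[src[i] & 0x0F];
    }
    dst[2*len] = '\0';
}

/* Build the command field to log into out (out_size bytes).
 * Returns 0 on success, -1 if the encoded command would not fit. */
int cmd_to_hex_safe(char *out, size_t out_size, const char *cmd)
{
    char commname[COMM_MAX + 1];
    size_t len;

    /* Truncate into the fixed buffer first, then measure the copy. */
    strncpy(commname, cmd, COMM_MAX);
    commname[COMM_MAX] = '\0';
    len = strlen(commname);          /* not strlen(cmd): that was the bug */

    if (!needs_hex(commname)) {
        if (len + 1 > out_size) return -1;
        memcpy(out, commname, len + 1);
        return 0;
    }
    /* Hex form needs 2*len + 1 bytes; refuse rather than overflow. */
    if (2 * len + 1 > out_size) return -1;
    to_hex(out, commname, len);
    return 0;
}
```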