Bug 459499 - proc_loginuid_write() uses simple_strtoul() on non-terminated array
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
All Linux
Priority: medium, Severity: low
Assigned To: Cong Wang
Evan McNabb
Reported: 2008-08-19 10:23 EDT by R. Keyes
Modified: 2013-09-29 22:08 EDT (History)
Doc Type: Bug Fix
Last Closed: 2011-02-16 10:56:26 EST

Attachments
Source code to demonstrate the issue (242 bytes, application/octet-stream)
2008-08-19 10:23 EDT, R. Keyes

Description R. Keyes 2008-08-19 10:23:14 EDT
Created attachment 314547
Source code to demonstrate the issue

Description of problem:
Current RHEL kernel sources (2.6.9-78.0.1 at the time of this writing) have the earlier backported patch from 2.6.10 which allows the loginuid to be handled in proc. However, they do not have the patch from 2.6.17-rc5 that fixes the use of a non-terminated array in the proc_loginuid_write function. As such, multiple repeated calls to the proc_loginuid_write code can result in an invalid auid being assigned to the user.

Version-Release number of selected component (if applicable):

How reproducible:
Can take some time but repeatedly calling the affected code will eventually cause it (few minutes to an hour on my tested machines).

Steps to Reproduce:
1. Compile the attached C program with "-laudit" options
2. Run the compiled program as root and wait

Actual results:
Depends on what is in the kernel buffer.

Expected results:
Should always set it to what we called it with.

Additional info:
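
The failure mode in this report, reproduced as a userspace model. This is an added example, not the attached reproducer and not kernel source: `page`, `fill_stale`, `parse_unterminated` and `parse_terminated` are hypothetical names, `strtoul`/`memcpy` stand in for `simple_strtoul`/`copy_from_user`, and the stale buffer contents are constructed. The terminated variant shows the usual remedy for this pattern, not the text of the upstream commit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 64   /* stand-in for PAGE_SIZE; small for the demo */

/* Stand-in for a page from the allocator: it is not zeroed, so it still
 * holds bytes from a previous user (constructed stale data). The extra
 * final byte stays NUL only so this demo never reads out of bounds. */
static char page[PAGE_SZ + 1];

static void fill_stale(const char *old)
{
    memset(page, 0, sizeof(page));
    memcpy(page, old, strlen(old));
}

/* Pattern from the report: copy count bytes, parse with no terminator. */
static unsigned long parse_unterminated(const char *buf, size_t count)
{
    if (count > PAGE_SZ)
        count = PAGE_SZ;
    memcpy(page, buf, count);            /* models copy_from_user() */
    return strtoul(page, NULL, 10);      /* models simple_strtoul() */
}

/* Hardened: leave room for, and write, the terminator before parsing. */
static unsigned long parse_terminated(const char *buf, size_t count)
{
    if (count >= PAGE_SZ)
        count = PAGE_SZ - 1;
    memcpy(page, buf, count);
    page[count] = '\0';
    return strtoul(page, NULL, 10);
}

int main(void)
{
    fill_stale("4294967");               /* leftover digits in the page */
    printf("unterminated: %lu\n", parse_unterminated("500", 3));
    fill_stale("4294967");
    printf("terminated:   %lu\n", parse_terminated("500", 3));
    return 0;
}
```

Whether the unterminated parse goes wrong depends on the bytes that follow the copied input, which matches the intermittent reproduction described in the report.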
Comment 1 Oleg Nesterov 2009-07-01 02:31:17 EDT
I think you are right, we need the unchanged upstream
e0182909297da8d38a5d473ae7bee3d0324632a1 commit.
Comment 2 RHEL Product and Program Management 2009-07-13 09:23:47 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 3 Vivek Goyal 2009-07-14 14:51:15 EDT
Committed in 89.6.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 10 errata-xmlrpc 2011-02-16 10:56:26 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

