BUG: fix double fetch in audit_log_single_execve_arg()

[pcmoore]

See the mailing list thread below for information:

• https://www.redhat.com/archives/linux-audit/2016-June/msg00029.html

Taken from the original report:

In function audit_log_single_execve_arg(), the whole argument is fetched from user space twice via copy_from_user(). In the first loop, it is firstly fetched (line 1038) to verify, aka looking for non-ascii chars. While in the second loop, the whole argument is fetched again (line 1105) from user space and used at line 1121 and line 1123 respectively depends on the previous verification.

[pcmoore]

Looking at this a bit more, we should be doing a strncpy_from_user() at the top of audit_log_single_execve_arg() and the operating only from that copied buffer. In addition to resolving this issue, it should simplify the code quite a bit.

[pcmoore]

It turns out there are a number of problems with the existing code in audit_log_single_execve_arg(), more than I care to mention here. I'm working on a patch and will update this issue tracker when I have something significant to report.

[pcmoore]

Quick update: I have a patch which rewrites audit_log_single_execve_arg() to remove the double fetch and fix all the other problems I've found, but it needs some testing to make sure all the corner cases are covered properly.

[pcmoore]

Issue tracker for the necessary test: https://github.com/linux-audit/audit-testsuite/issues/25

[pcmoore]

Initial draft fix: https://gist.github.com/pcmoore/5f259b644ca923d1634d87747a2d2cdb

UPDATE: see below for the proper, tested fix

[pcmoore]

Patch posted upstream: https://www.redhat.com/archives/linux-audit/2016-July/msg00120.html

[pcmoore]

A test kernel for Fedora Rawhide can be found here:

• https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-testing/build/394059
• https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-secnext/build/402631

[pcmoore]

Merged to audit#next via 43761473c254b45883a64441dd0bc85a42f3645c.