| Summary: | Incorrect logical operator while verifying the feasibility of setting auditpipe queue limit | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Aniket Pandey <aniketp> |
| Component: | kern | Assignee: | Andriy Gapon <avg> |
| Status: | Closed FIXED | ||
| Severity: | Affects Some People | CC: | aniketp, asomers, cem |
| Priority: | --- | ||
| Version: | CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
A commit references this bug:

Author: avg
Date: Mon Jul 23 16:56:49 UTC 2018
New revision: 336641
URL: https://svnweb.freebsd.org/changeset/base/336641

Log:
  fix incorrect operator in the AUDITPIPE_SET_QLIMIT bounds check

  PR: 229983
  Submitted by: Aniket Pandey <aniketp@iitk.ac.in>
  Reported by: Aniket Pandey <aniketp@iitk.ac.in>
  MFC after: 1 week

Changes:
  head/sys/security/audit/audit_pipe.c

A commit references this bug:

Author: avg
Date: Thu Dec 6 13:32:52 UTC 2018
New revision: 341633
URL: https://svnweb.freebsd.org/changeset/base/341633

Log:
  MFC r336641: fix incorrect operator in the AUDITPIPE_SET_QLIMIT bounds check

  PR: 229983

Changes:
  _U stable/10/
  stable/10/sys/security/audit/audit_pipe.c
The logical operator which verifies that the desired limit of auditpipe queue length to be set is between QLIMIT_MIN and QLIMIT_MAX is wrong.

```c
case AUDITPIPE_SET_QLIMIT:
	/* Lockless integer write. */
	if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
	    *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
```

should be

```c
case AUDITPIPE_SET_QLIMIT:
	/* Lockless integer write. */
	if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN &&
	    *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
```

Steps to reproduce the bug: (On 12-CURRENT)

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <security/audit/audit_ioctl.h>

int main(void)
{
	int fd = open("/dev/auditpipe", O_RDWR);
	if (fd < 0) {
		perror("auditpipe");
		return 1;
	}

	int qlimit_min;
	/* Read the smallest queue limit the kernel claims to accept. */
	ioctl(fd, AUDITPIPE_GET_QLIMIT_MIN, &qlimit_min);
	qlimit_min -= 5; /* Not allowed since it is less than QLIMIT_MIN */
	/* Should fail, but the faulty bounds check accepts the value. */
	ioctl(fd, AUDITPIPE_SET_QLIMIT, &qlimit_min);
	perror("set qlimit");
	close(fd);
	return 0;
}
```

Output: "set qlimit: No error: 0"
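
A userland model of the bounds check described in this report, added here as an illustration and not taken from the FreeBSD source. The bound values, the `EINVAL` return and the `pipe_model` struct are assumptions; the probe list includes the reproducer's "minimum minus 5" arithmetic, which goes negative and is reinterpreted as a large `u_int`.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Assumed bounds for this model; the real ones are defined in audit_pipe.c. */
#define QLIMIT_MIN 1u
#define QLIMIT_MAX 1024u

struct pipe_model { unsigned int qlimit; };	/* hypothetical stand-in for the pipe state */

/* Pre-fix check: with MIN <= MAX, (v >= MIN || v <= MAX) holds for every v. */
static int set_qlimit_buggy(struct pipe_model *p, unsigned int v)
{
	if (v >= QLIMIT_MIN || v <= QLIMIT_MAX) {
		p->qlimit = v;
		return 0;
	}
	return EINVAL;	/* unreachable in practice */
}

/* Post-fix check: both bounds must hold before the value is stored. */
static int set_qlimit_fixed(struct pipe_model *p, unsigned int v)
{
	if (v >= QLIMIT_MIN && v <= QLIMIT_MAX) {
		p->qlimit = v;
		return 0;
	}
	return EINVAL;
}

/* Run boundary probes through a handler and count how many it rejects. */
static int count_rejected(int (*set)(struct pipe_model *, unsigned int))
{
	int below = (int)QLIMIT_MIN - 5;	/* reproducer's arithmetic: -4 */
	unsigned int probes[] = { 0u, (unsigned int)below, QLIMIT_MIN, 128u,
	    QLIMIT_MAX, QLIMIT_MAX + 1u, UINT_MAX };
	struct pipe_model p = { 128u };
	int rejected = 0;

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		if (set(&p, probes[i]) != 0)
			rejected++;
	return rejected;
}

int main(void)
{
	printf("buggy rejects %d of 7 probes\n", count_rejected(set_qlimit_buggy));
	printf("fixed rejects %d of 7 probes\n", count_rejected(set_qlimit_fixed));
	return 0;
}
```
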