Bug 229983 - Incorrect logical operator while verifying the feasibility of setting auditpipe queue limit
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Andriy Gapon
Reported: 2018-07-23 16:20 UTC by Aniket Pandey
Modified: 2018-12-06 13:33 UTC
Description Aniket Pandey 2018-07-23 16:20:44 UTC
The logical operator which verifies that the desired limit of auditpipe queue length to be set is between QLIMIT_MIN and QLIMIT_MAX is wrong.

case AUDITPIPE_SET_QLIMIT:
	/* Lockless integer write. */
	if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
            *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {

should be

case AUDITPIPE_SET_QLIMIT:
	/* Lockless integer write. */
	if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN &&
            *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {


Steps to reproduce the bug: (On 12-CURRENT)

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <security/audit/audit_ioctl.h>

int main(void) {
	int fd = open("/dev/auditpipe", O_RDWR);
	if (fd < 0) {
		perror("auditpipe");
		return 1;
	}

	/* Fetch the minimum queue limit the kernel claims to enforce. */
	int qlimit_min;
	ioctl(fd, AUDITPIPE_GET_QLIMIT_MIN, &qlimit_min);

	qlimit_min -= 5;	/* Not allowed since it is less than QLIMIT_MIN */

	/* With the bug present this succeeds instead of being rejected. */
	ioctl(fd, AUDITPIPE_SET_QLIMIT, &qlimit_min);
	perror("set qlimit");
	close(fd);
	return 0;
}

Output: "set qlimit: No error: 0"
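
Added example, not part of the original report or of the FreeBSD source: a userland model of the two bounds checks quoted above, showing that the `||` form accepts every unsigned value while the `&&` form rejects all out-of-range ones. The names pipe_model, set_qlimit_buggy, set_qlimit_fixed and count_bad_accepts are hypothetical, and QLIMIT_MIN/QLIMIT_MAX hold constructed placeholder values rather than the kernel's.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed placeholder bounds (assumption); the real ones are in audit_pipe.c. */
#define QLIMIT_MIN 16u
#define QLIMIT_MAX 1024u

struct pipe_model { unsigned int qlimit; };	/* hypothetical stand-in for the pipe */

/* Pre-fix check: when MIN <= MAX, every value satisfies one side of the ||. */
static int set_qlimit_buggy(struct pipe_model *p, unsigned int want)
{
	if (want >= QLIMIT_MIN || want <= QLIMIT_MAX) {
		p->qlimit = want;
		return 0;
	}
	return EINVAL;
}

/* Post-fix check: both bounds must hold before the write happens. */
static int set_qlimit_fixed(struct pipe_model *p, unsigned int want)
{
	if (want >= QLIMIT_MIN && want <= QLIMIT_MAX) {
		p->qlimit = want;
		return 0;
	}
	return EINVAL;
}

/* Run five out-of-range probes through a handler; count how many it accepts. */
static int count_bad_accepts(int (*set)(struct pipe_model *, unsigned int))
{
	/* 0, MIN-1, MAX+1, a negative int reinterpreted as unsigned, UINT_MAX */
	const unsigned int probes[] = { 0u, QLIMIT_MIN - 1, QLIMIT_MAX + 1,
	    (unsigned int)-4, ~0u };
	int bad = 0;
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		struct pipe_model p = { 128u };
		if (set(&p, probes[i]) == 0)
			bad++;
	}
	return bad;
}

int main(void)
{
	printf("buggy check accepted %d of 5\n", count_bad_accepts(set_qlimit_buggy));
	printf("fixed check accepted %d of 5\n", count_bad_accepts(set_qlimit_fixed));
	return 0;
}
```
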
Comment 1 commit-hook freebsd_committer 2018-07-23 16:57:23 UTC
A commit references this bug:

Author: avg
Date: Mon Jul 23 16:56:49 UTC 2018
New revision: 336641
URL: https://svnweb.freebsd.org/changeset/base/336641

Log:
  fix incorrect operator in the AUDITPIPE_SET_QLIMIT bounds check

  PR:		229983
  Submitted by:	Aniket Pandey <aniketp@iitk.ac.in>
  Reported by:	Aniket Pandey <aniketp@iitk.ac.in>
  MFC after:	1 week

Changes:
  head/sys/security/audit/audit_pipe.c
Comment 2 commit-hook freebsd_committer 2018-12-06 13:32:59 UTC
A commit references this bug:

Author: avg
Date: Thu Dec  6 13:32:52 UTC 2018
New revision: 341633
URL: https://svnweb.freebsd.org/changeset/base/341633

Log:
  MFC r336641: fix incorrect operator in the AUDITPIPE_SET_QLIMIT bounds check

  PR:		229983

Changes:
_U  stable/10/
  stable/10/sys/security/audit/audit_pipe.c