Page MenuHomeFreeBSD

Fix the incorrect logical operator in AUDITPIPE_SET_QLIMIT ioctl
ClosedPublic

Authored by aniketp on Jul 23 2018, 4:24 PM.

Details

Reviewers
asomers
cem
Summary

The logical operator which verifies that the desired limit of auditpipe queue length to be set is
between QLIMIT_MIN and QLIMIT_MAX is wrong.

case AUDITPIPE_SET_QLIMIT:
	/* Lockless integer write. */
	if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
            *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {

should be

case AUDITPIPE_SET_QLIMIT:
	/* Lockless integer write. */
	if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN &&
            *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {

Bug Report: PR: 229983

Test Plan

Steps to reproduce the bug: (On 12-CURRENT)

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <security/audit/audit_ioctl.h>

void main() {
	int fd = open("/dev/auditpipe", O_RDWR);
        if (fd < 0)
               perror("auditpipe");

	int qlimit_min;	
	ioctl(fd, AUDITPIPE_GET_QLIMIT_MIN, &qlimit_min);

        qlimit_min -= 5;     \* Not allowed since it is less than QLIMIT_MIN *\
	
        ioctl(fd, AUDITPIPE_SET_QLIMIT, &qlimit_min);
        perror("set qlimit");
	close(fd);
}

Output: "set qlimit: No error: 0"

Diff Detail

Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 18270
Build 17995: arc lint + arc unit

Event Timeline

aniketp created this revision.Jul 23 2018, 4:24 PM
cem accepted this revision.Jul 23 2018, 5:05 PM

I see avg already committed it.

This revision is now accepted and ready to land.Jul 23 2018, 5:05 PM
asomers closed this revision.Jul 25 2018, 10:46 PM

Fixed by r336641