getaudit_addr syscall has a bug

Originator: nishant.pamnani
Number: rdar://37462311
Date Originated: 2/12/2018
Status: open
Resolved:
Product: mac osx
Product Version: 10.9 - 13.3.3
Classification:
Reproducible: yes
 
The getaudit_addr syscall does not return the correct ai_mask field. It always returns the masks set to zero, even with proper privileges.

Observation:
The function getaudit_addr_internal is called by getaudit_addr.

The statement 'bcopy(scred->cr_audit.as_aia_p, &aia, sizeof (auditinfo_addr_t));' simply copies the stored session-specific 'auditinfo_addr_t' and returns it.
But the 'ai_mask' field of 'scred->cr_audit.as_aia_p' does not store the mask. The mask is stored in the 'as_mask' field of 'struct au_session'. Getting the mask using the auditon system call has no such problem.
<snip>
static int
getaudit_addr_internal(proc_t p, user_addr_t user_addr, size_t length)
{
	kauth_cred_t scred;
	auditinfo_addr_t aia;

	scred = kauth_cred_proc_ref(p);

	bcopy(scred->cr_audit.as_aia_p, &aia, sizeof (auditinfo_addr_t)); 
	/*
	 * Only superuser gets to see the real mask.
	 */
	if (suser(scred, &p->p_acflag)) {
		aia.ai_mask.am_success = ~0;
		aia.ai_mask.am_failure = ~0;
	}
	kauth_cred_unref(&scred);

	return (copyout(&aia, user_addr, min(sizeof(aia), length)));
}
</snip>

Because of this bug, the sudo utility is not able to generate the ACE_sudo event, because sudo uses the getaudit_addr syscall to check the stored mask.
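The observation above as a user-space model (an added example, not XNU source and not Apple's fix): the structs carry a reduced field set, and get_fixed, repro_success_mask and the sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* User-space model with a reduced field set; not the XNU definitions. */
typedef struct { unsigned int am_success, am_failure; } au_mask_t;
typedef struct { unsigned int ai_auid; au_mask_t ai_mask; int ai_asid; } auditinfo_addr_t;
struct au_session { auditinfo_addr_t *as_aia_p; au_mask_t as_mask; };

/* Path from the report: copy the session entry only, so ai_mask stays zero. */
static auditinfo_addr_t get_buggy(const struct au_session *s, int is_superuser)
{
    auditinfo_addr_t aia;
    memcpy(&aia, s->as_aia_p, sizeof(aia));
    if (!is_superuser)                      /* only superuser sees the real mask */
        aia.ai_mask.am_success = aia.ai_mask.am_failure = ~0u;
    return aia;
}

/* Hypothetical fix: overlay the mask kept in as_mask before the privilege check. */
static auditinfo_addr_t get_fixed(const struct au_session *s, int is_superuser)
{
    auditinfo_addr_t aia;
    memcpy(&aia, s->as_aia_p, sizeof(aia));
    aia.ai_mask = s->as_mask;
    if (!is_superuser)
        aia.ai_mask.am_success = aia.ai_mask.am_failure = ~0u;
    return aia;
}

/* Steps to Reproduce in the model: store a non-zero mask, then read it back. */
static unsigned int repro_success_mask(int use_fix, int is_superuser)
{
    auditinfo_addr_t entry = { 501, { 0, 0 }, 100001 };  /* constructed sample values */
    struct au_session sess = { &entry, { 0, 0 } };
    sess.as_mask.am_success = 0x3;  /* constructed non-zero mask, as set via setaudit_addr */
    sess.as_mask.am_failure = 0x3;
    return (use_fix ? get_fixed(&sess, is_superuser)
                    : get_buggy(&sess, is_superuser)).ai_mask.am_success;
}

int main(void)
{
    printf("buggy, privileged:   0x%x\n", repro_success_mask(0, 1));
    printf("fixed, privileged:   0x%x\n", repro_success_mask(1, 1));
    printf("fixed, unprivileged: 0x%x\n", repro_success_mask(1, 0));
    return 0;
}
```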

Steps to Reproduce:
1. Set a non-zero au_mask using setaudit_addr with proper privileges.
2. Get the au_mask using getaudit_addr with proper privileges.

Expected Results:
Should get back the mask stored.

Actual Results:
Returns au_mask set to zero.

Version/Build:
osx-10.9 to osx-10.13.3
