[PATCH] audit: check the length of userspace generated audit records

[PATCH] audit: check the length of userspace generated audit records

[Paul Moore]

Commit 756125289285 ("audit: always check the netlink payload length
in audit_receive_msg()") fixed a number of missing message length
checks, but forgot to check the length of userspace generated audit
records.  The good news is that you need CAP_AUDIT_WRITE to submit
userspace audit records, which is generally only given to trusted
processes, so the impact should be limited.

Cc: stable@vger.kernel.org
Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 kernel/audit.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index b69c8b460341..87f31bf1f0a0 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
 		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
 			return 0;
+		/* exit early if there isn't at least one character to print */
+		if (data_len < 2)
+			return -EINVAL;
 
 		err = audit_filter(msg_type, AUDIT_FILTER_USER);
 		if (err == 1) { /* match or error */

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH] audit: check the length of userspace generated audit records

[Richard Guy Briggs]

On 2020-04-20 17:36, Paul Moore wrote:
> Commit 756125289285 ("audit: always check the netlink payload length
> in audit_receive_msg()") fixed a number of missing message length
> checks, but forgot to check the length of userspace generated audit
> records.  The good news is that you need CAP_AUDIT_WRITE to submit
> userspace audit records, which is generally only given to trusted
> processes, so the impact should be limited.
> 
> Cc: stable@vger.kernel.org
> Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
> Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  kernel/audit.c |    3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b69c8b460341..87f31bf1f0a0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
>  		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
>  			return 0;
> +		/* exit early if there isn't at least one character to print */
> +		if (data_len < 2)
> +			return -EINVAL;

Don't we want to issue the record even if the message is empty?  If a
len of 1 is passed in, it will properly set str[0] = '\0' and str points
to a location with a null that prints nothing between the single quotes
of "msg=''".  So, I think that should be "if (data_len < 1)".

Am I missing something?

>  		err = audit_filter(msg_type, AUDIT_FILTER_USER);
>  		if (err == 1) { /* match or error */
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH] audit: check the length of userspace generated audit records

[Paul Moore]

On Mon, Apr 20, 2020 at 5:56 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2020-04-20 17:36, Paul Moore wrote:
> > Commit 756125289285 ("audit: always check the netlink payload length
> > in audit_receive_msg()") fixed a number of missing message length
> > checks, but forgot to check the length of userspace generated audit
> > records.  The good news is that you need CAP_AUDIT_WRITE to submit
> > userspace audit records, which is generally only given to trusted
> > processes, so the impact should be limited.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
> > Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> >  kernel/audit.c |    3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index b69c8b460341..87f31bf1f0a0 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> >       case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> >               if (!audit_enabled && msg_type != AUDIT_USER_AVC)
> >                       return 0;
> > +             /* exit early if there isn't at least one character to print */
> > +             if (data_len < 2)
> > +                     return -EINVAL;
>
> Don't we want to issue the record even if the message is empty?  If a
> len of 1 is passed in, it will properly set str[0] = '\0' and str points
> to a location with a null that prints nothing between the single quotes
> of "msg=''".  So, I think that should be "if (data_len < 1)".
>
> Am I missing something?

I've got no problem with allowing an empty message so long as there is
a valid use for such a message.  Can anyone think of a valid reason
for having an empty userspace generated record?

-- 
paul moore
www.paul-moore.com


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH] audit: check the length of userspace generated audit records

[Lenny Bruzenak]

[-- Attachment #1.1: Type: text/plain, Size: 2328 bytes --]

On 4/20/20 5:29 PM, Paul Moore wrote:

> On Mon, Apr 20, 2020 at 5:56 PM Richard Guy Briggs<rgb@redhat.com>  wrote:
>> On 2020-04-20 17:36, Paul Moore wrote:
>>> Commit 756125289285 ("audit: always check the netlink payload length
>>> in audit_receive_msg()") fixed a number of missing message length
>>> checks, but forgot to check the length of userspace generated audit
>>> records.  The good news is that you need CAP_AUDIT_WRITE to submit
>>> userspace audit records, which is generally only given to trusted
>>> processes, so the impact should be limited.
>>>
>>> Cc:stable@vger.kernel.org
>>> Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
>>> Reported-by:syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
>>> Signed-off-by: Paul Moore<paul@paul-moore.com>
>>> ---
>>>   kernel/audit.c |    3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> diff --git a/kernel/audit.c b/kernel/audit.c
>>> index b69c8b460341..87f31bf1f0a0 100644
>>> --- a/kernel/audit.c
>>> +++ b/kernel/audit.c
>>> @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>>>        case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
>>>                if (!audit_enabled && msg_type != AUDIT_USER_AVC)
>>>                        return 0;
>>> +             /* exit early if there isn't at least one character to print */
>>> +             if (data_len < 2)
>>> +                     return -EINVAL;
>> Don't we want to issue the record even if the message is empty?  If a
>> len of 1 is passed in, it will properly set str[0] = '\0' and str points
>> to a location with a null that prints nothing between the single quotes
>> of "msg=''".  So, I think that should be "if (data_len < 1)".
>>
>> Am I missing something?
> I've got no problem with allowing an empty message so long as there is
> a valid use for such a message.  Can anyone think of a valid reason
> for having an empty userspace generated record?

Not really. Using the libaudit interface(s), even if an empty message 
string is sent, and handled in the lib call(s), I believe it will have 
minimum contextual info, e.g. "exe=... hostname=... ", etc.

I can't think of a valid reason myself, assuming IIUC.

LCB


-- 
LC Bruzenak
MagitekLTD


[-- Attachment #1.2: Type: text/html, Size: 3444 bytes --]

[-- Attachment #2: Type: text/plain, Size: 102 bytes --]

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH] audit: check the length of userspace generated audit records

[Richard Guy Briggs]

On 2020-04-20 17:56, Lenny Bruzenak wrote:
> On 4/20/20 5:29 PM, Paul Moore wrote:
> 
> > On Mon, Apr 20, 2020 at 5:56 PM Richard Guy Briggs<rgb@redhat.com>  wrote:
> > > On 2020-04-20 17:36, Paul Moore wrote:
> > > > Commit 756125289285 ("audit: always check the netlink payload length
> > > > in audit_receive_msg()") fixed a number of missing message length
> > > > checks, but forgot to check the length of userspace generated audit
> > > > records.  The good news is that you need CAP_AUDIT_WRITE to submit
> > > > userspace audit records, which is generally only given to trusted
> > > > processes, so the impact should be limited.
> > > > 
> > > > Cc:stable@vger.kernel.org
> > > > Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
> > > > Reported-by:syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
> > > > Signed-off-by: Paul Moore<paul@paul-moore.com>
> > > > ---
> > > >   kernel/audit.c |    3 +++
> > > >   1 file changed, 3 insertions(+)
> > > > 
> > > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > > index b69c8b460341..87f31bf1f0a0 100644
> > > > --- a/kernel/audit.c
> > > > +++ b/kernel/audit.c
> > > > @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > > >        case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> > > >                if (!audit_enabled && msg_type != AUDIT_USER_AVC)
> > > >                        return 0;
> > > > +             /* exit early if there isn't at least one character to print */
> > > > +             if (data_len < 2)
> > > > +                     return -EINVAL;
> > > Don't we want to issue the record even if the message is empty?  If a
> > > len of 1 is passed in, it will properly set str[0] = '\0' and str points
> > > to a location with a null that prints nothing between the single quotes
> > > of "msg=''".  So, I think that should be "if (data_len < 1)".
> > > 
> > > Am I missing something?
> > I've got no problem with allowing an empty message so long as there is
> > a valid use for such a message.  Can anyone think of a valid reason
> > for having an empty userspace generated record?
> 
> Not really. Using the libaudit interface(s), even if an empty message string
> is sent, and handled in the lib call(s), I believe it will have minimum
> contextual info, e.g. "exe=... hostname=... ", etc.
> 
> I can't think of a valid reason myself, assuming IIUC.

But even with an empty message, there is still pid, uid, auid, ses, subj
added by the kernel with its own message type.  I could see a valid type
of user message created that has no need for any of those fields added
by audit_log_user_message(), calling audit_send_user_message() directly
(but mind you, it appears to be deprecated to call it directly).

> LCB

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH] audit: check the length of userspace generated audit records

[Steve Grubb]

On Monday, April 20, 2020 8:18:06 PM EDT Richard Guy Briggs wrote:
> On 2020-04-20 17:56, Lenny Bruzenak wrote:
> > On 4/20/20 5:29 PM, Paul Moore wrote:
> > > On Mon, Apr 20, 2020 at 5:56 PM Richard Guy Briggs<rgb@redhat.com>  
wrote:
> > > > On 2020-04-20 17:36, Paul Moore wrote:
> > > > > Commit 756125289285 ("audit: always check the netlink payload
> > > > > length
> > > > > in audit_receive_msg()") fixed a number of missing message length
> > > > > checks, but forgot to check the length of userspace generated audit
> > > > > records.  The good news is that you need CAP_AUDIT_WRITE to submit
> > > > > userspace audit records, which is generally only given to trusted
> > > > > processes, so the impact should be limited.
> > > > > 
> > > > > Cc:stable@vger.kernel.org
> > > > > Fixes: 756125289285 ("audit: always check the netlink payload
> > > > > length in audit_receive_msg()")
> > > > > Reported-by:syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
> > > > > Signed-off-by: Paul Moore<paul@paul-moore.com>
> > > > > ---
> > > > > 
> > > > >   kernel/audit.c |    3 +++
> > > > >   1 file changed, 3 insertions(+)
> > > > > 
> > > > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > > > index b69c8b460341..87f31bf1f0a0 100644
> > > > > --- a/kernel/audit.c
> > > > > +++ b/kernel/audit.c
> > > > > @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff
> > > > > *skb, struct nlmsghdr *nlh)> > > > 
> > > > >        case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> > > > >                if (!audit_enabled && msg_type != AUDIT_USER_AVC)
> > > > >                
> > > > >                        return 0;
> > > > > 
> > > > > +             /* exit early if there isn't at least one character
> > > > > to print */ +             if (data_len < 2)
> > > > > +                     return -EINVAL;
> > > > 
> > > > Don't we want to issue the record even if the message is empty?  If a
> > > > len of 1 is passed in, it will properly set str[0] = '\0' and str
> > > > points
> > > > to a location with a null that prints nothing between the single
> > > > quotes
> > > > of "msg=''".  So, I think that should be "if (data_len < 1)".
> > > > 
> > > > Am I missing something?
> > > 
> > > I've got no problem with allowing an empty message so long as there is
> > > a valid use for such a message.  Can anyone think of a valid reason
> > > for having an empty userspace generated record?
> > 
> > Not really. Using the libaudit interface(s), even if an empty message
> > string is sent, and handled in the lib call(s), I believe it will have
> > minimum contextual info, e.g. "exe=... hostname=... ", etc.
> > 
> > I can't think of a valid reason myself, assuming IIUC.
> 
> But even with an empty message, there is still pid, uid, auid, ses, subj
> added by the kernel with its own message type.  I could see a valid type
> of user message created that has no need for any of those fields added
> by audit_log_user_message(), calling audit_send_user_message() directly
> (but mind you, it appears to be deprecated to call it directly).

There is no valid reason. Even allowing just 1 character is also invalid and 
a waste of disk space. But I guess you need to draw the line somewhere.

-Steve



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH] audit: check the length of userspace generated audit records

[Paul Moore]

On Mon, Apr 20, 2020 at 5:36 PM Paul Moore <paul@paul-moore.com> wrote:
>
> Commit 756125289285 ("audit: always check the netlink payload length
> in audit_receive_msg()") fixed a number of missing message length
> checks, but forgot to check the length of userspace generated audit
> records.  The good news is that you need CAP_AUDIT_WRITE to submit
> userspace audit records, which is generally only given to trusted
> processes, so the impact should be limited.
>
> Cc: stable@vger.kernel.org
> Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
> Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  kernel/audit.c |    3 +++
>  1 file changed, 3 insertions(+)

Merged into audit/stable-5.7; I'll send it up to Linus later this week.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index b69c8b460341..87f31bf1f0a0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>         case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
>                 if (!audit_enabled && msg_type != AUDIT_USER_AVC)
>                         return 0;
> +               /* exit early if there isn't at least one character to print */
> +               if (data_len < 2)
> +                       return -EINVAL;
>
>                 err = audit_filter(msg_type, AUDIT_FILTER_USER);
>                 if (err == 1) { /* match or error */

-- 
paul moore
www.paul-moore.com


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit