From: Paul Moore <paul@paul-moore.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH] audit: check the length of userspace generated audit records
Date: Tue, 21 Apr 2020 17:24:48 -0400 [thread overview]
Message-ID: <CAHC9VhQ4FSmLF0UG9mk99t0A5MXYHCZC4+69AFMtoFB0iqNyXA@mail.gmail.com> (raw)
In-Reply-To: <158741856073.246860.5955712228915579.stgit@chester>
On Mon, Apr 20, 2020 at 5:36 PM Paul Moore <paul@paul-moore.com> wrote:
>
> Commit 756125289285 ("audit: always check the netlink payload length
> in audit_receive_msg()") fixed a number of missing message length
> checks, but forgot to check the length of userspace generated audit
> records. The good news is that you need CAP_AUDIT_WRITE to submit
> userspace audit records, which is generally only given to trusted
> processes, so the impact should be limited.
>
> Cc: stable@vger.kernel.org
> Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
> Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
> kernel/audit.c | 3 +++
> 1 file changed, 3 insertions(+)
Merged into audit/stable-5.7; I'll send it up to Linus later this week.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b69c8b460341..87f31bf1f0a0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> if (!audit_enabled && msg_type != AUDIT_USER_AVC)
> return 0;
> + /* exit early if there isn't at least one character to print */
> + if (data_len < 2)
> + return -EINVAL;
>
> err = audit_filter(msg_type, AUDIT_FILTER_USER);
> if (err == 1) { /* match or error */
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
prev parent reply other threads:[~2020-04-21 21:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-20 21:36 [PATCH] audit: check the length of userspace generated audit records Paul Moore
2020-04-20 21:56 ` Richard Guy Briggs
2020-04-20 23:29 ` Paul Moore
2020-04-20 23:56 ` Lenny Bruzenak
2020-04-21 0:18 ` Richard Guy Briggs
2020-04-21 12:48 ` Steve Grubb
2020-04-21 21:24 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhQ4FSmLF0UG9mk99t0A5MXYHCZC4+69AFMtoFB0iqNyXA@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.