linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com,
	Paul Moore <paul@paul-moore.com>
Subject: [PATCH 4.19 107/131] audit: check the length of userspace generated audit records
Date: Tue, 28 Apr 2020 20:25:19 +0200
Message-ID: <20200428182238.626181804@linuxfoundation.org>
In-Reply-To: <20200428182224.822179290@linuxfoundation.org>

From: Paul Moore <paul@paul-moore.com>

commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream.

Commit 756125289285 ("audit: always check the netlink payload length
in audit_receive_msg()") fixed a number of missing message length
checks, but forgot to check the length of userspace generated audit
records.  The good news is that you need CAP_AUDIT_WRITE to submit
userspace audit records, which is generally only given to trusted
processes, so the impact should be limited.

Cc: stable@vger.kernel.org
Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/audit.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1331,6 +1331,9 @@ static int audit_receive_msg(struct sk_b
 	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
 		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
 			return 0;
+		/* exit early if there isn't at least one character to print */
+		if (data_len < 2)
+			return -EINVAL;
 
 		err = audit_filter(msg_type, AUDIT_FILTER_USER);
 		if (err == 1) { /* match or error */
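
Review bot: the bound in "if (data_len < 2)" does not match its comment: "at least one character to print" reads as data_len < 1, so the comment should say what the second byte is for (presumably a trailing terminator that the record is expected to carry) or the 2 should be replaced by a named constant. Also note the placement after the "!audit_enabled && msg_type != AUDIT_USER_AVC" early return: a too-short record is rejected with -EINVAL only when auditing is enabled (or the type is AUDIT_USER_AVC) and otherwise still returns 0, so callers see different results for the same malformed input depending on audit state. If that is intended, a word in the comment would help; if not, the length check could move above the audit_enabled test. Minor style point: a blank line between "return 0;" and the new comment would match the spacing after the added block.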


