diff options
author | Paul Moore <paul@paul-moore.com> | 2020-04-20 16:24:34 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-04-29 16:31:31 +0200 |
commit | 64c0c4832465cbef373b9f876511e1a4590c544d (patch) | |
tree | dc87002a0ffacbb547a12051d5d8882bb02b289b | |
parent | ddbfab6a4a85435eb10e08886038d0a814ba16a6 (diff) | |
download | linux-stable-64c0c4832465cbef373b9f876511e1a4590c544d.tar.gz linux-stable-64c0c4832465cbef373b9f876511e1a4590c544d.tar.bz2 linux-stable-64c0c4832465cbef373b9f876511e1a4590c544d.zip |
audit: check the length of userspace generated audit records
commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream.
Commit 756125289285 ("audit: always check the netlink payload length
in audit_receive_msg()") fixed a number of missing message length
checks, but forgot to check the length of userspace generated audit
records. The good news is that you need CAP_AUDIT_WRITE to submit
userspace audit records, which is generally only given to trusted
processes, so the impact should be limited.
Cc: stable@vger.kernel.org
Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | kernel/audit.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 1f08c38e604a..7afec5f43c63 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1331,6 +1331,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: if (!audit_enabled && msg_type != AUDIT_USER_AVC) return 0; + /* exit early if there isn't at least one character to print */ + if (data_len < 2) + return -EINVAL; err = audit_filter(msg_type, AUDIT_FILTER_USER); if (err == 1) { /* match or error */ |