On Monday, April 20, 2020 8:18:06 PM EDT Richard Guy Briggs wrote: > On 2020-04-20 17:56, Lenny Bruzenak wrote: > > On 4/20/20 5:29 PM, Paul Moore wrote: > > > On Mon, Apr 20, 2020 at 5:56 PM Richard Guy Briggs<[email protected]> wrote: > > > > On 2020-04-20 17:36, Paul Moore wrote: > > > > > Commit 756125289285 ("audit: always check the netlink payload > > > > > length > > > > > in audit_receive_msg()") fixed a number of missing message length > > > > > checks, but forgot to check the length of userspace generated audit > > > > > records. The good news is that you need CAP_AUDIT_WRITE to submit > > > > > userspace audit records, which is generally only given to trusted > > > > > processes, so the impact should be limited. > > > > > > > > > > Cc:[email protected] > > > > > Fixes: 756125289285 ("audit: always check the netlink payload > > > > > length in audit_receive_msg()") > > > > > Reported-by:[email protected] > > > > > Signed-off-by: Paul Moore<[email protected]> > > > > > --- > > > > > > > > > > kernel/audit.c | 3 +++ > > > > > 1 file changed, 3 insertions(+) > > > > > > > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > > > > index b69c8b460341..87f31bf1f0a0 100644 > > > > > --- a/kernel/audit.c > > > > > +++ b/kernel/audit.c > > > > > @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff > > > > > *skb, struct nlmsghdr *nlh)> > > > > > > > > case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: > > > > > if (!audit_enabled && msg_type != AUDIT_USER_AVC) > > > > > > > > > > return 0; > > > > > > > > > > + /* exit early if there isn't at least one character > > > > > to print */ + if (data_len < 2) > > > > > + return -EINVAL; > > > > > > > > Don't we want to issue the record even if the message is empty? If a > > > > len of 1 is passed in, it will properly set str[0] = '\0' and str > > > > points > > > > to a location with a null that prints nothing between the single > > > > quotes > > > > of "msg=''". So, I think that should be "if (data_len < 1)". > > > > > > > > Am I missing something? > > > > > > I've got no problem with allowing an empty message so long as there is > > > a valid use for such a message. Can anyone think of a valid reason > > > for having an empty userspace generated record? > > > > Not really. Using the libaudit interface(s), even if an empty message > > string is sent, and handled in the lib call(s), I believe it will have > > minimum contextual info, e.g. "exe=... hostname=... ", etc. > > > > I can't think of a valid reason myself, assuming IIUC. > > But even with an empty message, there is still pid, uid, auid, ses, subj > added by the kernel with its own message type. I could see a valid type > of user message created that has no need for any of those fields added > by audit_log_user_message(), calling audit_send_user_message() directly > (but mind you, it appears to be deprecated to call it directly).
There is no valid reason. Even allowing just 1 character is also invalid and a waste of disk space. But I guess you need to draw the line somewhere. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
