On Mon, Apr 20, 2020 at 5:36 PM Paul Moore <[email protected]> wrote:
>
> Commit 756125289285 ("audit: always check the netlink payload length
> in audit_receive_msg()") fixed a number of missing message length
> checks, but forgot to check the length of userspace generated audit
> records. The good news is that you need CAP_AUDIT_WRITE to submit
> userspace audit records, which is generally only given to trusted
> processes, so the impact should be limited.
>
> Cc: [email protected]
> Fixes: 756125289285 ("audit: always check the netlink payload length in
> audit_receive_msg()")
> Reported-by: [email protected]
> Signed-off-by: Paul Moore <[email protected]>
> ---
> kernel/audit.c | 3 +++
> 1 file changed, 3 insertions(+)
Merged into audit/stable-5.7; I'll send it up to Linus later this week.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b69c8b460341..87f31bf1f0a0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb,
> struct nlmsghdr *nlh)
> case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> if (!audit_enabled && msg_type != AUDIT_USER_AVC)
> return 0;
> + /* exit early if there isn't at least one character to print
> */
> + if (data_len < 2)
> + return -EINVAL;
>
> err = audit_filter(msg_type, AUDIT_FILTER_USER);
> if (err == 1) { /* match or error */
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
