[PATCH] audit: check the length of userspace generated audit records

[Richard Guy Briggs]

On 2020-04-20 17:36, Paul Moore wrote:
> Commit 756125289285 ("audit: always check the netlink payload length
> in audit_receive_msg()") fixed a number of missing message length
> checks, but forgot to check the length of userspace generated audit
> records.  The good news is that you need CAP_AUDIT_WRITE to submit
> userspace audit records, which is generally only given to trusted
> processes, so the impact should be limited.
> 
> Cc: stable at vger.kernel.org
> Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
> Reported-by: syzbot+49e69b4d71a420ceda3e at syzkaller.appspotmail.com
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
>  kernel/audit.c |    3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b69c8b460341..87f31bf1f0a0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
>  		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
>  			return 0;
> +		/* exit early if there isn't at least one character to print */
> +		if (data_len < 2)
> +			return -EINVAL;

Don't we want to issue the record even if the message is empty?  If a
len of 1 is passed in, it will properly set str[0] = '\0' and str points
to a location with a null that prints nothing between the single quotes
of "msg=''".  So, I think that should be "if (data_len < 1)".

Am I missing something?

>  		err = audit_filter(msg_type, AUDIT_FILTER_USER);
>  		if (err == 1) { /* match or error */
> 

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635