[PATCH] audit: always check the netlink payload length in audit_receive_msg()

Paul Moore paul at paul-moore.com
Mon Feb 24 22:55:43 UTC 2020


On Mon, Feb 24, 2020 at 5:53 PM Paul Moore <paul at paul-moore.com> wrote:
> This patch ensures that we always check the netlink payload length
> in audit_receive_msg() before we take any action on the payload
> itself.
>
> Cc: stable at vger.kernel.org
> Reported-by: syzbot+399c44bf1f43b8747403 at syzkaller.appspotmail.com
> Reported-by: syzbot+e4b12d8d202701f08b6d at syzkaller.appspotmail.com
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
>  kernel/audit.c |   43 +++++++++++++++++++++++--------------------
>  1 file changed, 23 insertions(+), 20 deletions(-)

...

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 17b0d523afb3..6e8b176bdb68 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1314,11 +1314,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>                 if (err)
>                         return err;
>                 break;
> -       case AUDIT_SET_FEATURE:
> -               err = audit_set_feature(skb);
> +       case AUDIT_SET_FEATURE: {
> +               if (data_len < sizeof(struct audit_features))
> +                       return -EINVAL;
> +               err = audit_set_feature(data);
>                 if (err)
>                         return err;
>                 break;
> +       }
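
Review bot: the braces opened at `case AUDIT_SET_FEATURE: {` and closed by the added `}` after `break;` wrap no local declaration, so they can be dropped and the case body left unbraced. The `data_len < sizeof(struct audit_features)` check correctly runs before `audit_set_feature(data)`. Because the call now passes `data` instead of `skb`, the callee's parameter has to change in the same patch. That part is not in the quoted hunk, so it is worth confirming that the callee works only on the already length-checked payload pointer and does not read the payload from the skb again.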

Ooops, these braces are an artifact from a previous revision.
Consider them removed.

-- 
paul moore
www.paul-moore.com




