[PATCH] audit: always check the netlink payload length in audit_receive_msg()
Richard Guy Briggs
rgb at redhat.com
Tue Mar 17 18:41:03 UTC 2020
On 2020-02-24 17:58, Paul Moore wrote:
> On Mon, Feb 24, 2020 at 5:53 PM Paul Moore <paul at paul-moore.com> wrote:
> >
> > This patch ensures that we always check the netlink payload length
> > in audit_receive_msg() before we take any action on the payload
> > itself.
> >
> > Cc: stable at vger.kernel.org
> > Reported-by: syzbot+399c44bf1f43b8747403 at syzkaller.appspotmail.com
> > Reported-by: syzbot+e4b12d8d202701f08b6d at syzkaller.appspotmail.com
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > ---
> > kernel/audit.c | 43 +++++++++++++++++++++++--------------------
> > 1 file changed, 23 insertions(+), 20 deletions(-)
>
> ...
>
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 17b0d523afb3..6e8b176bdb68 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1334,26 +1339,24 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > break;
> > }
> > audit_log_user_recv_msg(&ab, msg_type);
> > - if (msg_type != AUDIT_USER_TTY)
> > + if (msg_type != AUDIT_USER_TTY) {
> > + /* ensure NULL termination */
> > + str[data_len - 1] = '\0';
> > audit_log_format(ab, " msg='%.*s'",
> > AUDIT_MESSAGE_TEXT_MAX,
> > - (char *)data);
> > - else {
> > - int size;
> > -
> > + str);
> > + } else {
> > audit_log_format(ab, " data=");
> > - size = nlmsg_len(nlh);
> > - if (size > 0 &&
> > - ((unsigned char *)data)[size - 1] == '\0')
> > - size--;
> > - audit_log_n_untrustedstring(ab, data, size);
> > + if (data_len > 0 && str[data_len - 1] == '\0')
> > + data_len--;
> > + audit_log_n_untrustedstring(ab, data, data_len);
> ^^^^
> ... and it looks like I didn't properly refresh my patch before
> sending, the second arg in the line above is "str" not "data".
Ok, better late than never. This all looks reasonable to me, but I've
not tested it.
> paul moore
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list