audit: check the length of userspace generated audit records

commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream. Commit 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") fixed a number of missing message length checks, but forgot to check the length of userspace generated audit records. The good news is that you need CAP_AUDIT_WRITE to submit userspace audit records, which is generally only given to trusted processes, so the impact should be limited. Cc: stable@vger.kernel.org Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Paul Moore <paul@paul-moore.com> 2020-04-20 16:24:34 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-05-02 17:20:48 +0200
commit: 1a8abec91244735f760b21f0a4ba93f62cab3483 (patch)
tree: 3bfc83fd6f9805dc10a86efbe8af4e7943630e2d /kernel
parent: fda668f23518b3e458e9cf03d12d968852c27ac1 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 84c445db5fe1..b685672def35 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -919,6 +919,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
 		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
 			return 0;
+		/* exit early if there isn't at least one character to print */
+		if (data_len < 2)
+			return -EINVAL;
 
 		err = audit_filter_user(msg_type);
 		if (err == 1) { /* match or error */
author	Paul Moore <paul@paul-moore.com>	2020-04-20 16:24:34 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-05-02 17:20:48 +0200
commit	1a8abec91244735f760b21f0a4ba93f62cab3483 (patch)
tree	3bfc83fd6f9805dc10a86efbe8af4e7943630e2d /kernel
parent	fda668f23518b3e458e9cf03d12d968852c27ac1 (diff)