From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+1f4d90ead370d72e450b@syzkaller.appspotmail.com,
Paul Moore <paul@paul-moore.com>
Subject: [PATCH 4.4 20/72] audit: fix error handling in audit_data_to_entry()
Date: Tue, 10 Mar 2020 13:38:33 +0100 [thread overview]
Message-ID: <20200310123606.607697839@linuxfoundation.org> (raw)
In-Reply-To: <20200310123601.053680753@linuxfoundation.org>
From: Paul Moore <paul@paul-moore.com>
commit 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb upstream.
Commit 219ca39427bf ("audit: use union for audit_field values since
they are mutually exclusive") combined a number of separate fields in
the audit_field struct into a single union. Generally this worked
just fine because they are generally mutually exclusive.
Unfortunately in audit_data_to_entry() the overlap can be a problem
when a specific error case is triggered that causes the error path
code to attempt to cleanup an audit_field struct and the cleanup
involves attempting to free a stored LSM string (the lsm_str field).
Currently the code always has a non-NULL value in the
audit_field.lsm_str field as the top of the for-loop transfers a
value into audit_field.val (both .lsm_str and .val are part of the
same union); if audit_data_to_entry() fails and the audit_field
struct is specified to contain a LSM string, but the
audit_field.lsm_str has not yet been properly set, the error handling
code will attempt to free the bogus audit_field.lsm_str value that
was set with audit_field.val at the top of the for-loop.
This patch corrects this by ensuring that the audit_field.val is only
set when needed (it is cleared when the audit_field struct is
allocated with kcalloc()). It also corrects a few other issues to
ensure that in case of error the proper error code is returned.
Cc: stable@vger.kernel.org
Fixes: 219ca39427bf ("audit: use union for audit_field values since they are mutually exclusive")
Reported-by: syzbot+1f4d90ead370d72e450b@syzkaller.appspotmail.com
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/auditfilter.c | 71 ++++++++++++++++++++++++++++-----------------------
1 file changed, 39 insertions(+), 32 deletions(-)
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -434,6 +434,7 @@ static struct audit_entry *audit_data_to
bufp = data->buf;
for (i = 0; i < data->field_count; i++) {
struct audit_field *f = &entry->rule.fields[i];
+ u32 f_val;
err = -EINVAL;
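Review bot: The new `u32 f_val` staging variable carries an invariant the code itself does not state: `f->val` has to stay at its zeroed value until a case that actually needs it assigns it, because `val` shares the union with `lsm_str` and a non-NULL `lsm_str` is what the `exit_free` path releases. The commit message explains this (the entry comes zeroed from kcalloc()), but a later edit that writes `f->val` at the top of the loop again would silently reintroduce the bad free. I would add beside the declaration: `/* Stage the value here; f->val shares a union with lsm_str, so assign it only in the cases that need it (see exit_free) */`. audit_data_to_entry() starts before this hunk.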
@@ -442,12 +443,12 @@ static struct audit_entry *audit_data_to
goto exit_free;
f->type = data->fields[i];
- f->val = data->values[i];
+ f_val = data->values[i];
/* Support legacy tests for a valid loginuid */
- if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
+ if ((f->type == AUDIT_LOGINUID) && (f_val == AUDIT_UID_UNSET)) {
f->type = AUDIT_LOGINUID_SET;
- f->val = 0;
+ f_val = 0;
entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
}
@@ -463,7 +464,7 @@ static struct audit_entry *audit_data_to
case AUDIT_SUID:
case AUDIT_FSUID:
case AUDIT_OBJ_UID:
- f->uid = make_kuid(current_user_ns(), f->val);
+ f->uid = make_kuid(current_user_ns(), f_val);
if (!uid_valid(f->uid))
goto exit_free;
break;
@@ -472,11 +473,12 @@ static struct audit_entry *audit_data_to
case AUDIT_SGID:
case AUDIT_FSGID:
case AUDIT_OBJ_GID:
- f->gid = make_kgid(current_user_ns(), f->val);
+ f->gid = make_kgid(current_user_ns(), f_val);
if (!gid_valid(f->gid))
goto exit_free;
break;
case AUDIT_ARCH:
+ f->val = f_val;
entry->rule.arch_f = f;
break;
case AUDIT_SUBJ_USER:
@@ -489,11 +491,13 @@ static struct audit_entry *audit_data_to
case AUDIT_OBJ_TYPE:
case AUDIT_OBJ_LEV_LOW:
case AUDIT_OBJ_LEV_HIGH:
- str = audit_unpack_string(&bufp, &remain, f->val);
- if (IS_ERR(str))
+ str = audit_unpack_string(&bufp, &remain, f_val);
+ if (IS_ERR(str)) {
+ err = PTR_ERR(str);
goto exit_free;
- entry->rule.buflen += f->val;
-
+ }
+ entry->rule.buflen += f_val;
+ f->lsm_str = str;
err = security_audit_rule_init(f->type, f->op, str,
(void **)&f->lsm_rule);
/* Keep currently invalid fields around in case they
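Review bot: `f->lsm_str = str;` is now assigned before `security_audit_rule_init()`, which is what allows the error branch in the next hunk to drop its local `kfree(str)` — but nothing at this site says so, and a reader who sees a `goto exit_free` with no free will suspect a leak. A one-line comment at the assignment would carry the ownership transfer: `/* from here on str belongs to the field and is released with the entry on exit_free */`. This also means the `err == -EINVAL` "keep invalid field" path now retains the string alongside a field whose `lsm_rule` was not successfully initialised; whether the LSM leaves `lsm_rule` NULL on that failure is not visible here and is worth confirming. The handling of the init call's return value continues in the next hunk.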
@@ -502,68 +506,71 @@ static struct audit_entry *audit_data_to
pr_warn("audit rule for LSM \'%s\' is invalid\n",
str);
err = 0;
- }
- if (err) {
- kfree(str);
+ } else if (err)
goto exit_free;
- } else
- f->lsm_str = str;
break;
case AUDIT_WATCH:
- str = audit_unpack_string(&bufp, &remain, f->val);
- if (IS_ERR(str))
+ str = audit_unpack_string(&bufp, &remain, f_val);
+ if (IS_ERR(str)) {
+ err = PTR_ERR(str);
goto exit_free;
- entry->rule.buflen += f->val;
-
- err = audit_to_watch(&entry->rule, str, f->val, f->op);
+ }
+ err = audit_to_watch(&entry->rule, str, f_val, f->op);
if (err) {
kfree(str);
goto exit_free;
}
+ entry->rule.buflen += f_val;
break;
case AUDIT_DIR:
- str = audit_unpack_string(&bufp, &remain, f->val);
- if (IS_ERR(str))
+ str = audit_unpack_string(&bufp, &remain, f_val);
+ if (IS_ERR(str)) {
+ err = PTR_ERR(str);
goto exit_free;
- entry->rule.buflen += f->val;
-
+ }
err = audit_make_tree(&entry->rule, str, f->op);
kfree(str);
if (err)
goto exit_free;
+ entry->rule.buflen += f_val;
break;
case AUDIT_INODE:
+ f->val = f_val;
err = audit_to_inode(&entry->rule, f);
if (err)
goto exit_free;
break;
case AUDIT_FILTERKEY:
- if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
+ if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN)
goto exit_free;
- str = audit_unpack_string(&bufp, &remain, f->val);
- if (IS_ERR(str))
+ str = audit_unpack_string(&bufp, &remain, f_val);
+ if (IS_ERR(str)) {
+ err = PTR_ERR(str);
goto exit_free;
- entry->rule.buflen += f->val;
+ }
+ entry->rule.buflen += f_val;
entry->rule.filterkey = str;
break;
case AUDIT_EXE:
- if (entry->rule.exe || f->val > PATH_MAX)
+ if (entry->rule.exe || f_val > PATH_MAX)
goto exit_free;
- str = audit_unpack_string(&bufp, &remain, f->val);
+ str = audit_unpack_string(&bufp, &remain, f_val);
if (IS_ERR(str)) {
err = PTR_ERR(str);
goto exit_free;
}
- entry->rule.buflen += f->val;
-
- audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
+ audit_mark = audit_alloc_mark(&entry->rule, str, f_val);
if (IS_ERR(audit_mark)) {
kfree(str);
err = PTR_ERR(audit_mark);
goto exit_free;
}
+ entry->rule.buflen += f_val;
entry->rule.exe = audit_mark;
break;
+ default:
+ f->val = f_val;
+ break;
}
}
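Review bot: In the LSM case the rewritten error branch `} else if (err)` is followed by an unbraced `goto exit_free;` while the `if` branch above it is braced; kernel coding style asks for braces on both branches when either needs them, so I would write `} else if (err) {` / `goto exit_free;` / `}`. The same hunk moves `entry->rule.buflen += f_val;` after the success check in the WATCH, DIR and EXE cases, whereas the LSM case (previous hunk) still adds it before `security_audit_rule_init()` can fail — harmless, since exit_free discards the whole entry, but worth aligning so the five string cases read the same way. The `exit_free` label itself and the rest of audit_data_to_entry() lie outside this hunk.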