From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com,
syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com,
Paul Moore <paul@paul-moore.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 39/72] audit: always check the netlink payload length in audit_receive_msg()
Date: Tue, 10 Mar 2020 13:38:52 +0100 [thread overview]
Message-ID: <20200310123611.306534518@linuxfoundation.org> (raw)
In-Reply-To: <20200310123601.053680753@linuxfoundation.org>
From: Paul Moore <paul@paul-moore.com>
[ Upstream commit 756125289285f6e55a03861bf4b6257aa3d19a93 ]
This patch ensures that we always check the netlink payload length
in audit_receive_msg() before we take any action on the payload
itself.
Cc: stable@vger.kernel.org
Reported-by: syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com
Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/audit.c | 40 +++++++++++++++++++++-------------------
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index bdf0cf463815e..84c445db5fe1e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -753,13 +753,11 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
audit_log_end(ab);
}
-static int audit_set_feature(struct sk_buff *skb)
+static int audit_set_feature(struct audit_features *uaf)
{
- struct audit_features *uaf;
int i;
BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
- uaf = nlmsg_data(nlmsg_hdr(skb));
/* if there is ever a version 2 we should handle that here */
@@ -815,6 +813,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
u32 seq;
void *data;
+ int data_len;
int err;
struct audit_buffer *ab;
u16 msg_type = nlh->nlmsg_type;
@@ -838,6 +837,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
seq = nlh->nlmsg_seq;
data = nlmsg_data(nlh);
+ data_len = nlmsg_len(nlh);
switch (msg_type) {
case AUDIT_GET: {
@@ -859,7 +859,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
struct audit_status s;
memset(&s, 0, sizeof(s));
/* guard against past and future API changes */
- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
+ memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
if (s.mask & AUDIT_STATUS_ENABLED) {
err = audit_set_enabled(s.enabled);
if (err < 0)
@@ -908,7 +908,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return err;
break;
case AUDIT_SET_FEATURE:
- err = audit_set_feature(skb);
+ if (data_len < sizeof(struct audit_features))
+ return -EINVAL;
+ err = audit_set_feature(data);
if (err)
return err;
break;
@@ -920,6 +922,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
err = audit_filter_user(msg_type);
if (err == 1) { /* match or error */
+ char *str = data;
+
err = 0;
if (msg_type == AUDIT_USER_TTY) {
err = tty_audit_push_current();
@@ -928,19 +932,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
mutex_unlock(&audit_cmd_mutex);
audit_log_common_recv_msg(&ab, msg_type);
- if (msg_type != AUDIT_USER_TTY)
+ if (msg_type != AUDIT_USER_TTY) {
+ /* ensure NULL termination */
+ str[data_len - 1] = '\0';
audit_log_format(ab, " msg='%.*s'",
AUDIT_MESSAGE_TEXT_MAX,
- (char *)data);
- else {
- int size;
-
+ str);
+ } else {
audit_log_format(ab, " data=");
- size = nlmsg_len(nlh);
- if (size > 0 &&
- ((unsigned char *)data)[size - 1] == '\0')
- size--;
- audit_log_n_untrustedstring(ab, data, size);
+ if (data_len > 0 && str[data_len - 1] == '\0')
+ data_len--;
+ audit_log_n_untrustedstring(ab, str, data_len);
}
audit_set_portid(ab, NETLINK_CB(skb).portid);
audit_log_end(ab);
@@ -949,7 +951,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
break;
case AUDIT_ADD_RULE:
case AUDIT_DEL_RULE:
- if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
+ if (data_len < sizeof(struct audit_rule_data))
return -EINVAL;
if (audit_enabled == AUDIT_LOCKED) {
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
@@ -958,7 +960,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EPERM;
}
err = audit_rule_change(msg_type, NETLINK_CB(skb).portid,
- seq, data, nlmsg_len(nlh));
+ seq, data, data_len);
break;
case AUDIT_LIST_RULES:
err = audit_list_rules_send(skb, seq);
@@ -972,7 +974,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_MAKE_EQUIV: {
void *bufp = data;
u32 sizes[2];
- size_t msglen = nlmsg_len(nlh);
+ size_t msglen = data_len;
char *old, *new;
err = -EINVAL;
@@ -1049,7 +1051,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
memset(&s, 0, sizeof(s));
/* guard against past and future API changes */
- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
+ memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
/* check if new data is valid */
if ((s.enabled != 0 && s.enabled != 1) ||
(s.log_passwd != 0 && s.log_passwd != 1))
--
2.20.1
next prev parent reply other threads:[~2020-03-10 12:42 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-10 12:38 [PATCH 4.4 00/72] 4.4.216-stable review Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 01/72] iwlwifi: pcie: fix rb_allocator workqueue allocation Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 02/72] ext4: fix potential race between online resizing and write operations Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 03/72] ext4: fix potential race between s_flex_groups online resizing and access Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 04/72] ext4: fix potential race between s_group_info " Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 05/72] ipmi:ssif: Handle a possible NULL pointer reference Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 06/72] mac80211: consider more elements in parsing CRC Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 07/72] cfg80211: check wiphy driver existence for drvinfo report Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 08/72] cifs: Fix mode output in debugging statements Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 09/72] cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 10/72] sysrq: Restore original console_loglevel when sysrq disabled Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 11/72] sysrq: Remove duplicated sysrq message Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 12/72] net: fib_rules: Correctly set table field when table number exceeds 8 bits Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 13/72] net: phy: restore mdio regs in the iproc mdio driver Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 14/72] ipv6: Fix nlmsg_flags when splitting a multipath route Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 15/72] ipv6: Fix route replacement with dev-only route Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 16/72] sctp: move the format error check out of __sctp_sf_do_9_1_abort Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 17/72] nfc: pn544: Fix occasional HW initialization failure Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 18/72] net: sched: correct flower port blocking Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 19/72] ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 20/72] audit: fix error handling in audit_data_to_entry() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 21/72] HID: core: fix off-by-one memset in hid_report_raw_event() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 22/72] HID: core: increase HID report buffer size to 8KiB Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 23/72] HID: hiddev: Fix race in in hiddev_disconnect() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 24/72] MIPS: VPE: Fix a double free and a memory leak in release_vpe() Greg Kroah-Hartman
2020-03-10 12:38 ` Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 25/72] i2c: jz4780: silence log flood on txabrt Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 26/72] ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66 Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 27/72] include/linux/bitops.h: introduce BITS_PER_TYPE Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 28/72] net: netlink: cap max groups which will be considered in netlink_bind() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 29/72] namei: only return -ECHILD from follow_dotdot_rcu() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 30/72] KVM: Check for a bad hva before dropping into the ghc slow path Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 31/72] slip: stop double free sl->dev in slip_open Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 32/72] mm: make page ref count overflow check tighter and more explicit Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 33/72] mm: add try_get_page() helper function Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 34/72] mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 35/72] mm, gup: ensure real head page is ref-counted when using hugepages Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 36/72] mm: prevent get_user_pages() from overflowing page refcount Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 37/72] pipe: add pipe_buf_get() helper Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 38/72] fs: prevent page refcount overflow in pipe_buf_get Greg Kroah-Hartman
2020-03-10 12:38 ` Greg Kroah-Hartman [this message]
2020-03-10 12:38 ` [PATCH 4.4 40/72] serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 41/72] usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 42/72] usb: gadget: serial: fix Tx stall after buffer overflow Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 43/72] drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 44/72] drm/msm/dsi: save pll state before dsi host is powered off Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 45/72] net: ks8851-ml: Remove 8-bit bus accessors Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 4.4 46/72] net: ks8851-ml: Fix 16-bit data access Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 47/72] net: ks8851-ml: Fix 16-bit IO operation Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 48/72] watchdog: da9062: do not ping the hw during stop() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 49/72] s390/cio: cio_ignore_proc_seq_next should increase position index Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 50/72] cifs: dont leak -EAGAIN for stat() during reconnect Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 51/72] usb: storage: Add quirk for Samsung Fit flash Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 52/72] usb: quirks: add NO_LPM quirk for Logitech Screen Share Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 53/72] usb: core: hub: do error out if usb_autopm_get_interface() fails Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 54/72] usb: core: port: " Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 55/72] vgacon: Fix a UAF in vgacon_invert_region Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 56/72] fat: fix uninit-memory access for partial initialized inode Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 57/72] vt: selection, close sel_buffer race Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 58/72] vt: selection, push console lock down Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 59/72] vt: selection, push sel_lock up Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 60/72] dmaengine: tegra-apb: Fix use-after-free Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 61/72] dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 62/72] ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 63/72] ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 64/72] ASoC: dapm: Correct DAPM handling of active widgets during shutdown Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 65/72] RDMA/iwcm: Fix iwcm work deallocation Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 66/72] RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 67/72] ARM: imx: build v7_cpu_resume() unconditionally Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 68/72] hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 69/72] dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 70/72] powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 71/72] dm cache: fix a crash due to incorrect work item cancelling Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 4.4 72/72] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async Greg Kroah-Hartman
2020-03-10 20:07 ` [PATCH 4.4 00/72] 4.4.216-stable review Jon Hunter
2020-03-10 20:07 ` Jon Hunter
2020-03-10 21:56 ` Guenter Roeck
2020-03-10 22:01 ` shuah
2020-03-11 8:20 ` Naresh Kamboju
2020-03-11 10:27 ` Chris Paterson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200310123611.306534518@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com \
--cc=syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.