audit: check the length of userspace generated audit records
Commit7561252892
("audit: always check the netlink payload length in audit_receive_msg()") fixed a number of missing message length checks, but forgot to check the length of userspace generated audit records. The good news is that you need CAP_AUDIT_WRITE to submit userspace audit records, which is generally only given to trusted processes, so the impact should be limited. Cc: stable@vger.kernel.org Fixes:7561252892
("audit: always check the netlink payload length in audit_receive_msg()") Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
ae83d0b416
commit
763dafc520
|
@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
|
||||||
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
|
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
|
||||||
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
|
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
|
||||||
return 0;
|
return 0;
|
||||||
|
/* exit early if there isn't at least one character to print */
|
||||||
|
if (data_len < 2)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
err = audit_filter(msg_type, AUDIT_FILTER_USER);
|
err = audit_filter(msg_type, AUDIT_FILTER_USER);
|
||||||
if (err == 1) { /* match or error */
|
if (err == 1) { /* match or error */
|
||||||
|
|
Loading…
Reference in New Issue