On Mon, Feb 24, 2020 at 5:53 PM Paul Moore <paul(a)paul-moore.com> wrote:
This patch ensures that we always check the netlink payload length
in audit_receive_msg() before we take any action on the payload
itself.
Cc: stable(a)vger.kernel.org
Reported-by: syzbot+399c44bf1f43b8747403(a)syzkaller.appspotmail.com
Reported-by: syzbot+e4b12d8d202701f08b6d(a)syzkaller.appspotmail.com
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
kernel/audit.c | 43 +++++++++++++++++++++++--------------------
1 file changed, 23 insertions(+), 20 deletions(-)
...
diff --git a/kernel/audit.c b/kernel/audit.c
index 17b0d523afb3..6e8b176bdb68 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1314,11 +1314,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr
*nlh)
if (err)
return err;
break;
- case AUDIT_SET_FEATURE:
- err = audit_set_feature(skb);
+ case AUDIT_SET_FEATURE: {
+ if (data_len < sizeof(struct audit_features))
+ return -EINVAL;
+ err = audit_set_feature(data);
if (err)
return err;
break;
+ }
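Review bot: the braces added around the AUDIT_SET_FEATURE case body (`+ case AUDIT_SET_FEATURE: {` through `+ }`) are unnecessary, since the body declares no new locals and the neighbouring cases are written without a compound block; dropping them keeps the diff minimal and the style consistent. The `if (data_len < sizeof(struct audit_features)) return -EINVAL;` guard before `audit_set_feature(data)` is the right shape for a netlink payload check, with the caveat that `data_len` and `data` are set outside this hunk and must be derived from the netlink message length rather than from anything inside the payload for the bound to be meaningful.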
Oops, these braces are an artifact from a previous revision.
Consider them removed.
--
paul moore
www.paul-moore.com