On 4/20/20 5:29 PM, Paul Moore wrote:
On Mon, Apr 20, 2020 at 5:56 PM Richard Guy Briggs <rgb@redhat.com> wrote:On 2020-04-20 17:36, Paul Moore wrote:Commit 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") fixed a number of missing message length checks, but forgot to check the length of userspace generated audit records. The good news is that you need CAP_AUDIT_WRITE to submit userspace audit records, which is generally only given to trusted processes, so the impact should be limited. Cc: stable@vger.kernel.org Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com Signed-off-by: Paul Moore <paul@paul-moore.com> --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index b69c8b460341..87f31bf1f0a0 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: if (!audit_enabled && msg_type != AUDIT_USER_AVC) return 0; + /* exit early if there isn't at least one character to print */ + if (data_len < 2) + return -EINVAL;Don't we want to issue the record even if the message is empty? If a len of 1 is passed in, it will properly set str[0] = '\0' and str points to a location with a null that prints nothing between the single quotes of "msg=''". So, I think that should be "if (data_len < 1)". Am I missing something?I've got no problem with allowing an empty message so long as there is a valid use for such a message. Can anyone think of a valid reason for having an empty userspace generated record?
Not really. Using the libaudit interface(s), even if an empty message string is sent, and handled in the lib call(s), I believe it will have minimum contextual info, e.g. "exe=... hostname=... ", etc.
I can't think of a valid reason myself, assuming IIUC.
LCB
-- LC Bruzenak MagitekLTD