From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com, syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com, Paul Moore
Subject: [PATCH 5.4 072/152] audit: always check the netlink payload length in audit_receive_msg()
Date: Tue, 3 Mar 2020 18:42:50 +0100
Message-Id: <20200303174310.652084222@linuxfoundation.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200303174302.523080016@linuxfoundation.org>
References: <20200303174302.523080016@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Paul Moore

commit 756125289285f6e55a03861bf4b6257aa3d19a93 upstream.

This patch ensures that we always check the netlink payload length in audit_receive_msg() before we take any action on the payload itself.

Cc: stable@vger.kernel.org
Reported-by: syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com
Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman
---
 kernel/audit.c | 40 +++++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 19 deletions(-)

--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1100,13 +1100,11 @@ static void audit_log_feature_change(int audit_log_end(ab); } -static int audit_set_feature(struct sk_buff *skb) +static int audit_set_feature(struct audit_features *uaf) { - struct audit_features *uaf; int i; BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); - uaf = nlmsg_data(nlmsg_hdr(skb)); /* if there is ever a version 2 we should handle that here */ @@ -1174,6 +1172,7 @@ static int audit_receive_msg(struct sk_b { u32 seq; void *data; + int data_len; int err; struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type;
@@ -1187,6 +1186,7 @@ static int audit_receive_msg(struct sk_b seq = nlh->nlmsg_seq; data = nlmsg_data(nlh); + data_len = nlmsg_len(nlh); switch (msg_type) { case AUDIT_GET: { @@ -1210,7 +1210,7 @@ static int audit_receive_msg(struct sk_b struct audit_status s; memset(&s, 0, sizeof(s)); /* guard against past and future API changes */ - memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); + memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); if (s.mask & AUDIT_STATUS_ENABLED) { err = audit_set_enabled(s.enabled); if (err < 0) @@ -1314,7 +1314,9 @@ static int audit_receive_msg(struct sk_b return err; break; case AUDIT_SET_FEATURE: - err = audit_set_feature(skb); + if (data_len < sizeof(struct audit_features)) + return -EINVAL; + err = audit_set_feature(data); if (err) return err; break; @@ -1326,6 +1328,8 @@ static int audit_receive_msg(struct sk_b err = audit_filter(msg_type, AUDIT_FILTER_USER); if (err == 1) { /* match or error */ + char *str = data; + err = 0; if (msg_type == AUDIT_USER_TTY) { err = tty_audit_push(); @@ -1333,26 +1337,24 @@ static int audit_receive_msg(struct sk_b break; } audit_log_user_recv_msg(&ab, msg_type); - if (msg_type != AUDIT_USER_TTY) + if (msg_type != AUDIT_USER_TTY) { + /* ensure NULL termination */ + str[data_len - 1] = '\0'; audit_log_format(ab, " msg='%.*s'", AUDIT_MESSAGE_TEXT_MAX, - (char *)data); - else { - int size; - + str); + } else { audit_log_format(ab, " data="); - size = nlmsg_len(nlh); - if (size > 0 && - ((unsigned char *)data)[size - 1] == '\0') - size--; - audit_log_n_untrustedstring(ab, data, size); + if (data_len > 0 && str[data_len - 1] == '\0') + data_len--; + audit_log_n_untrustedstring(ab, str, data_len); } audit_log_end(ab); } break; case AUDIT_ADD_RULE: case AUDIT_DEL_RULE: - if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) + if (data_len < sizeof(struct audit_rule_data)) return -EINVAL; if (audit_enabled == AUDIT_LOCKED) { audit_log_common_recv_msg(audit_context(), &ab, 
@@ -1364,7 +1366,7 @@ static int audit_receive_msg(struct sk_b audit_log_end(ab); return -EPERM; } - err = audit_rule_change(msg_type, seq, data, nlmsg_len(nlh)); + err = audit_rule_change(msg_type, seq, data, data_len); break; case AUDIT_LIST_RULES: err = audit_list_rules_send(skb, seq); @@ -1379,7 +1381,7 @@ static int audit_receive_msg(struct sk_b case AUDIT_MAKE_EQUIV: { void *bufp = data; u32 sizes[2]; - size_t msglen = nlmsg_len(nlh); + size_t msglen = data_len; char *old, *new; err = -EINVAL; @@ -1455,7 +1457,7 @@ static int audit_receive_msg(struct sk_b memset(&s, 0, sizeof(s)); /* guard against past and future API changes */ - memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); + memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); /* check if new data is valid */ if ((s.enabled != 0 && s.enabled != 1) || (s.log_passwd != 0 && s.log_passwd != 1))
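Review bot: in the first hunk, audit_set_feature() now takes `struct audit_features *uaf` directly and has lost the only thing it could have sized the payload by (the skb), so its correctness rests entirely on the `if (data_len < sizeof(struct audit_features)) return -EINVAL;` that the AUDIT_SET_FEATURE hunk adds at the single call site. A one-line comment above the function stating that the caller must have validated the payload length would keep a future second caller from passing an unchecked pointer.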
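Review bot: `if (data_len < sizeof(struct audit_features))` in the AUDIT_SET_FEATURE hunk, and `if (data_len < sizeof(struct audit_rule_data))` in the AUDIT_ADD_RULE/AUDIT_DEL_RULE hunk, compare the newly added `int data_len` with a `size_t`, so a negative value would be converted to a huge unsigned one and pass the check; `size_t msglen = data_len;` in AUDIT_MAKE_EQUIV has the same conversion. The value comes from `nlmsg_len(nlh)` and is non-negative once the caller has validated the header, but since the stated goal is to make the length check unconditional, either declaring `data_len` as `u32`/`size_t` or adding `if (data_len < 0) return -EINVAL;` right after `data_len = nlmsg_len(nlh);` would make the invariant explicit at the point of use and avoid -Wsign-compare noise.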
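Review bot: in the user-message hunk, `str[data_len - 1] = '\0';` in the non-TTY branch has no guard for `data_len == 0`, whereas the AUDIT_USER_TTY branch right below it does check `data_len > 0` before reading `str[data_len - 1]`. A user message carrying an empty netlink payload therefore writes a NUL one byte before the payload, which is the last byte of the netlink header. Suggest rejecting empty user messages before the `audit_filter()` call, e.g. `if (data_len < 1) return -EINVAL;`, or guarding the write the same way the TTY branch guards its read. Also worth a comment: the write unconditionally overwrites the last payload byte, so a sender that omits the terminator loses its final character rather than having the text truncated at AUDIT_MESSAGE_TEXT_MAX.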
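The length discipline the commit message describes, that is, compute the netlink payload length once and check it per message type before touching the payload, modelled in user space as an added example. This is not code from kernel/audit.c or from the patch author. Assumptions: `struct nlhdr` and `struct audit_features_model` mirror the layouts of `struct nlmsghdr` and `struct audit_features`, the type constants carry the values from <linux/audit.h>, all messages are constructed in `run_case()`, and the up-front rejection of an empty user message (the `data_len == 0` case) is this example's own choice rather than something the patch adds.

```c
/* Added example (not from kernel/audit.c): a user-space model of the
 * payload-length checks the patch adds to audit_receive_msg(). The header
 * layout and type values mirror <linux/netlink.h> and <linux/audit.h> but are
 * defined inline so it builds without kernel headers; every message is
 * constructed in run_case() and is not captured traffic. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct nlmsghdr: 16 bytes, payload follows immediately. */
struct nlhdr {
    uint32_t nlmsg_len;             /* header plus payload, in bytes */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};
#define NLHDR_LEN ((int)sizeof(struct nlhdr))

#define AUDIT_SET_FEATURE    1018   /* values as in <linux/audit.h> */
#define AUDIT_FIRST_USER_MSG 1100
#define AUDIT_LAST_USER_MSG  1199
#define AUDIT_USER_TTY       1124

/* Same shape as struct audit_features: a 16-byte fixed-size payload. */
struct audit_features_model { uint32_t vers, mask, features, lock; };
static const struct audit_features_model kFeat = { 1, 0, 0, 0 };

static char g_out[64];              /* text taken from the last user message */
const char *last_text(void) { return g_out; }

/* The dispatch pattern from the patch: compute data_len once, then check it
 * per message type before touching the payload. Returns 0 or -EINVAL. */
int receive_msg(const uint8_t *buf, size_t buflen)
{
    struct nlhdr h;
    const uint8_t *data;
    int data_len;
    size_t n, i;

    /* what nlmsg_ok() guarantees before audit_receive_msg() is called */
    if (buflen < sizeof h)
        return -EINVAL;
    memcpy(&h, buf, sizeof h);      /* no unaligned access through a cast */
    if (h.nlmsg_len < sizeof h || h.nlmsg_len > buflen)
        return -EINVAL;
    data = buf + NLHDR_LEN;                     /* nlmsg_data(nlh) */
    data_len = (int)h.nlmsg_len - NLHDR_LEN;    /* nlmsg_len(nlh) */

    if (h.nlmsg_type == AUDIT_SET_FEATURE) {
        /* fixed-size payload: anything shorter than the struct is rejected */
        return data_len < (int)sizeof(struct audit_features_model) ? -EINVAL : 0;
    }
    if (h.nlmsg_type < AUDIT_FIRST_USER_MSG || h.nlmsg_type > AUDIT_LAST_USER_MSG)
        return -EINVAL;             /* other types are out of scope here */

    /* The patch writes str[data_len - 1] = '\0'; with data_len == 0 that byte
     * lies before the payload, so this model refuses empty user messages. */
    if (data_len < 1)
        return -EINVAL;
    n = (size_t)data_len;
    if (h.nlmsg_type != AUDIT_USER_TTY) {
        /* unterminated text: stop at the first NUL or at the payload end */
        for (i = 0; i < n && data[i] != '\0'; i++)
            ;
        n = i;
    } else if (data[n - 1] == '\0') {
        n--;                        /* TTY data: drop an existing terminator */
    }
    if (n >= sizeof g_out)
        n = sizeof g_out - 1;
    memcpy(g_out, data, n);
    g_out[n] = '\0';
    return 0;
}

/* Build one message and feed it to receive_msg(); `drop` bytes are withheld
 * from buflen to simulate a header that overstates what was received. */
int run_case(uint16_t type, const void *payload, uint32_t plen, size_t drop)
{
    uint8_t buf[128];
    struct nlhdr h = { NLHDR_LEN + plen, type, 0, 1, 0 };
    if (plen > sizeof buf - sizeof h)
        return -EINVAL;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + NLHDR_LEN, payload, plen);
    return receive_msg(buf, sizeof h + plen - drop);
}

int main(void)
{
    printf("feature, 16-byte payload: %d\n", run_case(AUDIT_SET_FEATURE, &kFeat, sizeof kFeat, 0));
    printf("feature, 8-byte payload:  %d\n", run_case(AUDIT_SET_FEATURE, &kFeat, 8, 0));
    printf("user msg, empty payload:  %d\n", run_case(AUDIT_FIRST_USER_MSG, "", 0, 0));
    printf("user msg, no terminator:  %d '%s'\n", run_case(AUDIT_FIRST_USER_MSG, "hello", 5, 0), last_text());
    printf("tty msg, terminated:      %d '%s'\n", run_case(AUDIT_USER_TTY, "abc", 4, 0), last_text());
    printf("header overstates length: %d\n", run_case(AUDIT_FIRST_USER_MSG, "hello", 5, 2));
    return 0;
}
```

Build with `cc -Wall -Wextra example.c`. The short AUDIT_SET_FEATURE payload and the header that claims more bytes than were received both fail before the payload is read, which is the property the patch is after; the empty user message is the one case the patch's `str[data_len - 1] = '\0'` does not cover, and the model rejects it rather than writing before the payload.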