Commit 763dafc5 authored by Paul Moore's avatar Paul Moore
Browse files

audit: check the length of userspace generated audit records 



Commit 75612528 ("audit: always check the netlink payload length
in audit_receive_msg()") fixed a number of missing message length
checks, but forgot to check the length of userspace generated audit
records.  The good news is that you need CAP_AUDIT_WRITE to submit
userspace audit records, which is generally only given to trusted
processes, so the impact should be limited.

Cc: stable@vger.kernel.org
Fixes: 75612528 ("audit: always check the netlink payload length in audit_receive_msg()")
Reported-by: default avatar <syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent ae83d0b4

kernel/audit.c

+3 −0
Original line number Diff line number Diff line
@@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:

		if (!audit_enabled && msg_type != AUDIT_USER_AVC)

			return 0;

		/* exit early if there isn't at least one character to print */

		if (data_len < 2)

			return -EINVAL;



		err = audit_filter(msg_type, AUDIT_FILTER_USER);

		if (err == 1) { /* match or error */

CRA Git | Maintained and supported by SUSTech CRA and CCSE