audit: check the length of userspace generated audit records

Commit 7561252 ("audit: always check the netlink payload length in audit_receive_msg()") fixed a number of missing message length checks, but forgot to check the length of userspace generated audit records. The good news is that you need CAP_AUDIT_WRITE to submit userspace audit records, which is generally only given to trusted processes, so the impact should be limited. Cc: [email protected] Fixes: 7561252 ("audit: always check the netlink payload length in audit_receive_msg()") Reported-by: [email protected] Signed-off-by: Paul Moore <[email protected]>
wafgo · Apr 20, 2020 · 763dafc · 763dafc
1 parent ae83d0b
commit 763dafc
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/kernel/audit.c b/kernel/audit.c
@@ -1326,6 +1326,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
 		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
 			return 0;
+		/* exit early if there isn't at least one character to print */
+		if (data_len < 2)
+			return -EINVAL;
 
 		err = audit_filter(msg_type, AUDIT_FILTER_USER);
 		if (err == 1) { /* match or error */