From: Sasha Levin Date: Tue, 3 Mar 2020 21:02:39 +0000 (-0500) Subject: fixes for 4.14 X-Git-Tag: v4.19.108~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3aff8da7ec5592289b6f04ee238f4c52ffe02bf4;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/audit-always-check-the-netlink-payload-length-in-aud.patch b/queue-4.14/audit-always-check-the-netlink-payload-length-in-aud.patch new file mode 100644 index 00000000000..dd1dc5ee004 --- /dev/null +++ b/queue-4.14/audit-always-check-the-netlink-payload-length-in-aud.patch @@ -0,0 +1,152 @@ +From 29adf14afacd25bf64595b5564fc356bc2709823 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2020 16:38:57 -0500 +Subject: audit: always check the netlink payload length in audit_receive_msg() + +From: Paul Moore + +[ Upstream commit 756125289285f6e55a03861bf4b6257aa3d19a93 ] + +This patch ensures that we always check the netlink payload length +in audit_receive_msg() before we take any action on the payload +itself. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com +Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/audit.c | 40 +++++++++++++++++++++------------------- + 1 file changed, 21 insertions(+), 19 deletions(-) + +diff --git a/kernel/audit.c b/kernel/audit.c +index d301276bca584..b21a8910f7652 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1067,13 +1067,11 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature + audit_log_end(ab); + } + +-static int audit_set_feature(struct sk_buff *skb) ++static int audit_set_feature(struct audit_features *uaf) + { +- struct audit_features *uaf; + int i; + + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); +- uaf = nlmsg_data(nlmsg_hdr(skb)); + + /* if there is ever a version 2 we should handle that here */ + +@@ -1141,6 +1139,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + { + u32 seq; + void *data; ++ int data_len; + int err; + struct audit_buffer *ab; + u16 msg_type = nlh->nlmsg_type; +@@ -1154,6 +1153,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + seq = nlh->nlmsg_seq; + data = nlmsg_data(nlh); ++ data_len = nlmsg_len(nlh); + + switch (msg_type) { + case AUDIT_GET: { +@@ -1177,7 +1177,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + struct audit_status s; + memset(&s, 0, sizeof(s)); + /* guard against past and future API changes */ +- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); ++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); + if (s.mask & AUDIT_STATUS_ENABLED) { + err = audit_set_enabled(s.enabled); + if (err < 0) +@@ -1281,7 +1281,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + return err; + break; + case AUDIT_SET_FEATURE: +- err = audit_set_feature(skb); ++ if (data_len < sizeof(struct audit_features)) ++ return -EINVAL; ++ err = audit_set_feature(data); + if (err) + return err; + break; +@@ -1293,6 +1295,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + err = audit_filter(msg_type, AUDIT_FILTER_USER); + if (err == 1) { /* match or error */ ++ char *str = data; ++ + err = 0; + if (msg_type == AUDIT_USER_TTY) { + err = tty_audit_push(); +@@ -1300,26 +1304,24 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + break; + } + audit_log_common_recv_msg(&ab, msg_type); +- if (msg_type != AUDIT_USER_TTY) ++ if (msg_type != AUDIT_USER_TTY) { ++ /* ensure NULL termination */ ++ str[data_len - 1] = '\0'; + audit_log_format(ab, " msg='%.*s'", + AUDIT_MESSAGE_TEXT_MAX, +- (char *)data); +- else { +- int size; +- ++ str); ++ } else { + audit_log_format(ab, " data="); +- size = nlmsg_len(nlh); +- if (size > 0 && +- ((unsigned char *)data)[size - 1] == '\0') +- size--; +- audit_log_n_untrustedstring(ab, data, size); ++ if (data_len > 0 && str[data_len - 1] == '\0') ++ data_len--; ++ audit_log_n_untrustedstring(ab, str, data_len); + } + audit_log_end(ab); + } + break; + case AUDIT_ADD_RULE: + case AUDIT_DEL_RULE: +- if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) ++ if (data_len < sizeof(struct audit_rule_data)) + return -EINVAL; + if (audit_enabled == AUDIT_LOCKED) { + audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); +@@ -1327,7 +1329,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + audit_log_end(ab); + return -EPERM; + } +- err = audit_rule_change(msg_type, seq, data, nlmsg_len(nlh)); ++ err = audit_rule_change(msg_type, seq, data, data_len); + break; + case AUDIT_LIST_RULES: + err = audit_list_rules_send(skb, seq); +@@ -1341,7 +1343,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + case AUDIT_MAKE_EQUIV: { + void *bufp = data; + u32 sizes[2]; +- size_t msglen = nlmsg_len(nlh); ++ size_t msglen = data_len; + char *old, *new; + + err = -EINVAL; +@@ -1417,7 +1419,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + memset(&s, 0, sizeof(s)); + /* guard against past and future API changes */ +- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); ++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); + /* check if new data is valid */ + if ((s.enabled != 0 && s.enabled != 1) || + (s.log_passwd != 0 && s.log_passwd != 1)) +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index a233d474c94..29278d31917 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -63,3 +63,4 @@ kprobes-set-unoptimized-flag-after-unoptimizing-code.patch perf-hists-browser-restore-esc-as-zoom-out-of-dso-thread-etc.patch mm-huge_memory.c-use-head-to-check-huge-zero-page.patch mm-thp-fix-defrag-setting-if-newline-is-not-used.patch +audit-always-check-the-netlink-payload-length-in-aud.patch