diff options
| author | Greg Kroah-Hartman <gregkh@google.com> | 2020-03-11 08:15:49 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@google.com> | 2020-03-11 08:15:49 +0100 |
| commit | 2cb6859a7504bbed6640ab3fd5f56729ff1e4b41 (patch) | |
| tree | e29757585915fba3b28bdd4df7f08f9927f652cf /kernel/audit.c | |
| parent | 4db1ebdd40ec0b6ee8fb5744b20274a37aea267d (diff) | |
| parent | 6fd21f1d7907d9cfcd406bc64935aa00fa100b66 (diff) | |
Merge 4.4.216 into android-4.4-p
Changes in 4.4.216
iwlwifi: pcie: fix rb_allocator workqueue allocation
ext4: fix potential race between online resizing and write operations
ext4: fix potential race between s_flex_groups online resizing and access
ext4: fix potential race between s_group_info online resizing and access
ipmi:ssif: Handle a possible NULL pointer reference
mac80211: consider more elements in parsing CRC
cfg80211: check wiphy driver existence for drvinfo report
cifs: Fix mode output in debugging statements
cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
sysrq: Restore original console_loglevel when sysrq disabled
sysrq: Remove duplicated sysrq message
net: fib_rules: Correctly set table field when table number exceeds 8 bits
net: phy: restore mdio regs in the iproc mdio driver
ipv6: Fix nlmsg_flags when splitting a multipath route
ipv6: Fix route replacement with dev-only route
sctp: move the format error check out of __sctp_sf_do_9_1_abort
nfc: pn544: Fix occasional HW initialization failure
net: sched: correct flower port blocking
ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
audit: fix error handling in audit_data_to_entry()
HID: core: fix off-by-one memset in hid_report_raw_event()
HID: core: increase HID report buffer size to 8KiB
HID: hiddev: Fix race in in hiddev_disconnect()
MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
i2c: jz4780: silence log flood on txabrt
ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66
include/linux/bitops.h: introduce BITS_PER_TYPE
net: netlink: cap max groups which will be considered in netlink_bind()
namei: only return -ECHILD from follow_dotdot_rcu()
KVM: Check for a bad hva before dropping into the ghc slow path
slip: stop double free sl->dev in slip_open
mm: make page ref count overflow check tighter and more explicit
mm: add 'try_get_page()' helper function
mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
mm, gup: ensure real head page is ref-counted when using hugepages
mm: prevent get_user_pages() from overflowing page refcount
pipe: add pipe_buf_get() helper
fs: prevent page refcount overflow in pipe_buf_get
audit: always check the netlink payload length in audit_receive_msg()
serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
usb: gadget: serial: fix Tx stall after buffer overflow
drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
drm/msm/dsi: save pll state before dsi host is powered off
net: ks8851-ml: Remove 8-bit bus accessors
net: ks8851-ml: Fix 16-bit data access
net: ks8851-ml: Fix 16-bit IO operation
watchdog: da9062: do not ping the hw during stop()
s390/cio: cio_ignore_proc_seq_next should increase position index
cifs: don't leak -EAGAIN for stat() during reconnect
usb: storage: Add quirk for Samsung Fit flash
usb: quirks: add NO_LPM quirk for Logitech Screen Share
usb: core: hub: do error out if usb_autopm_get_interface() fails
usb: core: port: do error out if usb_autopm_get_interface() fails
vgacon: Fix a UAF in vgacon_invert_region
fat: fix uninit-memory access for partial initialized inode
vt: selection, close sel_buffer race
vt: selection, push console lock down
vt: selection, push sel_lock up
dmaengine: tegra-apb: Fix use-after-free
dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
ASoC: dapm: Correct DAPM handling of active widgets during shutdown
RDMA/iwcm: Fix iwcm work deallocation
RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
ARM: imx: build v7_cpu_resume() unconditionally
hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
dm cache: fix a crash due to incorrect work item cancelling
crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
Linux 4.4.216
Change-Id: I9b747fb2a39b1137ee4ec9c5bb2c1aac2419e97b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'kernel/audit.c')
| -rw-r--r-- | kernel/audit.c | 40 |
1 files changed, 21 insertions, 19 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index d440c25cb3be..128da86f1431 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -753,13 +753,11 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature audit_log_end(ab); } -static int audit_set_feature(struct sk_buff *skb) +static int audit_set_feature(struct audit_features *uaf) { - struct audit_features *uaf; int i; BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); - uaf = nlmsg_data(nlmsg_hdr(skb)); /* if there is ever a version 2 we should handle that here */ @@ -815,6 +813,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { u32 seq; void *data; + int data_len; int err; struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; @@ -838,6 +837,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } seq = nlh->nlmsg_seq; data = nlmsg_data(nlh); + data_len = nlmsg_len(nlh); switch (msg_type) { case AUDIT_GET: { @@ -859,7 +859,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_status s; memset(&s, 0, sizeof(s)); /* guard against past and future API changes */ - memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); + memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); if (s.mask & AUDIT_STATUS_ENABLED) { err = audit_set_enabled(s.enabled); if (err < 0) @@ -914,7 +914,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) return err; break; case AUDIT_SET_FEATURE: - err = audit_set_feature(skb); + if (data_len < sizeof(struct audit_features)) + return -EINVAL; + err = audit_set_feature(data); if (err) return err; break; @@ -926,6 +928,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) err = audit_filter_user(msg_type); if (err == 1) { /* match or error */ + char *str = data; + err = 0; if (msg_type == AUDIT_USER_TTY) { err = tty_audit_push_current(); @@ -934,19 +938,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } mutex_unlock(&audit_cmd_mutex); audit_log_common_recv_msg(&ab, msg_type); - if (msg_type != AUDIT_USER_TTY) + if (msg_type != AUDIT_USER_TTY) { + /* ensure NULL termination */ + str[data_len - 1] = '\0'; audit_log_format(ab, " msg='%.*s'", AUDIT_MESSAGE_TEXT_MAX, - (char *)data); - else { - int size; - + str); + } else { audit_log_format(ab, " data="); - size = nlmsg_len(nlh); - if (size > 0 && - ((unsigned char *)data)[size - 1] == '\0') - size--; - audit_log_n_untrustedstring(ab, data, size); + if (data_len > 0 && str[data_len - 1] == '\0') + data_len--; + audit_log_n_untrustedstring(ab, str, data_len); } audit_set_portid(ab, NETLINK_CB(skb).portid); audit_log_end(ab); @@ -955,7 +957,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) break; case AUDIT_ADD_RULE: case AUDIT_DEL_RULE: - if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) + if (data_len < sizeof(struct audit_rule_data)) return -EINVAL; if (audit_enabled == AUDIT_LOCKED) { audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); @@ -964,7 +966,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) return -EPERM; } err = audit_rule_change(msg_type, NETLINK_CB(skb).portid, - seq, data, nlmsg_len(nlh)); + seq, data, data_len); break; case AUDIT_LIST_RULES: err = audit_list_rules_send(skb, seq); @@ -978,7 +980,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_MAKE_EQUIV: { void *bufp = data; u32 sizes[2]; - size_t msglen = nlmsg_len(nlh); + size_t msglen = data_len; char *old, *new; err = -EINVAL; @@ -1055,7 +1057,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) memset(&s, 0, sizeof(s)); /* guard against past and future API changes */ - memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); + memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); /* check if new data is valid */ if ((s.enabled != 0 && s.enabled != 1) || (s.log_passwd != 0 && s.log_passwd != 1)) |