diff options
| author | Ricardo Robaina <rrobaina@redhat.com> | 2026-07-02 11:04:11 -0300 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2026-07-08 14:22:14 -0400 |
| commit | 65dfde57d1e29ce2b76fc23dd565eccd5c0bc0f0 (patch) | |
| tree | 05e6547ef53c00bab8270a177bf7129fe85c8f02 | |
| parent | c9a71daaecb2fb1d8c704545cc0b1c920b9bf5d7 (diff) | |
audit: fix potential integer overflow in audit_log_n_hex()
The function calculates new_len as len << 1 for hex encoding. This
has two overflow risks: the shift itself can overflow when len is
large, and the result can be truncated when assigned to new_len
(declared as int) from the size_t calculation.
Fix by using check_shl_overflow() to catch shift overflow and
changing new_len and loop counter i to size_t to prevent truncation.
Cc: stable@vger.kernel.org
Fixes: 168b7173959f ("AUDIT: Clean up logging of untrusted strings")
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
[PM: remove vertical whitspace noise]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | kernel/audit.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index feaa4e2271d7..562476937fa7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -62,6 +62,7 @@ #include <net/ip.h> #include <net/ipv6.h> #include <linux/sctp.h> +#include <linux/overflow.h> #include "audit.h" @@ -2080,7 +2081,8 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len) { - int i, avail, new_len; + int avail; + size_t i, new_len; unsigned char *ptr; struct sk_buff *skb; @@ -2090,7 +2092,12 @@ void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, BUG_ON(!ab->skb); skb = ab->skb; avail = skb_tailroom(skb); - new_len = len<<1; + + if (check_shl_overflow(len, 1, &new_len)) { + audit_log_format(ab, "?"); + return; + } + if (new_len >= avail) { /* Round the buffer request up to the next multiple */ new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1); |
