On Jul  2, 2026 Ricardo Robaina <[email protected]> wrote:
> 
> The function calculates new_len as len << 1 for hex encoding. This
> has two overflow risks: the shift itself can overflow when len is
> large, and the result can be truncated when assigned to new_len
> (declared as int) from the size_t calculation.
> 
> Fix by using check_shl_overflow() to catch shift overflow and
> changing new_len and loop counter i to size_t to prevent truncation.
> 
> Fixes: 168b7173959f ("AUDIT: Clean up logging of untrusted strings")
> Reviewed-by: Richard Guy Briggs <[email protected]>
> Signed-off-by: Ricardo Robaina <[email protected]>
> ---
> Changes in v2:
> - Use check_shl_overflow() instead of manual overflow check.
> Changes in v3:
> - Log "?" before returning when overflow detected.
> 
>  kernel/audit.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index e1d489bc2dff..52eb3b511bad 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -62,6 +62,7 @@
>  #include <net/ip.h>
>  #include <net/ipv6.h>
>  #include <linux/sctp.h>
> +#include <linux/overflow.h>
>  
>  #include "audit.h"
>  
> @@ -2076,7 +2077,8 @@ void audit_log_format(struct audit_buffer *ab, const 
> char *fmt, ...)
>  void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
>               size_t len)
>  {
> -     int i, avail, new_len;
> +     int avail;
> +     size_t i, new_len;
>       unsigned char *ptr;
>       struct sk_buff *skb;
>  
> @@ -2084,9 +2086,15 @@ void audit_log_n_hex(struct audit_buffer *ab, const 
> unsigned char *buf,
>               return;
>  
>       BUG_ON(!ab->skb);
> +

I removed this added vertical whitespace as it wasn't really necessary
and could potentially impact anyone who wants to backport this patch.
Otherwise this looks good to me, so I'm going to mark it for stable and
merge it via audit/stable-7.2.

Thanks!

>       skb = ab->skb;
>       avail = skb_tailroom(skb);
> -     new_len = len<<1;
> +
> +     if (check_shl_overflow(len, 1, &new_len)) {
> +             audit_log_format(ab, "?");
> +             return;
> +     }
> +
>       if (new_len >= avail) {
>               /* Round the buffer request up to the next multiple */
>               new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
> -- 
> 2.53.0

--
paul-moore.com

Reply via email to