12593 NULL ptr deref in door_upcall via auditctl setpolicy

Reviewed by: Robert Mustacchi <rm@fingolfin.org>
Approved by: Richard Lowe <richlowe@richlowe.net>

2 files changed, 15 insertions, 0 deletions

diff --git a/usr/src/uts/common/c2/audit_io.c b/usr/src/uts/common/c2/audit_io.c
index 8d109e483e..db2a4fcf45 100644
--- a/usr/src/uts/common/c2/audit_io.c
+++ b/usr/src/uts/common/c2/audit_io.c
@@ -20,6 +20,7 @@
  */
 /*
  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2020 The University of Queensland
  */
 
 /*
@@ -547,6 +548,15 @@ au_door_upcall(au_kcontext_t *kctx, au_dbuf_t *aubuf)
 
 		retry = 0;
 		mutex_enter(&(kctx->auk_svc_lock));
+		/*
+		 * Only holding auk_svc_lock prevents this from changing, so
+		 * we need to double-check that the vp isn't NULL before we
+		 * call door_upcall (which will blindly deref it).
+		 */
+		if (kctx->auk_current_vp == NULL) {
+			mutex_exit(&(kctx->auk_svc_lock));
+			return (-1);
+		}
 		rc = door_upcall(kctx->auk_current_vp, &darg, NULL,
 		    SIZE_MAX, 0);
 		if (rc != 0) {
diff --git a/usr/src/uts/common/syscall/auditsys.c b/usr/src/uts/common/syscall/auditsys.c
index d7cb94258f..8fa5428ea6 100644
--- a/usr/src/uts/common/syscall/auditsys.c
+++ b/usr/src/uts/common/syscall/auditsys.c
@@ -20,6 +20,7 @@
  */
 /*
  * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2020 The University of Queensland
  */
 
 #include <sys/systm.h>
@@ -468,6 +469,10 @@ setpolicy(caddr_t data)
 	 * segv's, the audit state may be "auditing" but the door may
 	 * be closed.  Returning an error if the door is open makes it
 	 * impossible for Greenline to restart auditd.
+	 *
+	 * Note that auk_current_vp can change (e.g. to NULL) as long as we
+	 * aren't holding auk_svc_lock -- so au_door_upcall() will eventually
+	 * double-check this condition after it takes auk_svc_lock.
 	 */
 	if (kctx->auk_current_vp != NULL)
 		(void) au_doormsg(kctx, AU_DBUF_POLICY, &policy);