audit: catch possible NULL audit buffers

It's possible for audit_log_start() to return NULL.  Handle it in the
various callers.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Jeff Layton <jlayton@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Julien Tinnes <jln@google.com>
Cc: Will Drewry <wad@google.com>
Cc: Steve Grubb <sgrubb@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 4 insertions, 2 deletions

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 3e46d1dec613..a371f857a0a9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1464,14 +1464,14 @@ static void show_special(struct audit_context *context, int *call_panic)
                         audit_log_end(ab);
                         ab = audit_log_start(context, GFP_KERNEL,
                                              AUDIT_IPC_SET_PERM);
+                        if (unlikely(!ab))
+                                return;
                         audit_log_format(ab,
                                 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
                                 context->ipc.qbytes,
                                 context->ipc.perm_uid,
                                 context->ipc.perm_gid,
                                 context->ipc.perm_mode);
-                        if (!ab)
-                                return;
                 }
                 break; }
         case AUDIT_MQ_OPEN: {
@@ -2720,6 +2720,8 @@ void audit_core_dumps(long signr)
                 return;
 
         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+        if (unlikely(!ab))
+                return;
         audit_log_abend(ab, "memory violation", signr);
         audit_log_end(ab);
 }