raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 10:00:17 +00:00
Code Issues Projects Releases Wiki Activity

dump_common_audit_data(): fix racy accesses to ->d_name

Browse Source 
commit d36a1dd9f7 upstream.

We are not guaranteed the locking environment that would prevent
dentry getting renamed right under us.  And it's possible for
old long name to be freed after rename, leading to UAF here.

Cc: stable@kernel.org # v2.6.2+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Al Viro
2021-01-05 14:43:46 -05:00
committed by Greg Kroah-Hartman
parent 09b3e0bc8e
commit a3fddad7af
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
security/lsm_audit.c
View File

@@ -278,7 +278,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
struct inode *inode; struct inode *inode;
audit_log_format(ab, " name="); audit_log_format(ab, " name=");
spin_lock(&a->u.dentry->d_lock);
audit_log_untrustedstring(ab, a->u.dentry->d_name.name); audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
spin_unlock(&a->u.dentry->d_lock);
inode = d_backing_inode(a->u.dentry); inode = d_backing_inode(a->u.dentry);
if (inode) { if (inode) {
@@ -297,8 +299,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
dentry = d_find_alias(inode); dentry = d_find_alias(inode);
if (dentry) { if (dentry) {
audit_log_format(ab, " name="); audit_log_format(ab, " name=");
audit_log_untrustedstring(ab, spin_lock(&dentry->d_lock);
dentry->d_name.name); audit_log_untrustedstring(ab, dentry->d_name.name);
spin_unlock(&dentry->d_lock);
dput(dentry); dput(dentry);
} }
audit_log_format(ab, " dev="); audit_log_format(ab, " dev=");