Commit d36a1dd9 authored by Al Viro

dump_common_audit_data(): fix racy accesses to ->d_name



We are not guaranteed the locking environment that would prevent
dentry getting renamed right under us.  And it's possible for
old long name to be freed after rename, leading to UAF here.

Cc: stable@kernel.org # v2.6.2+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent a959a978
+5 −2
@@ -275,7 +275,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
		struct inode *inode;

		audit_log_format(ab, " name=");
		spin_lock(&a->u.dentry->d_lock);
		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
		spin_unlock(&a->u.dentry->d_lock);

		inode = d_backing_inode(a->u.dentry);
		if (inode) {
@@ -293,8 +295,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
		dentry = d_find_alias(inode);
		if (dentry) {
			audit_log_format(ab, " name=");
			audit_log_untrustedstring(ab,
					 dentry->d_name.name);
			spin_lock(&dentry->d_lock);
			audit_log_untrustedstring(ab, dentry->d_name.name);
			spin_unlock(&dentry->d_lock);
			dput(dentry);
		}
		audit_log_format(ab, " dev=");
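Review bot: The new spin_lock(&a->u.dentry->d_lock) / spin_unlock pairs in both hunks carry no comment saying why the lock is needed, so a later cleanup could easily drop them as "unnecessary locking around a read"; I would add, above the first spin_lock in each hunk, `/* d_lock pins d_name: a concurrent rename may swap it and free the old long name */`. Holding d_lock also means audit_log_untrustedstring, and any buffer growth it triggers, now runs in atomic context, which is only safe if the audit_buffer was allocated with an atomic gfp mask; that allocation is outside this hunk, so worth confirming in the caller. dump_common_audit_data itself starts before the first hunk and continues after the second.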