summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2021-01-05 14:43:46 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2021-01-19 18:26:16 +0100
commit08eb8a735c113ff945a6f08c569b99dae3543a92 (patch)
tree8897ba435d006de43d7c21f4aae16b52d93b26d1 /security
parentd443cefd9f733b037f3b82424823ba993a87062c (diff)
dump_common_audit_data(): fix racy accesses to ->d_name
commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream. We are not guaranteed the locking environment that would prevent dentry getting renamed right under us. And it's possible for old long name to be freed after rename, leading to UAF here. Cc: stable@kernel.org # v2.6.2+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
-rw-r--r--security/lsm_audit.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index e40874373f2b..d025f575a9e3 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -274,7 +274,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
struct inode *inode;
audit_log_format(ab, " name=");
+ spin_lock(&a->u.dentry->d_lock);
audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+ spin_unlock(&a->u.dentry->d_lock);
inode = d_backing_inode(a->u.dentry);
if (inode) {
@@ -292,8 +294,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
dentry = d_find_alias(inode);
if (dentry) {
audit_log_format(ab, " name=");
- audit_log_untrustedstring(ab,
- dentry->d_name.name);
+ spin_lock(&dentry->d_lock);
+ audit_log_untrustedstring(ab, dentry->d_name.name);
+ spin_unlock(&dentry->d_lock);
dput(dentry);
}
audit_log_format(ab, " dev=");