dump_common_audit_data(): fix racy accesses to ->d_name

We are not guaranteed the locking environment that would prevent
the dentry getting renamed right under us.  And it's possible for
the old long name to be freed after the rename, leading to a UAF here.

Cc: stable@kernel.org # v2.6.2+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro 2021-01-05 14:43:46 -05:00
parent a959a9782f
commit d36a1dd9f7
1 changed files with 5 additions and 2 deletions


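--- a/<PATH_NOT_SHOWN>
+++ b/<PATH_NOT_SHOWN>
@@ -275,7 +275,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 struct inode *inode;
 audit_log_format(ab, " name=");
+spin_lock(&a->u.dentry->d_lock);
 audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+spin_unlock(&a->u.dentry->d_lock);
 inode = d_backing_inode(a->u.dentry);
 if (inode) {
@@ -293,8 +295,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 dentry = d_find_alias(inode);
 if (dentry) {
 audit_log_format(ab, " name=");
-audit_log_untrustedstring(ab,
-dentry->d_name.name);
+spin_lock(&dentry->d_lock);
+audit_log_untrustedstring(ab, dentry->d_name.name);
+spin_unlock(&dentry->d_lock);
 dput(dentry);
 }
 audit_log_format(ab, " dev=");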
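Review bot: Both hunks now call audit_log_untrustedstring() with d_lock (a spinlock) held, and that helper may need to grow the audit buffer; this is only safe if the audit_buffer was allocated with an atomic gfp mask, which this hunk does not show, so it is worth confirming at the call site that creates `ab` (the same applies to the second hunk at the d_find_alias() path). If a sleeping allocation is possible there, copying the name out under the lock first, or using take_dentry_name_snapshot()/release_dentry_name_snapshot() on kernels that have it, avoids logging under the spinlock entirely. The reason for the lock is not stated in the code; a one-line comment on the first spin_lock() would help the next reader, e.g. `/* d_lock keeps d_name stable against a concurrent rename, which may free the old long name */`. dump_common_audit_data() starts before the first hunk and continues after the last line shown here.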