dump_common_audit_data(): fix racy accesses to ->d_name
We are not guaranteed a locking environment that would prevent the dentry from being renamed right under us, and it is possible for the old long name to be freed after the rename, leading to a UAF here. Cc: stable@kernel.org # v2.6.2+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent
a959a9782f
commit
d36a1dd9f7
@ -275,7 +275,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
|
||||||
struct inode *inode;
|
struct inode *inode;
|
||||||
|
|
||||||
audit_log_format(ab, " name=");
|
audit_log_format(ab, " name=");
|
||||||
|
spin_lock(&a->u.dentry->d_lock);
|
||||||
audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
|
audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
|
||||||
|
spin_unlock(&a->u.dentry->d_lock);
|
||||||
|
|
||||||
inode = d_backing_inode(a->u.dentry);
|
inode = d_backing_inode(a->u.dentry);
|
||||||
if (inode) {
|
if (inode) {
|
||||||
|
@ -293,8 +295,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
|
||||||
dentry = d_find_alias(inode);
|
dentry = d_find_alias(inode);
|
||||||
if (dentry) {
|
if (dentry) {
|
||||||
audit_log_format(ab, " name=");
|
audit_log_format(ab, " name=");
|
||||||
audit_log_untrustedstring(ab,
|
spin_lock(&dentry->d_lock);
|
||||||
dentry->d_name.name);
|
audit_log_untrustedstring(ab, dentry->d_name.name);
|
||||||
|
spin_unlock(&dentry->d_lock);
|
||||||
dput(dentry);
|
dput(dentry);
|
||||||
}
|
}
|
||||||
audit_log_format(ab, " dev=");
|
audit_log_format(ab, " dev=");
|
||||||
|
|
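Review bot: Both hunks now call audit_log_untrustedstring() with d_lock held (the new spin_lock()/spin_unlock() pairs around the a->u.dentry case and the d_find_alias() case), which puts the audit buffer's string escaping and any tailroom growth under a spinlock. That is only safe if the audit buffer was started with an atomic gfp mask, which cannot be seen from this hunk; it is worth confirming at the audit_log_start() call in the caller and recording the dependency with a comment such as `/* d_lock held across logging: audit buffer must be GFP_ATOMIC */`. An alternative that keeps the lock hold to a memcpy is take_dentry_name_snapshot()/release_dentry_name_snapshot(), copying the name under d_lock and logging it unlocked; the snapshot's field layout varies by kernel version, so the exact lines are not spelled out here. dump_common_audit_data() starts and ends outside both hunks.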