From 1151c7a13412daa213b2fe12f27282230a8055b6 Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Mon, 25 Jan 2021 07:16:06 +0000
Subject: [PATCH] dump_common_audit_data(): fix racy accesses to ->d_name

stable inclusion
from stable-5.10.9
commit a3fddad7af2cd1c60d1ea639a94e7d63c693cd23
bugzilla: 47457

--------------------------------

commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream.

We are not guaranteed the locking environment that would prevent dentry getting renamed right under us. And it's possible for old long name to be freed after rename, leading to UAF here.

Cc: stable@kernel.org # v2.6.2+
Signed-off-by: Al Viro
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Chen Jun
Acked-by: Xie XiuQi
---
 security/lsm_audit.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 53d0d183db8f..08d5ef49f2e4 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -278,7 +278,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 struct inode *inode;
 audit_log_format(ab, " name=");
+ spin_lock(&a->u.dentry->d_lock);
 audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+ spin_unlock(&a->u.dentry->d_lock);
 inode = d_backing_inode(a->u.dentry);
 if (inode) {
@@ -297,8 +299,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 dentry = d_find_alias(inode);
 if (dentry) {
 audit_log_format(ab, " name=");
- audit_log_untrustedstring(ab,
- dentry->d_name.name);
+ spin_lock(&dentry->d_lock);
+ audit_log_untrustedstring(ab, dentry->d_name.name);
+ spin_unlock(&dentry->d_lock);
 dput(dentry);
 }
 audit_log_format(ab, " dev=");
-- 
GitLab
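Review bot: audit_log_untrustedstring() now runs with the dentry's d_lock spinlock held (the new spin_lock/spin_unlock pair around the `a->u.dentry->d_name.name` read in the first hunk), so the audit buffer must never sleep while it grows, which is only true if `ab` was allocated with a non-sleeping mask; that allocation is outside this hunk. I believe common_lsm_audit() uses GFP_ATOMIC, in which case the pattern is sound, but the dependency deserves a comment above the lock so a future caller with a sleeping mask does not inherit a hidden sleep-in-atomic bug, e.g. `/* d_lock pins ->d_name against a concurrent rename; assumes ab was allocated GFP_ATOMIC (common_lsm_audit()), so logging under the spinlock cannot sleep — confirm before reusing */`. Alternatively a take_dentry_name_snapshot()/release_dentry_name_snapshot() pair would confine the critical section to a name copy and log outside the lock, sidestepping the question. dump_common_audit_data() begins and ends outside this hunk.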
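Review bot: The second hunk repeats the lock/log/unlock triplet the first hunk adds for `a->u.dentry`, so the rule "read ->d_name only under d_lock" now lives in two places and a third name-logging path would have to remember it again. Factoring it into a small static helper keeps the rule in one spot and makes the LSM_AUDIT_DATA_DENTRY and inode-alias cases read identically; the helper below would replace the three added lines with `audit_log_dentry_name(ab, dentry);`. dump_common_audit_data() starts and ends outside this hunk, so the helper belongs at file scope above it.
```c
/* Log dentry's current name; d_lock pins ->d_name against a concurrent rename. */
static void audit_log_dentry_name(struct audit_buffer *ab, struct dentry *dentry)
{
	spin_lock(&dentry->d_lock);
	audit_log_untrustedstring(ab, dentry->d_name.name);
	spin_unlock(&dentry->d_lock);
}

/* … unchanged: dump_common_audit_data() up to the d_find_alias() call … */
		if (dentry) {
			audit_log_format(ab, " name=");
			audit_log_dentry_name(ab, dentry);
			dput(dentry);
		}
```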