dump_common_audit_data(): fix racy accesses to ->d_name

commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream. We are not guaranteed the locking environment that would prevent dentry getting renamed right under us. And it's possible for old long name to be freed after rename, leading to UAF here. Cc: stable@kernel.org # v2.6.2+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Al Viro <viro@zeniv.linux.org.uk> 2021-01-05 14:43:46 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-19 18:26:16 +0100
commit: 08eb8a735c113ff945a6f08c569b99dae3543a92 (patch)
tree: 8897ba435d006de43d7c21f4aae16b52d93b26d1 /security
parent: d443cefd9f733b037f3b82424823ba993a87062c (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index e40874373f2b..d025f575a9e3 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -274,7 +274,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		struct inode *inode;
 
 		audit_log_format(ab, " name=");
+		spin_lock(&a->u.dentry->d_lock);
 		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+		spin_unlock(&a->u.dentry->d_lock);
 
 		inode = d_backing_inode(a->u.dentry);
 		if (inode) {
@@ -292,8 +294,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		dentry = d_find_alias(inode);
 		if (dentry) {
 			audit_log_format(ab, " name=");
-			audit_log_untrustedstring(ab,
-					 dentry->d_name.name);
+			spin_lock(&dentry->d_lock);
+			audit_log_untrustedstring(ab, dentry->d_name.name);
+			spin_unlock(&dentry->d_lock);
 			dput(dentry);
 		}
 		audit_log_format(ab, " dev=");
author	Al Viro <viro@zeniv.linux.org.uk>	2021-01-05 14:43:46 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-01-19 18:26:16 +0100
commit	08eb8a735c113ff945a6f08c569b99dae3543a92 (patch)
tree	8897ba435d006de43d7c21f4aae16b52d93b26d1 /security
parent	d443cefd9f733b037f3b82424823ba993a87062c (diff)