dump_common_audit_data(): fix racy accesses to ->d_name

We are not guaranteed the locking environment that would prevent dentry getting renamed right under us. And it's possible for old long name to be freed after rename, leading to UAF here. Cc: stable@kernel.org # v2.6.2+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Al Viro <viro@zeniv.linux.org.uk> 2021-01-05 14:43:46 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2021-01-16 15:11:35 -0500
commit: d36a1dd9f77ae1e72da48f4123ed35627848507d (patch)
tree: 7252b0d4174a46d062a76fea648fdde2fd992f9a
parent: a959a9782fa87669feeed095ced5d78181a7c02d (diff)
download: linux-d36a1dd9f77ae1e72da48f4123ed35627848507d.tar.bz2
1 files changed, 5 insertions, 2 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 7d8026f3f377..a0cd28cd31a8 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -275,7 +275,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		struct inode *inode;
 
 		audit_log_format(ab, " name=");
+		spin_lock(&a->u.dentry->d_lock);
 		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+		spin_unlock(&a->u.dentry->d_lock);
 
 		inode = d_backing_inode(a->u.dentry);
 		if (inode) {
@@ -293,8 +295,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		dentry = d_find_alias(inode);
 		if (dentry) {
 			audit_log_format(ab, " name=");
-			audit_log_untrustedstring(ab,
-					 dentry->d_name.name);
+			spin_lock(&dentry->d_lock);
+			audit_log_untrustedstring(ab, dentry->d_name.name);
+			spin_unlock(&dentry->d_lock);
 			dput(dentry);
 		}
 		audit_log_format(ab, " dev=");
author	Al Viro <viro@zeniv.linux.org.uk>	2021-01-05 14:43:46 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2021-01-16 15:11:35 -0500
commit	d36a1dd9f77ae1e72da48f4123ed35627848507d (patch)
tree	7252b0d4174a46d062a76fea648fdde2fd992f9a
parent	a959a9782fa87669feeed095ced5d78181a7c02d (diff)
download	linux-d36a1dd9f77ae1e72da48f4123ed35627848507d.tar.bz2