dump_common_audit_data(): fix racy accesses to ->d_name

commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream. We are not guaranteed the locking environment that would prevent dentry getting renamed right under us. And it's possible for old long name to be freed after rename, leading to UAF here. Cc: stable@kernel.org # v2.6.2+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Al Viro <viro@zeniv.linux.org.uk> 2021-01-05 14:43:46 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-23 15:36:55 +0100
commit: b1de083b11f86b2e77ca8d28580730c7974c059b (patch)
tree: 9d0dec3525136d7bb0d2bb7ee25abf4c39c9f0d0 /security
parent: 0cd7ca78a35976956292daf32bf7831e6c18753d (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 331fd3bd0f39..d4f9e2b69caa 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -264,7 +264,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		struct inode *inode;
 
 		audit_log_format(ab, " name=");
+		spin_lock(&a->u.dentry->d_lock);
 		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+		spin_unlock(&a->u.dentry->d_lock);
 
 		inode = d_backing_inode(a->u.dentry);
 		if (inode) {
@@ -282,8 +284,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		dentry = d_find_alias(inode);
 		if (dentry) {
 			audit_log_format(ab, " name=");
-			audit_log_untrustedstring(ab,
-					 dentry->d_name.name);
+			spin_lock(&dentry->d_lock);
+			audit_log_untrustedstring(ab, dentry->d_name.name);
+			spin_unlock(&dentry->d_lock);
 			dput(dentry);
 		}
 		audit_log_format(ab, " dev=");
author	Al Viro <viro@zeniv.linux.org.uk>	2021-01-05 14:43:46 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-01-23 15:36:55 +0100
commit	b1de083b11f86b2e77ca8d28580730c7974c059b (patch)
tree	9d0dec3525136d7bb0d2bb7ee25abf4c39c9f0d0 /security
parent	0cd7ca78a35976956292daf32bf7831e6c18753d (diff)