dump_common_audit_data(): fix racy accesses to ->d_name

commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream. We are not guaranteed the locking environment that would prevent dentry getting renamed right under us. And it's possible for old long name to be freed after rename, leading to UAF here. Cc: stable@kernel.org # v2.6.2+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Al Viro <viro@zeniv.linux.org.uk> 2021-01-05 14:43:46 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-23 15:38:17 +0100
commit: e8fbf0682f0cbf889822237e57a77be9bfb7ee92 (patch)
tree: ba8c2be2983c37834b54fcdc1d91b07061c3aa1d /security
parent: c46c4af7a12ad509a0cb69ae70bcb8341c3eb98a (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 44a20c218409..cc4000dba600 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -277,7 +277,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		struct inode *inode;
 
 		audit_log_format(ab, " name=");
+		spin_lock(&a->u.dentry->d_lock);
 		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+		spin_unlock(&a->u.dentry->d_lock);
 
 		inode = d_backing_inode(a->u.dentry);
 		if (inode) {
@@ -295,8 +297,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		dentry = d_find_alias(inode);
 		if (dentry) {
 			audit_log_format(ab, " name=");
-			audit_log_untrustedstring(ab,
-					 dentry->d_name.name);
+			spin_lock(&dentry->d_lock);
+			audit_log_untrustedstring(ab, dentry->d_name.name);
+			spin_unlock(&dentry->d_lock);
 			dput(dentry);
 		}
 		audit_log_format(ab, " dev=");
author	Al Viro <viro@zeniv.linux.org.uk>	2021-01-05 14:43:46 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-01-23 15:38:17 +0100
commit	e8fbf0682f0cbf889822237e57a77be9bfb7ee92 (patch)
tree	ba8c2be2983c37834b54fcdc1d91b07061c3aa1d /security
parent	c46c4af7a12ad509a0cb69ae70bcb8341c3eb98a (diff)