dump_common_audit_data(): fix racy accesses to ->d_name

commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream. We are not guaranteed the locking environment that would prevent dentry getting renamed right under us. And it's possible for old long name to be freed after rename, leading to UAF here. Cc: stable@kernel.org # v2.6.2+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Al Viro <viro@zeniv.linux.org.uk> 2021-01-05 14:43:46 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-19 18:22:37 +0100
commit: fda4bb55c45bd9fdf490c39c3e567f0cea931e54 (patch)
tree: c561858756f0791f8c90954d3127b54c95b02778 /security
parent: de581e41716795ce93506f3e5b0200048aa4439c (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 33028c098ef3..d6fea68d22ad 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -277,7 +277,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		struct inode *inode;
 
 		audit_log_format(ab, " name=");
+		spin_lock(&a->u.dentry->d_lock);
 		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+		spin_unlock(&a->u.dentry->d_lock);
 
 		inode = d_backing_inode(a->u.dentry);
 		if (inode) {
@@ -295,8 +297,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		dentry = d_find_alias(inode);
 		if (dentry) {
 			audit_log_format(ab, " name=");
-			audit_log_untrustedstring(ab,
-					 dentry->d_name.name);
+			spin_lock(&dentry->d_lock);
+			audit_log_untrustedstring(ab, dentry->d_name.name);
+			spin_unlock(&dentry->d_lock);
 			dput(dentry);
 		}
 		audit_log_format(ab, " dev=");
author	Al Viro <viro@zeniv.linux.org.uk>	2021-01-05 14:43:46 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-01-19 18:22:37 +0100
commit	fda4bb55c45bd9fdf490c39c3e567f0cea931e54 (patch)
tree	c561858756f0791f8c90954d3127b54c95b02778 /security
parent	de581e41716795ce93506f3e5b0200048aa4439c (diff)