dump_common_audit_data(): fix racy accesses to ->d_name

commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream. We are not guaranteed the locking environment that would prevent dentry getting renamed right under us. And it's possible for old long name to be freed after rename, leading to UAF here. Cc: stable@kernel.org # v2.6.2+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Al Viro <viro@zeniv.linux.org.uk> 2021-01-05 14:43:46 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-23 15:48:43 +0100
commit: 2f121a8d64753b3a2d51a97e9c345668feff76f8 (patch)
tree: 0d1a3402b7f05e2221cf247d62b06e73786ccd92 /security
parent: 00b646138a9a0771c8806f1c61a8d5c58d53bade (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 3a8916aa73c4..30f4a9317453 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -277,7 +277,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		struct inode *inode;
 
 		audit_log_format(ab, " name=");
+		spin_lock(&a->u.dentry->d_lock);
 		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+		spin_unlock(&a->u.dentry->d_lock);
 
 		inode = d_backing_inode(a->u.dentry);
 		if (inode) {
@@ -295,8 +297,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		dentry = d_find_alias(inode);
 		if (dentry) {
 			audit_log_format(ab, " name=");
-			audit_log_untrustedstring(ab,
-					 dentry->d_name.name);
+			spin_lock(&dentry->d_lock);
+			audit_log_untrustedstring(ab, dentry->d_name.name);
+			spin_unlock(&dentry->d_lock);
 			dput(dentry);
 		}
 		audit_log_format(ab, " dev=");
author	Al Viro <viro@zeniv.linux.org.uk>	2021-01-05 14:43:46 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-01-23 15:48:43 +0100
commit	2f121a8d64753b3a2d51a97e9c345668feff76f8 (patch)
tree	0d1a3402b7f05e2221cf247d62b06e73786ccd92 /security
parent	00b646138a9a0771c8806f1c61a8d5c58d53bade (diff)