dump_common_audit_data(): fix racy accesses to ->d_name

We are not guaranteed the locking environment that would prevent
dentry getting renamed right under us.  And it's possible for
old long name to be freed after rename, leading to UAF here.

Cc: stable@kernel.org # v2.6.2+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 7d8026f3f377256292b5b7bd133d865b37f4b5a3..a0cd28cd31a852c50ca7f2500f64d91f6b60f53b 100644 (file)
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -275,7 +275,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
                struct inode *inode;
 
                audit_log_format(ab, " name=");
+               spin_lock(&a->u.dentry->d_lock);
                audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
+               spin_unlock(&a->u.dentry->d_lock);
 
                inode = d_backing_inode(a->u.dentry);
                if (inode) {
@@ -293,8 +295,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
                dentry = d_find_alias(inode);
                if (dentry) {
                        audit_log_format(ab, " name=");
-                       audit_log_untrustedstring(ab,
-                                        dentry->d_name.name);
+                       spin_lock(&dentry->d_lock);
+                       audit_log_untrustedstring(ab, dentry->d_name.name);
+                       spin_unlock(&dentry->d_lock);
                        dput(dentry);
                }
                audit_log_format(ab, " dev=");