The user pointer was being illegally dereferenced directly to get the open_how flags data in audit_match_perm. Use the previously saved flags data elsewhere in the context instead. Coverage is provided by the audit-testsuite syscalls_file test case. Cc: stable@xxxxxxxxxxxxxxx Link: https://lore.kernel.org/r/c96031b4-b76d-d82c-e232-1cccbbf71946@xxxxxxxx Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall") Reported-by: Jeff Mahoney <jeffm@xxxxxxxx> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> --- kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fce5d43a933f..81ab510a7be4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -185,7 +185,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; case AUDITSC_OPENAT2: - return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); + return mask & ACC_MODE((u32)(ctx->openat2.flags)); default: return 0; } -- 2.27.0
