On Fri, Feb 02, 2024 at 04:05:09PM +0000, Al Viro wrote:
> Use After Free.  Really.  And "untrusted" in the function name does not
> refer to "it might be pointing to unmapped page" - it's just "don't
> expect anything from the characters you might find there, including
> the presence of NUL".

Argh...  s/including/beyond the/ - sorry.  Messed up rewriting the sentence.

"Untrusted" refers to the lack of whitespaces, control characters, '"', etc.
What audit_log_untrustedstring(ab, string) expects is
	* string pointing to readable memory object
	* the object remaining unchanged through the call
	* NUL existing somewhere in that object.

All of those assertions can be violated once the object string used to
point to has been passed to kmem_cache_free().  Which is what can very
well happen to the filename pointer in this case.
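The two points above (what "untrusted" means for the characters, and what the logger assumes about the object's lifetime) can be shown in a small userspace model. This is an added example, not code from the message or from the kernel: `audit_encode_untrusted`, `audit_then_release`, `dup_name` and `audit_buf` are names chosen here, and the encoding rule (hex-encode the whole string when it contains whitespace, control characters or '"', otherwise quote it) is a simplified stand-in for the kernel's behaviour. `free()` stands in for `kmem_cache_free()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the "untrusted" part: the logger makes no assumption
 * about the characters, so anything outside printable ASCII (or a '"')
 * forces the whole string to be hex-encoded. Assumption for this example,
 * not the kernel's exact code. */
static int audit_string_needs_hex(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Encode s (len bytes) into out. The caller must keep s readable and
 * unchanged for the whole call: that is the lifetime contract the message
 * describes. Returns the number of bytes written (excluding the NUL), or
 * -1 if out is too small. */
int audit_encode_untrusted(const char *s, size_t len, char *out, size_t outsz)
{
    if (audit_string_needs_hex(s, len)) {
        if (outsz < 2 * len + 1)
            return -1;
        for (size_t i = 0; i < len; i++)
            snprintf(out + 2 * i, 3, "%02X", (unsigned char)s[i]);
        return (int)(2 * len);
    }
    if (outsz < len + 3)
        return -1;
    out[0] = '"';
    memcpy(out + 1, s, len);
    out[len + 1] = '"';
    out[len + 2] = '\0';
    return (int)(len + 2);
}

/* Heap copy of a NUL-terminated name (constructed input for the demo). */
char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Correct ordering for a caller that owns the name: log first, release
 * second. Releasing first would leave the logger reading an object that
 * may be unmapped, reused, or no longer NUL-terminated. */
int audit_then_release(char *name, char *out, size_t outsz)
{
    int n = audit_encode_untrusted(name, strlen(name), out, outsz);
    free(name);   /* stands in for kmem_cache_free(names_cachep, name) */
    return n;
}

/* Shared scratch buffer so the results can be inspected after each call. */
char audit_buf[64];

int main(void)
{
    const char *samples[] = { "file.txt", "a b", "x\"y" };
    for (size_t i = 0; i < 3; i++) {
        int n = audit_then_release(dup_name(samples[i]), audit_buf, sizeof audit_buf);
        printf("%-10s -> %s (%d bytes)\n", samples[i], audit_buf, n);
    }
    return 0;
}
```

The interesting part is not the encoder but the order in `audit_then_release`: everything the logger needs (readable memory, unchanged contents, a NUL somewhere) is guaranteed only while the caller still owns the object, so the audit call has to come before the release.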