On 2/2/24 11:16, Al Viro wrote:
On Fri, Feb 02, 2024 at 04:05:09PM +0000, Al Viro wrote:
Use After Free. Really. And "untrusted" in the function name does not
refer to "it might be pointing to unmapped page" - it's just "don't
expect anything from the characters you might find there, including
the presence of NUL".
Argh... s/including/beyond the/ - sorry. Messed up rewriting the
sentence.
"Untrusted" refers to the lack of whitespaces, control characters, '"',
etc. What audit_log_untrustedstring(ab, string) expects is
* string pointing to readable memory object
* the object remaining unchanged through the call
* NUL existing somewhere in that object.
All of those assertions can be violated once the object string
used to point to has been passed to kmem_cache_free(). Which is what
can very well happen to filename pointer in this case.
I suppose this would provide a stable name?
diff --git a/security/integrity/ima/ima_api.c
b/security/integrity/ima/ima_api.c
index 597ea0c4d72f..48ae6911139b 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -244,7 +244,6 @@ int ima_collect_measurement(struct
integrity_iint_cache *iint,
const char *audit_cause = "failed";
struct inode *inode = file_inode(file);
struct inode *real_inode = d_real_inode(file_dentry(file));
- const char *filename = file->f_path.dentry->d_name.name;
struct ima_max_digest_data hash;
struct kstat stat;
int result = 0;
@@ -313,11 +312,17 @@ int ima_collect_measurement(struct
integrity_iint_cache *iint,
iint->flags |= IMA_COLLECTED;
out:
if (result) {
+ struct qstr *qstr = &file->f_path.dentry->d_name;
+ char buf[NAME_MAX + 1];
+
if (file->f_flags & O_DIRECT)
audit_cause = "failed(directio)";
+ memcpy(buf, qstr->name, qstr->len);
+ buf[qstr->len] = 0;
+
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
- filename, "collect_data", audit_cause,
+ buf, "collect_data", audit_cause,
result, 0);
}
return result;
Regards,
Stefan