On Mon, 2016-05-30 at 17:50 +0100, Al Viro wrote: > Only tangentially related, but... that bug had been discussed, > without any results: the fallback in ima_d_path() to ->d_name.name is > completely broken. There is no warranty whatsoever that dentry won't be > renamed, with its earlier (too long to be embedded into dentry itself) > ->d_name.name getting freed. Right under your code. Isn't i_mutex required? > > Could we please get rid of that thing? "A message in a near-oom > situation might be less informative than we'd like" is better than > "this code might end up dereferencing freed memory". > > Another similar bug is in ima_collect_measurement() - > const char *filename = file->f_path.dentry->d_name.name; > ... > integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, > filename, "collect_data", audit_cause, > with no warranty whatsoever that you are not passing a pointer to freed > memory. The same goes for ima_eventname_init_common() - > if (event_data->file) { > cur_filename = event_data->file->f_path.dentry->d_name.name; > cur_filename_len = strlen(cur_filename); > } else > ... > return ima_write_template_field_data(cur_filename, cur_filename_len, > DATA_FMT_STRING, field_data); > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html