Re: [PATCH 2/2] fs: remove the inode argument to ->d_real() method

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Fri, Feb 02, 2024 at 04:05:09PM +0000, Al Viro wrote:

> Use After Free.  Really.  And "untrusted" in the function name does not
> refer to "it might be pointing to unmapped page" - it's just "don't
> expect anything from the characters you might find there, including
> the presence of NUL".

Argh...  s/including/beyond the/ - sorry.  Messed up rewriting the

"Untrusted" refers to the lack of whitespaces, control characters, '"',
etc.  What audit_log_untrustedstring(ab, string) expects is
	* string pointing to readable memory object
	* the object remaining unchanged through the call
	* NUL existing somewhere in that object.

All of those assertions can be violated once the object string
used to point to has been passed to kmem_cache_free().  Which is what
can very well happen to filename pointer in this case.

[Index of Archives]     [Linux Filesystems Devel]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux