Re: [PATCH 1/2] audit: Fix use after free in audit_remove_watch_rule()

On 08/15/2017 04:00 AM, Jan Kara wrote:
> audit_remove_watch_rule() drops watch's reference to parent but then
> continues to work with it. That is not safe as parent can get freed once
> we drop our reference. The following is a trivial reproducer:
> 
> mount -o loop image /mnt
> touch /mnt/file
> auditctl -w /mnt/file -p wax
> umount /mnt
> auditctl -D
> <crash in fsnotify_destroy_mark()>
> 
> Grab our own reference in audit_remove_watch_rule() earlier to make sure
> mark does not get freed under us.
> 
> CC: stable@xxxxxxxxxxxxxxx
> Reported-by: Tony Jones <tonyj@xxxxxxx>
> Signed-off-by: Jan Kara <jack@xxxxxxx>
> ---

Tested-by: Tony Jones <tonyj@xxxxxxx>

Fix tested and verified against v3.0 and mainline
