[PATCH 1/2] audit: Fix use after free in audit_remove_watch_rule()
Tony Jones
tonyj at suse.de
Tue Aug 15 18:43:29 UTC 2017
On 08/15/2017 04:00 AM, Jan Kara wrote:
> audit_remove_watch_rule() drops watch's reference to parent but then
> continues to work with it. That is not safe as parent can get freed once
> we drop our reference. The following is a trivial reproducer:
>
> mount -o loop image /mnt
> touch /mnt/file
> auditctl -w /mnt/file -p wax
> umount /mnt
> auditctl -D
> <crash in fsnotify_destroy_mark()>
>
> Grab our own reference in audit_remove_watch_rule() earlier to make sure
> mark does not get freed under us.
>
> CC: stable at vger.kernel.org
> Reported-by: Tony Jones <tonyj at suse.de>
> Signed-off-by: Jan Kara <jack at suse.cz>
> ---
Tested-by: Tony Jones <tonyj at suse.de>
Fix tested and verified against v3.0 and mainline
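The reference-drop ordering bug that the quoted commit message describes can be shown in a few lines of user-space C. The following is an added example written for this page; it is not kernel code and not part of the patch. The names `parent`, `watch`, `remove_watch_buggy` and `remove_watch_fixed` are hypothetical stand-ins for the audit parent mark, the watch, and the two orderings of `audit_remove_watch_rule()`. Instead of calling `free()`, the last `parent_put()` sets a `freed` flag so the "touch after free" can be detected and asserted on rather than crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted object standing in for the watch's parent (hypothetical, not kernel code). */
struct parent {
    int refcnt;
    int freed;     /* set when the last reference is dropped; lets us detect a use-after-free safely */
    int nwatches;
};

/* A watch holds one reference to its parent. */
struct watch {
    struct parent *parent;
};

static void parent_get(struct parent *p)
{
    p->refcnt++;
}

/* Drop one reference. Returns 1 if this was the last one (simulated free). */
static int parent_put(struct parent *p)
{
    if (--p->refcnt == 0) {
        p->freed = 1;
        return 1;
    }
    return 0;
}

/* Simulated access to parent. Returns -1 where a real kernel would oops on freed memory. */
static int parent_touch(struct parent *p)
{
    if (p->freed)
        return -1;
    p->nwatches--;
    return 0;
}

/* Buggy order: drop the watch's reference, then keep working with the parent. */
static int remove_watch_buggy(struct watch *w)
{
    struct parent *p = w->parent;

    parent_put(p);            /* may be the last reference */
    w->parent = NULL;
    return parent_touch(p);   /* use after free when the watch held the last reference */
}

/* Fixed order: pin the parent with our own reference before dropping the watch's. */
static int remove_watch_fixed(struct watch *w)
{
    struct parent *p = w->parent;
    int rc;

    parent_get(p);            /* our own reference keeps the parent alive for this function */
    parent_put(p);            /* drop the watch's reference */
    w->parent = NULL;
    rc = parent_touch(p);     /* safe: we still hold a reference */
    parent_put(p);            /* release our reference; the parent may be freed here */
    return rc;
}

/* Constructed scenario: the parent is held only by the single watch being removed
 * (the situation after the umount in the reproducer). Returns the removal result. */
static int scenario(int (*remove)(struct watch *))
{
    struct parent *p = calloc(1, sizeof *p);
    struct watch w = { p };
    int rc;

    p->refcnt = 1;            /* only the watch holds a reference */
    p->nwatches = 1;
    rc = remove(&w);
    free(p);                  /* real free of the toy object, after the check */
    return rc;
}

int main(void)
{
    printf("buggy order: %s\n", scenario(remove_watch_buggy) == -1 ? "touched freed parent" : "ok");
    printf("fixed order: %s\n", scenario(remove_watch_fixed) == 0 ? "ok" : "touched freed parent");
    return 0;
}
```

The point the example isolates is that the safety of `parent_touch()` depends entirely on who else still holds a reference at that moment; once the watch's reference was the last one, nothing the caller does afterwards is valid, which is why the fix takes its own reference first and releases it last.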