author | Paul Moore <paul@paul-moore.com> | 2022-02-09 14:49:38 -0500 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2022-02-09 16:04:26 -0500 |
commit | 7a82f89de92aac5a244d3735b2bd162c1147620c (patch) | |
tree | 87ccbb01f4c5d75eac090a45840bfc64f39446ce | |
parent | f26d04331360d42dbd6b58448bd98e4edbfbe1c5 (diff) | |
audit: don't deref the syscall args when checking the openat2 open_how::flags

As reported by Jeff, dereferencing the openat2 syscall argument in
audit_match_perm() to obtain the open_how::flags can result in an
oops/page-fault. This patch fixes this by using the open_how struct
that we store in the audit_context with audit_openat2_how().

Independent of this patch, Richard Guy Briggs posted a similar patch
to the audit mailing list roughly 40 minutes after this patch was
posted.

Cc: stable@vger.kernel.org
Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall")
Reported-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

-rw-r--r-- | kernel/auditsc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fce5d43a933f..a83928cbdcb7 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -185,7 +185,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; case AUDITSC_OPENAT2: - return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); + return mask & ACC_MODE((u32)ctx->openat2.flags); default: return 0; } |
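
Review bot: In the AUDITSC_OPENAT2 case of audit_match_perm(), the new read of ctx->openat2.flags is only correct if audit_openat2_how() has already stored the open_how in the audit_context by the time this check runs, and nothing at the call site says so. Suggest a short comment above `return mask & ACC_MODE((u32)ctx->openat2.flags);` noting that ctx->argv[2] is the raw syscall argument and must not be dereferenced here, and stating what flags holds when no open_how was recorded (if the field is zero in that case, the permission mask is computed from a flags value of 0 rather than from what the caller passed). The (u32) cast is carried over unchanged from the removed line; worth confirming the truncation is intended for this field.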