author Jiri Kosina <jkosina@suse.cz> 2017-11-24 23:19:38 +0100
committer Jiri Kosina <jkosina@suse.cz> 2017-11-24 23:19:38 +0100
commit 010f77e2bd37fc94b0a62aad29fd238cec18e16d (patch)
tree 01b05d8bd1e740fd0c702f0d855f93a952a07890
parent efe92752ee45d54e3ee37522af90a69368c53ed4 (diff)
parent f3c2bddaaead90dfb0f2bd431055da49576535a4 (diff)
Merge remote-tracking branch 'origin/users/tonyj/SLE11-SP4/bsc1045205' into SLE11-SP4rpm-3.0.101-108.18
-rw-r--r-- patches.fixes/audit-fix-use-after-free-in-audit_remove_watch_rule.patch | 51
-rw-r--r-- series.conf | 1
2 files changed, 52 insertions, 0 deletions
diff --git a/patches.fixes/audit-fix-use-after-free-in-audit_remove_watch_rule.patch b/patches.fixes/audit-fix-use-after-free-in-audit_remove_watch_rule.patch
new file mode 100644
index 0000000000..de89a0b03d
--- /dev/null
+++ b/patches.fixes/audit-fix-use-after-free-in-audit_remove_watch_rule.patch
@@ -0,0 +1,51 @@
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 15 Aug 2017 11:39:12 +0200
+Subject: [PATCH] audit: Fix use after free in audit_remove_watch_rule()
+References: bsc#1045205
+Patch-mainline: not yet, pending submission
+Signed-off-by: Tony Jones <tonyj@suse.de>
+
+audit_remove_watch_rule() drops watch's reference to parent but then
+continues to work with it. That is not safe as parent can get freed once
+we drop our reference. The following is a trivial reproducer:
+
+mount -o loop image /mnt
+touch /mnt/file
+auditctl -w /mnt/file -p wax
+umount /mnt
+auditctl -D
+<crash in fsnotify_destroy_mark()>
+
+Grab our own reference in audit_remove_watch_rule() earlier to make sure
+mark does not get freed under us.
+
+CC: stable@vger.kernel.org
+Reported-by: Tony Jones <tonyj@suse.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+---
+ kernel/audit_watch.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -471,13 +471,15 @@ void audit_remove_watch_rule(struct audi
+ list_del(&krule->rlist);
+
+ if (list_empty(&watch->rules)) {
++ /*
++ * audit_remove_watch() drops our reference to 'parent' which
++ * can get freed. Grab our own reference to be safe.
++ */
++ audit_get_parent(parent);
+ audit_remove_watch(watch);
+-
+- if (list_empty(&parent->watches)) {
+- audit_get_parent(parent);
++ if (list_empty(&parent->watches))
+ fsnotify_destroy_mark(&parent->mark);
+- audit_put_parent(parent);
+- }
++ audit_put_parent(parent);
+ }
+ }
+
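Review bot: the header of the embedded patch still reads "Patch-mainline: not yet, pending submission" although the patch carries "CC: stable@vger.kernel.org" and the author's Signed-off-by, and this merge lands three months after the patch's own date; before merging, check whether the fix has since been accepted upstream and, if so, replace the tag with the mainline commit reference so the backport can be tracked. The reordering in the kernel/audit_watch.c hunk itself is sound: `audit_get_parent(parent);` is now taken before `audit_remove_watch(watch);`, which is the call that drops the watch's reference to `parent`, so the later `list_empty(&parent->watches)` test and `fsnotify_destroy_mark(&parent->mark);` operate on an object we still own, and the single `audit_put_parent(parent);` that replaces the old inner get/put pair releases exactly that one extra reference. One nit: the added comment says the reference "can get freed" when it is the parent object that can get freed; "drops our reference to 'parent', which can then get freed" would read more precisely.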
diff --git a/series.conf b/series.conf
index 61df63e276..a899e6ae37 100644
--- a/series.conf
+++ b/series.conf
@@ -22221,6 +22221,7 @@
patches.fixes/audit-efficiency-fix-1-only-wake-up-if-queue-shorter-than-backlog-limit.patch
patches.fixes/audit-efficiency-fix-2-request-exclusive-wait-since-all-need-same-resource.patch
patches.fixes/audit-keep-inode-pinned.patch
+ patches.fixes/audit-fix-use-after-free-in-audit_remove_watch_rule.patch
########################################################
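Review bot: the new series.conf entry is appended as the last line of the audit fixes group, directly before the `####` separator, and its filename matches the file added in the first hunk (patches.fixes/audit-fix-use-after-free-in-audit_remove_watch_rule.patch), so the patch is applied after audit-keep-inode-pinned.patch; confirm that ordering is intended if that earlier patch also touches kernel/audit_watch.c, since the embedded hunk's context at `@@ -471,13 +471,15 @@` must still apply after it.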