lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Aug 2022 10:34:15 -0400 From: Paul Moore <paul@...l-moore.com> To: Jan Kara <jack@...e.cz> Cc: Gaosheng Cui <cuigaosheng1@...wei.com>, eparis@...hat.com, mszeredi@...hat.com, amir73il@...il.com, linux-audit@...hat.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH next] audit: fix potential double free on error path from fsnotify_add_inode_mark On Mon, Aug 22, 2022 at 4:50 AM Jan Kara <jack@...e.cz> wrote: > On Mon 22-08-22 10:29:05, Gaosheng Cui wrote: > > Audit_alloc_mark() assign pathname to audit_mark->path, on error path > > from fsnotify_add_inode_mark(), fsnotify_put_mark will free memory > > of audit_mark->path, but the caller of audit_alloc_mark will free > > the pathname again, so there will be double free problem. > > > > Fix this by resetting audit_mark->path to NULL pointer on error path > > from fsnotify_add_inode_mark(). > > > > Fixes: 7b1293234084d ("fsnotify: Add group pointer in fsnotify_init_mark()") > > Signed-off-by: Gaosheng Cui <cuigaosheng1@...wei.com> > > Good spotting! The patch looks good to me. Feel free to add: > > Reviewed-by: Jan Kara <jack@...e.cz> > > > --- > > kernel/audit_fsnotify.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c > > index 6432a37ac1c9..c565fbf66ac8 100644 > > --- a/kernel/audit_fsnotify.c > > +++ b/kernel/audit_fsnotify.c > > @@ -102,6 +102,7 @@ struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pa > > > > ret = fsnotify_add_inode_mark(&audit_mark->mark, inode, 0); > > if (ret < 0) { > > + audit_mark->path = NULL; > > fsnotify_put_mark(&audit_mark->mark); As I'm tracing the code path from audit through fsnotify, and back into audit, I'm wondering if we still have a problem. When fsnotify_add_inode_mark() fails it will end up freeing not just audit_mark->path, but audit_mark itself via audit_fsnotify_mark_free() (via a call into fsnotify_put_mark()), yes? If that is the case, I think the better fix would simply be to just remove the fsnotify_put_mark() call and add a small comment in this error patch mentioning that fsnotify_put_mark() will release audit_mark on error. Thoughts? > > audit_mark = ERR_PTR(ret); > > } -- paul-moore.com
Powered by blists - more mailing lists