[PATCH v1] audit: fix illegal pointer dereference for openat2

From: Richard Guy Briggs
Date: Wed Feb 09 2022 - 16:51:21 EST

Next message: Dave Hansen: "Re: [PATCH 17/35] mm: Fixup places that call pte_mkwrite() directly"
Previous message: kernel test robot: "[luxis1999-iommufd:iommufd-v5.17-rc1 22/28] microblaze-linux-ld: undefined reference to `interval_tree_iter_next'"
Next in thread: Paul Moore: "Re: [PATCH v1] audit: fix illegal pointer dereference for openat2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The user pointer was being illegally dereferenced directly to get the
open_how flags data in audit_match_perm. Use the previously saved flags
data elsewhere in the context instead.

Coverage is provided by the audit-testsuite syscalls_file test case.

Cc: stable@xxxxxxxxxxxxxxx
Link: https://lore.kernel.org/r/c96031b4-b76d-d82c-e232-1cccbbf71946@xxxxxxxx
Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall")
Reported-by: Jeff Mahoney <jeffm@xxxxxxxx>
Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fce5d43a933f..81ab510a7be4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -185,7 +185,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
case AUDITSC_EXECVE:
return mask & AUDIT_PERM_EXEC;
case AUDITSC_OPENAT2:
- return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
+ return mask & ACC_MODE((u32)(ctx->openat2.flags));
default:
return 0;
}
--
2.27.0

Next message: Dave Hansen: "Re: [PATCH 17/35] mm: Fixup places that call pte_mkwrite() directly"
Previous message: kernel test robot: "[luxis1999-iommufd:iommufd-v5.17-rc1 22/28] microblaze-linux-ld: undefined reference to `interval_tree_iter_next'"
Next in thread: Paul Moore: "Re: [PATCH v1] audit: fix illegal pointer dereference for openat2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]