audit: fix out-of-bounds read in audit_compare_dname_path()

mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable.git synced 2025-09-13 11:07:46 +10:00

Browse Source

commit 4540f1d23e upstream.

When a watch on dir=/ is combined with an fsnotify event for a
single-character name directly under / (e.g., creating /a), an
out-of-bounds read can occur in audit_compare_dname_path().

The helper parent_len() returns 1 for "/". In audit_compare_dname_path(),
when parentlen equals the full path length (1), the code sets p = path + 1
and pathlen = 1 - 1 = 0. The subsequent loop then dereferences
p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.

Fix this by adding a pathlen > 0 check to the while loop condition
to prevent the out-of-bounds access.

Cc: stable@vger.kernel.org
Fixes: e92eebb0d6 ("audit: fix suffixed '/' filename matching")
Reported-by: Stanislav Fort <disclosure@aisle.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
[PM: subject tweak, sign-off email fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This commit is contained in:

Stanislav Fort

2025-09-02 14:00:49 +03:00

committed by

Greg Kroah-Hartman

parent 576b3139e6

commit 9735a9dcc3

1 changed files with 1 additions and 1 deletions

									
										2

kernel/auditfilter.c
									
										View File
										
				@ -1326,7 +1326,7 @@ int audit_compare_dname_path(const struct qstr *dname, const char *path, int par

					/* handle trailing slashes */

					pathlen -= parentlen;

					while (p[pathlen - 1] == '/')

					while (pathlen > 0 && p[pathlen - 1] == '/')

						pathlen--;

					if (pathlen != dlen)

audit: fix out-of-bounds read in audit_compare_dname_path()

2 kernel/auditfilter.c Unescape Escape View File

2

kernel/auditfilter.c

View File