linux-stable/kernel
Stanislav Fort 9735a9dcc3 audit: fix out-of-bounds read in audit_compare_dname_path()
commit 4540f1d23e upstream.

When a watch on dir=/ is combined with an fsnotify event for a
single-character name directly under / (e.g., creating /a), an
out-of-bounds read can occur in audit_compare_dname_path().

The helper parent_len() returns 1 for "/". In audit_compare_dname_path(),
when parentlen equals the full path length (1), the code sets p = path + 1
and pathlen = 1 - 1 = 0. The subsequent loop then dereferences
p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.

Fix this by adding a pathlen > 0 check to the while loop condition
to prevent the out-of-bounds access.

Cc: stable@vger.kernel.org
Fixes: e92eebb0d6 ("audit: fix suffixed '/' filename matching")
Reported-by: Stanislav Fort <disclosure@aisle.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
[PM: subject tweak, sign-off email fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-09-09 19:02:34 +02:00
bpf bpf: Make reg_not_null() true for CONST_PTR_TO_MAP 2025-08-20 18:41:20 +02:00
cgroup cgroup/cpuset: Fix a partition error with CPU hotplug 2025-08-28 16:34:43 +02:00
configs Kbuild updates for v6.16 2025-06-07 10:05:35 -07:00
debug
dma dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted 2025-09-04 16:55:47 +02:00
entry
events perf: Avoid undefined behavior from stopping/starting inactive events 2025-09-04 16:55:28 +02:00
futex futex: Use user_write_access_begin/_end() in futex_put_value() 2025-08-20 18:41:35 +02:00
gcov
irq genirq/irq_sim: Initialize work context pointers properly 2025-06-13 15:36:35 +02:00
kcsan kcsan: test: Initialize dummy variable 2025-08-15 16:38:50 +02:00
livepatch
locking Generic: 2025-06-02 12:24:58 -07:00
module module: Prevent silent truncation of module name in delete_module(2) 2025-08-20 18:41:28 +02:00
power PM: sleep: console: Fix the black screen issue 2025-08-20 18:41:00 +02:00
printk printk: nbcon: Allow reacquire during panic 2025-08-20 18:41:30 +02:00
rcu rcu: Fix racy re-initialization of irq_work causing hangs 2025-08-20 18:41:43 +02:00
sched sched: Fix sched_numa_find_nth_cpu() if mask offline 2025-09-09 19:02:30 +02:00
time timekeeping: Zero initialize system_counterval when querying time from phc drivers 2025-07-22 14:25:21 +02:00
trace ftrace: Fix potential warning in trace_printk_seq during ftrace_dump 2025-09-04 16:55:29 +02:00
.gitignore kheaders: rebuild kheaders_data.tar.xz when a file is modified within a minute 2025-08-20 18:41:31 +02:00
acct.c
async.c
audit_fsnotify.c
audit_tree.c replace collect_mounts()/drop_collected_mounts() with a safer variant 2025-06-23 14:01:49 -04:00
audit_watch.c
audit.c
audit.h audit,module: restore audit logging in load failure case 2025-08-15 16:38:20 +02:00
auditfilter.c audit: fix out-of-bounds read in audit_compare_dname_path() 2025-09-09 19:02:34 +02:00
auditsc.c audit,module: restore audit logging in load failure case 2025-08-15 16:38:20 +02:00
backtracetest.c
bounds.c
capability.c
cfi.c
compat.c
configs.c
context_tracking.c
cpu_pm.c
cpu.c
crash_core.c
crash_dump_dm_crypt.c crash_dump: retrieve dm crypt keys in kdump kernel 2025-05-21 10:48:21 -07:00
crash_reserve.c
cred.c
delayacct.c delayacct: remove redundant code and adjust indentation 2025-05-27 19:40:33 -07:00
dma.c
elfcorehdr.c
exec_domain.c
exit.c - Avoid a crash on a heterogeneous machine where not all cores support the 2025-06-22 10:11:45 -07:00
exit.h
extable.c
fail_function.c
fork.c - The 11 patch series "Add folio_mk_pte()" from Matthew Wilcox 2025-05-31 15:44:16 -07:00
freezer.c sched,freezer: Remove unnecessary warning in __thaw_task 2025-07-17 07:56:50 -10:00
gen_kheaders.sh kheaders: rebuild kheaders_data.tar.xz when a file is modified within a minute 2025-08-20 18:41:31 +02:00
groups.c
hung_task.c
iomem.c
irq_work.c
jump_label.c
kallsyms_internal.h
kallsyms_selftest.c
kallsyms_selftest.h
kallsyms.c
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.kexec kho: mm: don't allow deferred struct page with KHO 2025-08-28 16:34:34 +02:00
Kconfig.locks
Kconfig.preempt
kcov.c
kexec_core.c kexec_core: Fix error code path in the KEXEC_JUMP flow 2025-08-15 16:38:34 +02:00
kexec_elf.c
kexec_file.c - The 3 patch series "hung_task: extend blocking task stacktrace dump to 2025-05-31 19:12:53 -07:00
kexec_handover.c kho: warn if KHO is disabled due to an error 2025-08-28 16:34:35 +02:00
kexec_internal.h
kexec.c
kheaders.c
kprobes.c
ksyms_common.c
ksysfs.c
kthread.c ipvs: Fix estimator kthreads preferred affinity 2025-08-20 18:40:52 +02:00
latencytop.c
Makefile kheaders: rebuild kheaders_data.tar.xz when a file is modified within a minute 2025-08-20 18:41:31 +02:00
module_signature.c
notifier.c
nsproxy.c
padata.c padata: Fix pd UAF once and for all 2025-08-15 16:38:58 +02:00
panic.c - The 3 patch series "hung_task: extend blocking task stacktrace dump to 2025-05-31 19:12:53 -07:00
params.c
pid_namespace.c
pid_sysctl.h
pid.c
profile.c
ptrace.c
range.c
reboot.c
regset.c
relay.c
resource_kunit.c
resource.c resource: fix false warning in __request_region() 2025-07-24 17:57:59 -07:00
rseq.c
scftorture.c
scs.c
seccomp.c
signal.c signal: Fix memory leak for PIDFD_SELF* sentinels 2025-08-28 16:34:38 +02:00
smp.c
smpboot.c
smpboot.h
softirq.c
stackleak.c
stacktrace.c
static_call_inline.c
static_call.c
stop_machine.c sched/core: Fix migrate_swap() vs. hotplug 2025-07-01 15:02:03 +02:00
sys_ni.c
sys.c
sysctl-test.c
sysctl.c
task_work.c
taskstats.c
torture.c
tracepoint.c
tsacct.c
ucount.c ucount: fix atomic_long_inc_below() argument type 2025-08-15 16:39:17 +02:00
uid16.c
uid16.h
umh.c
up.c
user_namespace.c
user-return-notifier.c
user.c
usermode_driver.c
utsname_sysctl.c
utsname.c
vhost_task.c
vmcore_info.c
watch_queue.c
watchdog_buddy.c
watchdog_perf.c
watchdog.c kernel/watchdog: add /sys/kernel/{hard,soft}lockup_count 2025-05-21 10:48:22 -07:00
workqueue_internal.h
workqueue.c workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() 2025-06-17 08:58:29 -10:00