shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-02 03:03:00 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
a8a7efcebb12e9f2c661baac55590320edc9435e
linux/kernel
History
Ronny Chevalier 0cae255158 audit: fix use-after-free in audit_add_watch 
[ Upstream commit baa2a4fdd5 ]

audit_add_watch stores locally krule->watch without taking a reference
on watch. Then, it calls audit_add_to_parent, and uses the watch stored
locally.

Unfortunately, it is possible that audit_add_to_parent updates
krule->watch.
When it happens, it also drops a reference of watch which
could free the watch.

How to reproduce (with KASAN enabled):

    auditctl -w /etc/passwd -F success=0 -k test_passwd
    auditctl -w /etc/passwd -F success=1 -k test_passwd2

The second call to auditctl triggers the use-after-free, because
audit_to_parent updates krule->watch to use a previous existing watch
and drops the reference to the newly created watch.

To fix the issue, we grab a reference of watch and we release it at the
end of the function.

Signed-off-by: Ronny Chevalier <ronny.chevalier@hp.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-15 08:20:49 +09:00
..
bpf
bpf: fix references to free_bpf_prog_info() in comments
2023-05-12 16:43:17 +09:00
configs
ANDROID: add script to fetch android kernel config fragments
2017-10-03 17:19:26 +00:00
debug
Merge 4.9.104 into android-4.9
2018-05-30 13:19:56 +02:00
events
perf/core: Force USER_DS when recording user stack data
2023-05-15 08:20:46 +09:00
gcov
gcov: support GCC 7.1
2017-09-02 07:07:53 +02:00
irq
genirq: Make force irq threading setup more robust
2023-05-12 16:45:57 +09:00
livepatch
livepatch/module: make TAINT_LIVEPATCH module-specific
2016-08-26 14:42:08 +02:00
locking
locking/osq_lock: Fix osq_lock queue corruption
2023-05-15 08:11:00 +09:00
power
PM / sleep: wakeup: Fix build error caused by missing SRCU support
2023-05-12 17:23:49 +09:00
printk
printk/tracing: Do not trace printk_nmi_enter()
2023-05-12 17:24:47 +09:00
rcu
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
sched
sched/wait: Remove the lockless swait_active() check in swake_up*()
2023-05-12 16:45:19 +09:00
time
timers: Clear timer_base::must_forward_clk with timer_base::lock held
2023-05-15 08:13:51 +09:00
trace
uprobes: Use synchronize_rcu() not synchronize_sched()
2023-05-12 17:23:42 +09:00
.gitignore
certs: add .gitignore to stop git nagging about x509_certificate_list
2015-10-21 15:18:35 +01:00
acct.c
kernel/acct.c: fix the acct->needcheck check in check_free_space()
2018-01-10 09:29:51 +01:00
async.c
kernel/async.c: revert "async: simplify lowest_in_progress()"
2018-02-17 13:21:18 +01:00
audit_fsnotify.c
wrappers for ->i_mutex access
2016-01-22 18:04:28 -05:00
audit_tree.c
audit: cleanup prune_tree_thread
2016-04-04 09:46:47 -04:00
audit_watch.c
audit: fix use-after-free in audit_add_watch
2023-05-15 08:20:49 +09:00
audit.c
audit: return on memory error to avoid null pointer dereference
2018-05-30 07:50:49 +02:00
audit.h
Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit
2016-07-29 17:54:17 -07:00
auditfilter.c
audit: allow not equal op for audit by executable
2023-05-12 16:43:50 +09:00
auditsc.c
audit: allow not equal op for audit by executable
2023-05-12 16:43:50 +09:00
backtracetest.c
bounds.c
capability.c
ptrace: Capture the ptracer's creds not PT_PTRACE_CAP
2017-01-06 10:40:13 +01:00
cfi.c
cfi: print target address on failure
2018-05-01 16:49:34 +00:00
cgroup_freezer.c
cgroup: kill cgrp_ss_priv[CGROUP_CANFORK_COUNT] and friends
2015-12-03 10:24:08 -05:00
cgroup_pids.c
cgroup/pids: remove spurious suspicious RCU usage warning
2017-03-26 13:05:58 +02:00
cgroup.c
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
compat.c
19af5c5 dtv_demod: add AGC control for board t309 [1/1]
2019-05-06 21:14:10 +08:00
configs.c
context_tracking.c
context_tracking: Switch to new static_branch API
2015-11-24 09:56:43 +01:00
cpu_pm.c
kernel/cpu_pm: fix cpu_cluster_pm_exit comment
2015-09-03 02:42:20 +02:00
cpu.c
cpu/hotplug: Non-SMP machines do not make use of booted_once
2023-05-12 16:56:08 +09:00
cpuset.c
Merge 4.9.55 into android-4.9
2017-10-12 22:31:24 +02:00
crash_dump.c
cred.c
cred: Reject inodes with invalid ids in set_create_file_as()
2016-06-30 18:05:09 -05:00
delayacct.c
kmemcg: account certain kmem allocations to memcg
2016-01-14 16:00:49 -08:00
dma.c
elfcore.c
exec_domain.c
Remove rest of exec domains.
2015-04-12 21:03:31 +02:00
exit.c
ANDROID: Fix massive cpufreq_times memory leaks
2018-07-18 13:22:08 +00:00
extable.c
kernel/extable.c: mark core_kernel_text notrace
2017-07-21 07:42:21 +02:00
fork.c
kthread: Fix use-after-free if kthread fork fails
2023-05-15 08:10:45 +09:00
freezer.c
freezer, oom: check TIF_MEMDIE on the correct task
2016-07-28 16:07:41 -07:00
futex_compat.c
ptrace: use fsuid, fsgid, effective creds for fs access checks
2016-01-20 17:09:18 -08:00
futex.c
futex: futex_wake_op, fix sign_extend32 sign bits
2018-05-19 10:27:00 +02:00
groups.c
kernel: make groups_sort calling a responsibility group_info allocators
2018-01-10 09:29:52 +01:00
hung_task.c
hung_task: allow hung_task_panic when hung_task_warnings is 0
2016-10-11 15:06:33 -07:00
irq_work.c
treewide: Remove old email address
2015-11-23 09:44:58 +01:00
jump_label.c
jump_label: Invoke jump_label_test() via early_initcall()
2017-12-14 09:28:24 +01:00
kallsyms.c
rodata: optimize memory usage of rodata section [4/5]
2023-04-21 13:52:34 +09:00
kcmp.c
ptrace: use fsuid, fsgid, effective creds for fs access checks
2016-01-20 17:09:18 -08:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
locking/qrwlock: Rename QUEUE_RWLOCK to QUEUED_RWLOCKS
2015-05-12 09:46:00 +02:00
Kconfig.preempt
kcov.c
kcov: ensure irq code sees a valid area
2023-05-12 16:39:07 +09:00
kexec_core.c
objtool, x86: Add several functions and files to the objtool whitelist
2018-06-05 10:28:57 +02:00
kexec_file.c
kexec: fix double-free when failing to relocate the purgatory
2016-09-01 17:52:01 -07:00
kexec_internal.h
kexec: move some memembers and definitions within the scope of CONFIG_KEXEC_FILE
2016-01-20 17:09:18 -08:00
kexec.c
kexec: allow architectures to override boot mapping
2016-08-02 19:35:27 -04:00
kmod.c
kmod: don't run async usermode helper as a child of kworker thread
2015-10-23 17:55:10 +09:00
kprobes.c
kprobes: Make list and blacklist root user read only
2023-05-12 17:16:44 +09:00
ksysfs.c
kexec: add a kexec_crash_loaded() function
2016-08-02 19:35:30 -04:00
kthread.c
kthread, tracing: Don't expose half-written comm when creating kthreads
2023-05-12 16:38:55 +09:00
latencytop.c
sched/debug: Make schedstats a runtime tunable that is disabled by default
2016-02-09 11:54:23 +01:00
Makefile
rodata: optimize memory usage of rodata section [1/5]
2023-04-21 13:52:34 +09:00
membarrier.c
Fix: Disable sys_membarrier when nohz_full is enabled
2017-03-12 06:41:45 +01:00
memremap.c
mm: Fix devm_memremap_pages() collision handling
2018-02-28 10:18:34 +01:00
module_signing.c
KEYS: Move the point of trust determination to __key_link()
2016-04-11 22:43:43 +01:00
module-internal.h
module.c
rodata: optimize memory usage of rodata section [3/5]
2023-04-21 13:52:34 +09:00
notifier.c
Merge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2015-09-01 08:40:25 -07:00
nsproxy.c
cgroup: introduce cgroup namespaces
2016-02-16 13:04:58 -05:00
padata.c
padata: free correct variable
2017-05-20 14:28:40 +02:00
panic.c
ramdump: add ramdump support for kernel [4/6]
2018-06-03 02:57:35 -07:00
params.c
Merge tag 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux
2015-11-09 15:53:39 -08:00
pid_namespace.c
pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
2017-05-25 15:44:38 +02:00
pid.c
pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid()
2018-04-13 19:47:53 +02:00
profile.c
profile: Convert to hotplug state machine
2016-07-15 10:41:42 +02:00
ptrace.c
ptrace: Properly initialize ptracer_cred on fork
2017-06-14 15:05:54 +02:00
range.c
kernel: avoid overflow in cmp_range
2015-01-17 10:02:23 +13:00
reboot.c
kexec: split kexec_load syscall from kexec core code
2015-09-10 13:29:01 -07:00
relay.c
kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
2018-05-30 07:50:29 +02:00
resource.c
resource: fix integer overflow at reallocation
2018-04-24 09:34:09 +02:00
seccomp.c
seccomp: Move speculation migitation control to arch code
2018-05-22 16:58:02 +02:00
signal.c
kernel/signal.c: avoid undefined behaviour in kill_something_info
2018-05-30 07:50:18 +02:00
smp.c
cpu/hotplug: Fix SMT supported evaluation
2023-05-12 16:55:46 +09:00
smpboot.c
kthread/smpboot: do not park in kthread_create_on_cpu()
2016-10-11 15:06:33 -07:00
smpboot.h
cpu/hotplug: Create hotplug threads
2016-03-01 20:36:56 +01:00
softirq.c
Mark HI and TASKLET softirq synchronous
2023-05-12 16:46:40 +09:00
stacktrace.c
stacktrace, lockdep: Fix address, newline ugliness
2017-02-14 15:25:42 -08:00
stop_machine.c
stop_machine: Use raw spinlocks
2023-05-12 16:43:35 +09:00
sys_ni.c
x86/pkeys: Fix pkeys build breakage for some non-x86 arches
2016-09-13 14:41:36 +02:00
sys.c
sys: don't hold uts_sem while accessing userspace memory
2023-05-12 17:24:20 +09:00
sysctl_binary.c
kernel/sysctl_binary.c: use generic UUID library
2016-05-20 17:58:30 -07:00
sysctl.c
sched/sysctl: Check user input value of sysctl_sched_time_avg
2023-05-12 17:14:54 +09:00
task_work.c
task_work: use READ_ONCE/lockless_dereference, avoid pi_lock if !task_works
2016-08-02 19:35:02 -04:00
taskstats.c
taskstats: fix the length of cgroupstats_cmd_get_policy
2016-11-03 16:55:58 -04:00
test_kprobes.c
torture.c
torture: Convert torture_shutdown() to hrtimer
2016-08-22 10:01:49 -07:00
tracepoint.c
tracepoint: Do not warn on ENOMEM
2018-05-09 09:50:20 +02:00
tsacct.c
time, acct: Drop irq save & restore from __acct_update_integrals()
2016-02-29 09:53:09 +01:00
ucount.c
kernel/ucount.c: mark user_header with kmemleak_ignore()
2017-06-17 06:41:51 +02:00
uid16.c
kernel: make groups_sort calling a responsibility group_info allocators
2018-01-10 09:29:52 +01:00
up.c
smp: Add function to execute a function synchronously on a CPU
2016-09-05 13:52:39 +02:00
user_namespace.c
userns: move user access out of the mutex
2023-05-12 17:24:22 +09:00
user-return-notifier.c
user.c
ANDROID: proc: Add /proc/uid directory
2018-04-03 11:15:30 -07:00
utsname_sysctl.c
sys: don't hold uts_sem while accessing userspace memory
2023-05-12 17:24:20 +09:00
utsname.c
Merge branch 'nsfs-ioctls' into HEAD
2016-09-22 20:00:36 -05:00
watchdog_hld.c
debug: hard lockup detect
2018-05-09 19:39:28 -07:00
watchdog.c
debug: hard lockup detect
2018-05-09 19:39:28 -07:00
workqueue_internal.h
workqueue: Fix NULL pointer dereference
2017-11-15 15:53:17 +01:00
workqueue.c
Merge branch 'android-4.9' into amlogic-4.9-dev
2018-08-07 14:43:24 +08:00