From ad982c3be4e60c7d39c03f782733503cbd88fd2a Mon Sep 17 00:00:00 2001 |
From: Gaosheng Cui <cuigaosheng1@huawei.com> |
Date: Mon, 22 Aug 2022 10:29:05 +0800 |
Subject: audit: fix potential double free on error path from fsnotify_add_inode_mark |
|
From: Gaosheng Cui <cuigaosheng1@huawei.com> |
|
commit ad982c3be4e60c7d39c03f782733503cbd88fd2a upstream. |
|
audit_alloc_mark() assigns pathname to audit_mark->path; on the error path |
from fsnotify_add_inode_mark(), fsnotify_put_mark will free memory |
of audit_mark->path, but the caller of audit_alloc_mark will free |
the pathname again, so there will be double free problem. |
|
Fix this by resetting audit_mark->path to NULL pointer on error path |
from fsnotify_add_inode_mark(). |
|
Cc: stable@vger.kernel.org |
Fixes: 7b1293234084d ("fsnotify: Add group pointer in fsnotify_init_mark()") |
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> |
Reviewed-by: Jan Kara <jack@suse.cz> |
Signed-off-by: Paul Moore <paul@paul-moore.com> |
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
--- |
kernel/audit_fsnotify.c | 1 + |
1 file changed, 1 insertion(+) |
|
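--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -102,6 +102,7 @@ struct audit_fsnotify_mark *audit_alloc_
 
 ret = fsnotify_add_inode_mark(&audit_mark->mark, inode, 0);
 if (ret < 0) {
+ audit_mark->path = NULL;
 fsnotify_put_mark(&audit_mark->mark);
 audit_mark = ERR_PTR(ret);
 }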
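Review bot: The added `audit_mark->path = NULL;` ahead of `fsnotify_put_mark()` carries no comment, and without one it reads like a redundant store that a later cleanup could drop, reintroducing the double free. Per the commit message the mark's release path frees `audit_mark->path` while the caller of audit_alloc_mark() also frees `pathname` on error, so the line is really an ownership statement; I would put `/* pathname stays owned by the caller on failure; don't let the mark's release free it */` above it. The fix also relies on the release path tolerating a NULL path (presumably via kfree(NULL) being a no-op), which is not visible in this hunk and is worth confirming. audit_alloc_mark() begins and ends outside the hunk, so its other error exits cannot be checked from here.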