[PATCH v1] audit: fix illegal pointer dereference for openat2

Wednesday, 9 February 2022

The user pointer was being illegally dereferenced directly to get the
open_how flags data in audit_match_perm.  Use the previously saved flags
data elsewhere in the context instead.

Coverage is provided by the audit-testsuite syscalls_file test case.

Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/c96031b4-b76d-d82c-e232-1cccbbf71946@suse.com
Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall")
Reported-by: Jeff Mahoney <jeffm(a)suse.com&gt;
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt;
---
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fce5d43a933f..81ab510a7be4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -185,7 +185,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
 	case AUDITSC_EXECVE:
 		return mask & AUDIT_PERM_EXEC;
 	case AUDITSC_OPENAT2:
-		return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
+		return mask & ACC_MODE((u32)(ctx->openat2.flags));
 	default:
 		return 0;
 	}
-- 
2.27.0


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[PATCH v1] audit: fix illegal pointer dereference for openat2