summaryrefslogtreecommitdiffstats
path: root/security/integrity/ima/ima_api.c
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2017-01-17 12:45:41 +0100
committerMimi Zohar <zohar@linux.vnet.ibm.com>2017-01-27 20:16:02 +0100
commitbc15ed663e7e53ee4dc3e60f8d09c93a0528c694 (patch)
tree7ab298e6fac6256585436cd3f78b8b1fa36daa02 /security/integrity/ima/ima_api.c
parentMerge branch 'smack-for-4.11' of git://github.com/cschaufler/smack-next into ... (diff)
downloadlinux-bc15ed663e7e53ee4dc3e60f8d09c93a0528c694.tar.xz
linux-bc15ed663e7e53ee4dc3e60f8d09c93a0528c694.zip
ima: fix ima_d_path() possible race with rename
On failure to return a pathname from ima_d_path(), a pointer to dname is returned, which is subsequently used in the IMA measurement list, the IMA audit records, and other audit logging. Saving the pointer to dname for later use has the potential to race with rename. Intead of returning a pointer to dname on failure, this patch returns a pointer to a copy of the filename. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: stable@vger.kernel.org
Diffstat (limited to 'security/integrity/ima/ima_api.c')
-rw-r--r--security/integrity/ima/ima_api.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 9df26a2b75ba..d01a52f8f708 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -318,7 +318,17 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
iint->flags |= IMA_AUDITED;
}
-const char *ima_d_path(const struct path *path, char **pathbuf)
+/*
+ * ima_d_path - return a pointer to the full pathname
+ *
+ * Attempt to return a pointer to the full pathname for use in the
+ * IMA measurement list, IMA audit records, and auditing logs.
+ *
+ * On failure, return a pointer to a copy of the filename, not dname.
+ * Returning a pointer to dname, could result in using the pointer
+ * after the memory has been freed.
+ */
+const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
{
char *pathname = NULL;
@@ -331,5 +341,11 @@ const char *ima_d_path(const struct path *path, char **pathbuf)
pathname = NULL;
}
}
- return pathname ?: (const char *)path->dentry->d_name.name;
+
+ if (!pathname) {
+ strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX);
+ pathname = namebuf;
+ }
+
+ return pathname;
}