[PATCH 3.2 036/147] audit: Fix use after free in audit_remove_watch_rule()

From: Ben Hutchings
Date: Mon Nov 06 2017 - 18:30:15 EST


3.2.95-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@xxxxxxx>

commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream.

audit_remove_watch_rule() drops watch's reference to parent but then
continues to work with it. That is not safe as parent can get freed once
we drop our reference. The following is a trivial reproducer:

mount -o loop image /mnt
touch /mnt/file
auditctl -w /mnt/file -p wax
umount /mnt
auditctl -D
<crash in fsnotify_destroy_mark()>

Grab our own reference in audit_remove_watch_rule() earlier to make sure
mark does not get freed under us.

Reported-by: Tony Jones <tonyj@xxxxxxx>
Signed-off-by: Jan Kara <jack@xxxxxxx>
Tested-by: Tony Jones <tonyj@xxxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
kernel/audit_watch.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -471,13 +471,15 @@ void audit_remove_watch_rule(struct audi
list_del(&krule->rlist);

if (list_empty(&watch->rules)) {
+ /*
+ * audit_remove_watch() drops our reference to 'parent' which
+ * can get freed. Grab our own reference to be safe.
+ */
+ audit_get_parent(parent);
audit_remove_watch(watch);
-
- if (list_empty(&parent->watches)) {
- audit_get_parent(parent);
+ if (list_empty(&parent->watches))
fsnotify_destroy_mark(&parent->mark);
- audit_put_parent(parent);
- }
+ audit_put_parent(parent);
}
}