[Devel] [PATCH RHEL7 COMMIT] ms/audit: fix potential null dereference 'context->module.name'

Konstantin Khorenko khorenko at virtuozzo.com
Tue Jun 16 14:05:43 MSK 2020


The commit is pushed to "branch-rh7-3.10.0-1127.10.1.vz7.162.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.10.1.vz7.162.3
------>
commit c7ac7f4dc2e5776053ba57cd24c3aef4c4025978
Author: Yi Wang <wang.yi59 at zte.com.cn>
Date:   Wed Jul 25 10:26:19 2018 +0800

    ms/audit: fix potential null dereference 'context->module.name'
    
    The variable 'context->module.name' may be a null pointer when
    kmalloc returns null, so it's better to check it before use
    to avoid a null dereference.
    One more thing this patch does is use kstrdup instead
    of (kmalloc + strcpy), and signal a lost record via audit_log_lost.
    
    Cc: stable at vger.kernel.org # 4.11
    Signed-off-by: Yi Wang <wang.yi59 at zte.com.cn>
    Reviewed-by: Jiang Biao <jiang.biao2 at zte.com.cn>
    Reviewed-by: Richard Guy Briggs <rgb at redhat.com>
    Signed-off-by: Paul Moore <paul at paul-moore.com>
    
    https://jira.sw.ru/browse/PSBM-104567
    
    (cherry picked from commit b305f7ed0f4f494ad6f3ef5667501535d5a8fa31)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 kernel/auditsc.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 1c5733e369199..1ab4049439641 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1277,8 +1277,12 @@ static void show_special(struct audit_context *context, int *call_panic)
 		break;
 	case AUDIT_KERN_MODULE:
 		audit_log_format(ab, "name=");
-		audit_log_untrustedstring(ab, context->module.name);
-		kfree(context->module.name);
+		if (context->module.name) {
+			audit_log_untrustedstring(ab, context->module.name);
+			kfree(context->module.name);
+		} else
+			audit_log_format(ab, "(null)");
+
 		break;
 	}
 	audit_log_end(ab);
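
Review bot: In the AUDIT_KERN_MODULE case, context->module.name is freed but left pointing at the freed buffer. The new code treats NULL as the "no name" state, so assigning context->module.name = NULL right after the kfree() would keep that invariant, and any later pass through this case would take the "(null)" branch instead of touching freed memory. On style: the if branch is braced, so kernel coding style wants braces on the else as well ("} else {"), and the blank line added before break is not needed.
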
@@ -2431,8 +2435,9 @@ void __audit_log_kern_module(char *name)
 {
 	struct audit_context *context = current->audit_context;
 
-	context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
-	strcpy(context->module.name, name);
+	context->module.name = kstrdup(name, GFP_KERNEL);
+	if (!context->module.name)
+		audit_log_lost("out of memory in __audit_log_kern_module");
 	context->type = AUDIT_KERN_MODULE;
 }
 
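
Review bot: On the kstrdup() failure path in __audit_log_kern_module(), context->type is still set to AUDIT_KERN_MODULE while module.name is NULL, so this hunk is only safe together with the NULL check added in show_special(). A short comment here saying the NULL name is deliberate and is reported as "(null)" when the record is emitted would keep the two sites from drifting apart in a later backport. The assignment also overwrites whatever context->module.name held before without freeing it, which is worth a note if a previous value could still be set at this point. Since kstrdup() takes a const char *, the name parameter could be declared const char * as well.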

