• Ronny Chevalier's avatar
    audit: fix use-after-free in audit_add_watch · baa2a4fd
    Ronny Chevalier authored
    audit_add_watch stores locally krule->watch without taking a reference
    on watch. Then, it calls audit_add_to_parent, and uses the watch stored
    Unfortunately, it is possible that audit_add_to_parent updates
    When it happens, it also drops a reference of watch which
    could free the watch.
    How to reproduce (with KASAN enabled):
        auditctl -w /etc/passwd -F success=0 -k test_passwd
        auditctl -w /etc/passwd -F success=1 -k test_passwd2
    The second call to auditctl triggers the use-after-free, because
    audit_to_parent updates krule->watch to use a previous existing watch
    and drops the reference to the newly created watch.
    To fix the issue, we grab a reference of watch and we release it at the
    end of the function.
    Signed-off-by: default avatarRonny Chevalier <ronny.chevalier@hp.com>
    Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
audit_watch.c 14.8 KB