diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2017-11-30 11:56:02 +0100 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2017-12-18 09:43:48 -0500 |
commit | 4e8581eefe720f8d990b892a8c9d298875e1a299 (patch) | |
tree | 3d2ebfa0c25038f526bda7c8757a9f54b823a52e /security/keys | |
parent | 72bf83b0c978c495ce9f6bfeee1ccd34478b05e6 (diff) |
ima: pass filename to ima_rdwr_violation_check()
ima_rdwr_violation_check() retrieves the full path of a measured file by
calling ima_d_path(). If process_measurement() calls this function, it
reuses the pointer and passes it to the functions to measure/appraise/audit
an accessed file.
After commit bc15ed663e7e ("ima: fix ima_d_path() possible race with
rename"), ima_d_path() first tries to retrieve the full path by calling
d_absolute_path() and, if there is an error, copies the dentry name to the
buffer passed as argument.
However, ima_rdwr_violation_check() passes to ima_d_path() the pointer of a
local variable. process_measurement() might be reusing the pointer to an
area in the stack which may have been already overwritten after
ima_rdwr_violation_check() returned.
Correct this issue by passing to ima_rdwr_violation_check() the pointer of
a buffer declared in process_measurement().
Fixes: bc15ed663e7e ("ima: fix ima_d_path() possible race with rename")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/keys')
0 files changed, 0 insertions, 0 deletions