Audit: fix audit watch use after free

When an audit watch is added to a parent the temporary watch inside the original krule from userspace is freed. Yet the original watch is used after the real watch was created in audit_add_rules() Signed-off-by: Eric Paris <eparis@redhat.com>

Audit: fix audit watch use after free
When an audit watch is added to a parent the temporary watch inside the original krule from userspace is freed. Yet the original watch is used after the real watch was created in audit_add_rules() Signed-off-by: Eric Paris <eparis@redhat.com>
Eric Paris · Al Viro
1 parent 4e8a2372f9
Showing 1 changed file with 2 additions and 0 deletions Side-by-side Diff
kernel/auditfilter.c
@@ -1320,6 +1320,8 @@
 			mutex_unlock(&audit_filter_mutex);
 			goto error;
 		}
+		/* entry->rule.watch may have changed during audit_add_watch() */
+		watch = entry->rule.watch;
 		h = audit_hash_ino((u32)watch->ino);
 		list = &audit_inode_hash[h];
 	}
...	...	@@ -1320,6 +1320,8 @@
1320	1320	mutex_unlock(&audit_filter_mutex);
1321	1321	goto error;
1322	1322	}
	1323	+ /* entry->rule.watch may have changed during audit_add_watch() */
	1324	+ watch = entry->rule.watch;
1323	1325	h = audit_hash_ino((u32)watch->ino);
1324	1326	list = &audit_inode_hash[h];
1325	1327	}