6.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Fort stanislav.fort@aisle.com
commit 4540f1d23e7f387880ce46d11b5cd3f27248bf8d upstream.
When a watch on dir=/ is combined with an fsnotify event for a single-character name directly under / (e.g., creating /a), an out-of-bounds read can occur in audit_compare_dname_path().
The helper parent_len() returns 1 for "/". In audit_compare_dname_path(), when parentlen equals the full path length (1), the code sets p = path + 1 and pathlen = 1 - 1 = 0. The subsequent loop then dereferences p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.
Fix this by adding a pathlen > 0 check to the while loop condition to prevent the out-of-bounds access.
Cc: stable@vger.kernel.org Fixes: e92eebb0d611 ("audit: fix suffixed '/' filename matching") Reported-by: Stanislav Fort disclosure@aisle.com Suggested-by: Linus Torvalds torvalds@linuxfoundation.org Signed-off-by: Stanislav Fort stanislav.fort@aisle.com [PM: subject tweak, sign-off email fixes] Signed-off-by: Paul Moore paul@paul-moore.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- kernel/auditfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1326,7 +1326,7 @@ int audit_compare_dname_path(const struc
/* handle trailing slashes */ pathlen -= parentlen; - while (p[pathlen - 1] == '/') + while (pathlen > 0 && p[pathlen - 1] == '/') pathlen--;
if (pathlen != dlen)