Commit 4540f1d2 authored Sep 02, 2025 by Stanislav Fort Committed by Paul Moore Sep 03, 2025

audit: fix out-of-bounds read in audit_compare_dname_path()



When a watch on dir=/ is combined with an fsnotify event for a
single-character name directly under / (e.g., creating /a), an
out-of-bounds read can occur in audit_compare_dname_path().

The helper parent_len() returns 1 for "/". In audit_compare_dname_path(),
when parentlen equals the full path length (1), the code sets p = path + 1
and pathlen = 1 - 1 = 0. The subsequent loop then dereferences
p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.

Fix this by adding a pathlen > 0 check to the while loop condition
to prevent the out-of-bounds access.

Cc: stable@vger.kernel.org
Fixes: e92eebb0 ("audit: fix suffixed '/' filename matching")
Reported-by: Stanislav Fort <disclosure@aisle.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
[PM: subject tweak, sign-off email fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>

parent 8f5ae30d

kernel/auditfilter.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1326,7 +1326,7 @@ int audit_compare_dname_path(const struct qstr dname, const char path, int par

		/* handle trailing slashes */
		pathlen -= parentlen;
		while (p[pathlen - 1] == '/')
		while (pathlen > 0 && p[pathlen - 1] == '/')
		pathlen--;

		if (pathlen != dlen)