The user pointer was being illegally dereferenced directly to get the open_how flags data in audit_match_perm. Use the previously saved flags data elsewhere in the context instead.
Coverage is provided by the audit-testsuite syscalls_file test case. Cc: [email protected] Link: https://lore.kernel.org/r/[email protected] Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall") Reported-by: Jeff Mahoney <[email protected]> Signed-off-by: Richard Guy Briggs <[email protected]> --- kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fce5d43a933f..81ab510a7be4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -185,7 +185,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; case AUDITSC_OPENAT2: - return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); + return mask & ACC_MODE((u32)(ctx->openat2.flags)); default: return 0; } -- 2.27.0 -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
