On Fri, Feb 02, 2024 at 04:05:09PM +0000, Al Viro wrote:
> Use After Free. Really. And "untrusted" in the function name does not
> refer to "it might be pointing to unmapped page" - it's just "don't
> expect anything from the characters you might find there, including
> the presence of NUL".
Argh... s/including/beyond the/ - sorry. Messed up rewriting the
sentence.
"Untrusted" refers to the lack of whitespaces, control characters, '"',
etc. What audit_log_untrustedstring(ab, string) expects is
* string pointing to readable memory object
* the object remaining unchanged through the call
* NUL existing somewhere in that object.
All of those assertions can be violated once the object string
used to point to has been passed to kmem_cache_free(). Which is what
can very well happen to the filename pointer in this case.