The user pointer was being illegally dereferenced directly to get the open_how flags data in audit_match_perm. Use the previously saved flags data elsewhere in the context instead.
Coverage is provided by the audit-testsuite syscalls_file test case.
Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/c96031b4-b76d-d82c-e232-1cccbbf71946@suse.com Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall") Reported-by: Jeff Mahoney jeffm@suse.com Signed-off-by: Richard Guy Briggs rgb@redhat.com --- kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fce5d43a933f..81ab510a7be4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -185,7 +185,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask) case AUDITSC_EXECVE: return mask & AUDIT_PERM_EXEC; case AUDITSC_OPENAT2: - return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); + return mask & ACC_MODE((u32)(ctx->openat2.flags)); default: return 0; }