> Modern mount tools (util-linux >= 2.39.1) use the new mount API
> (fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2)
> syscall. The generic SYSCALL audit record logs the fsopen syscall but
> does not capture the filesystem name string, creating an audit gap for
> filesystem mount operations.
> 
> Add an FSOPEN auxiliary record that logs the dereferenced filesystem
> name string passed to fsopen(2).
> 
>   type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC
>   type=FSOPEN  ... : fs_name="tmpfs"
> 
> Link: https://github.com/linux-audit/audit-kernel/issues/152
> Signed-off-by: Ricardo Robaina <[email protected]>
>
> diff --git a/fs/fsopen.c b/fs/fsopen.c
> index ae19e5136598..8b07f9d42be2 100644
> --- a/fs/fsopen.c
> +++ b/fs/fsopen.c
> @@ -15,6 +15,7 @@
>  #include <linux/namei.h>
>  #include <linux/file.h>
>  #include <uapi/linux/mount.h>
> +#include <linux/audit.h>
>  #include "internal.h"
>  #include "mount.h"
>  
> @@ -150,6 +151,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, 
> unsigned int, flags)
>       if (ret < 0)
>               goto err_fc;
>  
> +     audit_log_fsopen(fs_name);
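Review bot: `audit_log_fsopen(fs_name)` is placed after the `fscontext_alloc_log()` error check, but by this point `fs_name` has already been handed to `kfree()` right after `get_fs_type(fs_name)` earlier in the same function (the lines quoted below), so the record is built from freed memory. Either move the call up so it sits before `kfree(fs_name)` (which also records the requested name when the lookup fails with -ENODEV), or keep this placement and log the resolved type's own name, `fs_type->name`, which outlives the temporary copy; in the second case the call would have to come before `put_filesystem(fs_type)`.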

Right above:

        fs_type = get_fs_type(fs_name);
        kfree(fs_name);
        if (!fs_type)
                return -ENODEV;

So that's a UAF.

-- 
Christian Brauner <[email protected]>
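The ordering problem above, as an added userspace model that is not part of the patch or the kernel: it mirrors the fsopen(2) prologue (bounded copy of the user string, type lookup, free of the copy) with a constructed filesystem registry, a `strndup_user()` stand-in and an "audit record" kept in a static buffer so the result can be checked. Both functions below avoid the use-after-free, in the two ways a reviewer would suggest: log while the copy is still live, or log the resolved type's own name after the copy is gone. The `fs_registry` table, `last_audited` buffer and the function names `fsopen_log_before_free` / `fsopen_log_resolved_name` are assumptions for this example.

```c
/* Added example, not kernel code: a userspace model of the fsopen(2)
 * prologue showing two placements of the audit call that do not touch the
 * freed fs_name copy. The registry, the "audit log" and the helper names
 * are constructed for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

/* Minimal stand-in for struct file_system_type: only the name is needed. */
struct file_system_type {
    const char *name;
};

/* Constructed registry replacing the kernel's get_fs_type() lookup. */
static struct file_system_type fs_registry[] = {
    { "tmpfs" }, { "ext4" }, { "btrfs" },
};

static struct file_system_type *get_fs_type(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof fs_registry / sizeof fs_registry[0]; i++)
        if (strcmp(fs_registry[i].name, name) == 0)
            return &fs_registry[i];
    return NULL;
}

/* Stand-in for strndup_user(): a bounded copy of the caller's string into
 * a freshly allocated buffer that the caller must free (kfree in-kernel). */
static char *strndup_user(const char *ustr, size_t max)
{
    size_t n = 0;
    char *p;

    while (n < max - 1 && ustr[n] != '\0')
        n++;
    p = malloc(n + 1);
    if (!p)
        return NULL;
    memcpy(p, ustr, n);
    p[n] = '\0';
    return p;
}

/* Stand-in for the FSOPEN auxiliary record: the last name logged is kept
 * so a test can check what would have reached the audit daemon. */
static char last_audited[PAGE_SIZE];

static void audit_log_fsopen(const char *fs_name)
{
    snprintf(last_audited, sizeof last_audited, "fs_name=\"%s\"", fs_name);
}

const char *last_audit_record(void)
{
    return last_audited;
}

/* Placement 1: log before the lookup, while the copy is still live. This
 * also records requests for unknown filesystem names, which then fail
 * with -ENODEV exactly as before. */
int fsopen_log_before_free(const char *_fs_name)
{
    struct file_system_type *fs_type;
    char *fs_name;

    fs_name = strndup_user(_fs_name, PAGE_SIZE);
    if (!fs_name)
        return -ENOMEM;

    audit_log_fsopen(fs_name);          /* buffer still valid here */
    fs_type = get_fs_type(fs_name);
    free(fs_name);                      /* kfree(fs_name) in the kernel */
    if (!fs_type)
        return -ENODEV;
    return 0;
}

/* Placement 2: keep the patch's position after the lookup, but log the
 * resolved type's own name, which outlives the temporary copy. Unknown
 * names return -ENODEV before any record is written. */
int fsopen_log_resolved_name(const char *_fs_name)
{
    struct file_system_type *fs_type;
    char *fs_name;

    fs_name = strndup_user(_fs_name, PAGE_SIZE);
    if (!fs_name)
        return -ENOMEM;

    fs_type = get_fs_type(fs_name);
    free(fs_name);
    if (!fs_type)
        return -ENODEV;

    audit_log_fsopen(fs_type->name);    /* not the freed fs_name */
    return 0;
}
```

The two placements differ in what the audit trail contains: logging before the lookup records every name a caller asked for, including probes for filesystems that are not registered, while logging from `fs_type->name` records only successful resolutions. Which is preferable is an audit-policy question; either one avoids reading the freed buffer.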
