CVE-2025-39840: audit: fix out-of-bounds read in audit_compare_dname_path()

CKI Backport Botrequested to merge
redhat/red-hat-ci-tools/kernel/bot-branches/centos-stream/src/kernel/centos-stream-9:backport-RHEL-119177-centos-stream-9-main into main

JIRA: https://issues.redhat.com/browse/RHEL-119177
CVE: CVE-2025-39840

commit 4540f1d23e7f387880ce46d11b5cd3f27248bf8d
Author: Stanislav Fort <stanislav.fort@aisle.com>
Date:   Tue Sep 2 14:00:49 2025 +0300

    audit: fix out-of-bounds read in audit_compare_dname_path()
    
    When a watch on dir=/ is combined with an fsnotify event for a
    single-character name directly under / (e.g., creating /a), an
    out-of-bounds read can occur in audit_compare_dname_path().
    
    The helper parent_len() returns 1 for "/". In audit_compare_dname_path(),
    when parentlen equals the full path length (1), the code sets p = path + 1
    and pathlen = 1 - 1 = 0. The subsequent loop then dereferences
    p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.
    
    Fix this by adding a pathlen > 0 check to the while loop condition
    to prevent the out-of-bounds access.
    
    Cc: stable@vger.kernel.org
    Fixes: e92eebb0d611 ("audit: fix suffixed '/' filename matching")
    Reported-by: Stanislav Fort <disclosure@aisle.com>
    Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
    Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
    [PM: subject tweak, sign-off email fixes]
    Signed-off-by: Paul Moore <paul@paul-moore.com>

Signed-off-by: CKI Backport Bot cki-ci-bot+cki-gitlab-backport-bot@redhat.com

Created 2025-10-03 13:06 UTC by backporter - KWF FAQ - Slack #team-kernel-workflow - Source - Documentation - Report an issue

Merge request reports