Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's audit subsystem can lead to an out-of-bounds read in the function audit_compare_dname_path(). The issue arises when an audit watch is placed on the root directory (dir=/) and an fsnotify event is raised for a single-character name directly under the root, such as creating a file named '/a'. The helper function parent_len() returns 1 for the root directory; when that value equals the full path length, the code adjusts the path pointer and length incorrectly, and the subsequent comparison loop dereferences memory beyond the intended bounds. The out-of-bounds read is reachable under these specific conditions and constitutes a potential security risk.
Exploitation of this vulnerability makes the kernel read memory outside the intended buffer, an out-of-bounds read that could be leveraged for attacks such as information disclosure or memory corruption.
To reproduce this vulnerability, place an audit watch on the root directory and trigger an fsnotify event for a single-character name directly under the root, such as '/a'. This combination causes audit_compare_dname_path() to read memory out of bounds.
Users can upgrade to the latest version of the Linux kernel, in which this vulnerability has been patched. The specific commit addressing this issue is available in the Linux kernel stable tree.