3 files changed, 24 insertions, 6 deletions

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 5e6180a4da7d..b563fbd4d122 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -204,7 +204,7 @@ int ima_store_template(struct ima_template_entry *entry, int violation,
                        struct inode *inode,
                        const unsigned char *filename, int pcr);
 void ima_free_template_entry(struct ima_template_entry *entry);
-const char *ima_d_path(const struct path *path, char **pathbuf);
+const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
 
 /* IMA policy related functions */
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 9df26a2b75ba..d01a52f8f708 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -318,7 +318,17 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
         iint->flags |= IMA_AUDITED;
 }
 
-const char *ima_d_path(const struct path *path, char **pathbuf)
+/*
+ * ima_d_path - return a pointer to the full pathname
+ *
+ * Attempt to return a pointer to the full pathname for use in the
+ * IMA measurement list, IMA audit records, and auditing logs.
+ *
+ * On failure, return a pointer to a copy of the filename, not dname.
+ * Returning a pointer to dname, could result in using the pointer
+ * after the memory has been freed.
+ */
+const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
 {
         char *pathname = NULL;
 
@@ -331,5 +341,11 @@ const char *ima_d_path(const struct path *path, char **pathbuf)
                         pathname = NULL;
                 }
         }
-        return pathname ?: (const char *)path->dentry->d_name.name;
+
+        if (!pathname) {
+                strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX);
+                pathname = namebuf;
+        }
+
+        return pathname;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 50818c60538b..d5e492bd2899 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -83,6 +83,7 @@ static void ima_rdwr_violation_check(struct file *file,
                                      const char **pathname)
 {
         struct inode *inode = file_inode(file);
+        char filename[NAME_MAX];
         fmode_t mode = file->f_mode;
         bool send_tomtou = false, send_writers = false;
 
@@ -102,7 +103,7 @@ static void ima_rdwr_violation_check(struct file *file,
         if (!send_tomtou && !send_writers)
                 return;
 
-        *pathname = ima_d_path(&file->f_path, pathbuf);
+        *pathname = ima_d_path(&file->f_path, pathbuf, filename);
 
         if (send_tomtou)
                 ima_add_violation(file, *pathname, iint,
@@ -161,6 +162,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
         struct integrity_iint_cache *iint = NULL;
         struct ima_template_desc *template_desc;
         char *pathbuf = NULL;
+        char filename[NAME_MAX];
         const char *pathname = NULL;
         int rc = -ENOMEM, action, must_appraise;
         int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
@@ -239,8 +241,8 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
                 goto out_digsig;
         }
 
-        if (!pathname)  /* ima_rdwr_violation possibly pre-fetched */
-                pathname = ima_d_path(&file->f_path, &pathbuf);
+        if (!pathbuf)   /* ima_rdwr_violation possibly pre-fetched */
+                pathname = ima_d_path(&file->f_path, &pathbuf, filename);
 
         if (action & IMA_MEASURE)
                 ima_store_measurement(iint, file, pathname,