From: Tyler Hicks <tyhicks@canonical.com>
To: Navid Emamdoost <navid.emamdoost@gmail.com>
Cc: emamd001@umn.edu, smccaman@umn.edu, kjlu@umn.edu,
John Johansen <john.johansen@canonical.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] apparmor: Fix use-after-free in aa_audit_rule_init
Date: Mon, 21 Oct 2019 11:08:14 -0500 [thread overview]
Message-ID: <20191021160814.GC12140@elm> (raw)
In-Reply-To: <20191021160532.7719-1-navid.emamdoost@gmail.com>
On 2019-10-21 11:05:31, Navid Emamdoost wrote:
> In the implementation of aa_audit_rule_init(), when aa_label_parse()
> fails the allocated memory for rule is released using
> aa_audit_rule_free(). But after this release, the return statement
> tries to access the label field of the rule which results in
> use-after-free. Before releasing the rule, copy errNo and return it
> after release.
>
> Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Thanks!
Tyler
> ---
> Changes in v3:
> -- applied Tyler Hicks recommendation on err initialization.
>
> security/apparmor/audit.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> index 5a98661a8b46..597732503815 100644
> --- a/security/apparmor/audit.c
> +++ b/security/apparmor/audit.c
> @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> GFP_KERNEL, true, false);
> if (IS_ERR(rule->label)) {
> + int err = PTR_ERR(rule->label);
> aa_audit_rule_free(rule);
> - return PTR_ERR(rule->label);
> + return err;
> }
>
> *vrule = rule;
> --
> 2.17.1
>
next prev parent reply other threads:[~2019-10-21 16:08 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-17 1:46 [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init Navid Emamdoost
2019-10-20 14:16 ` Markus Elfring
2019-10-20 18:49 ` John Johansen
2019-10-21 15:23 ` [PATCH v2] " Navid Emamdoost
2019-10-21 15:45 ` Tyler Hicks
2019-10-21 16:05 ` [PATCH v3] " Navid Emamdoost
2019-10-21 16:08 ` Tyler Hicks [this message]
2019-10-21 16:06 ` [PATCH v2] " Navid Emamdoost
2019-10-24 6:20 ` kbuild test robot
2019-10-24 8:48 ` kbuild test robot
2019-10-21 15:25 ` [PATCH] " Navid Emamdoost
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191021160814.GC12140@elm \
--to=tyhicks@canonical.com \
--cc=emamd001@umn.edu \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=kjlu@umn.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=navid.emamdoost@gmail.com \
--cc=serge@hallyn.com \
--cc=smccaman@umn.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).