* [PATCH] apparmor: fix use-after-free in policy replacement path
@ 2026-06-13 6:04 Junxiao Chang
From: Junxiao Chang @ 2026-06-13 6:04 UTC (permalink / raw)
To: john.johansen, paul, jmorris, serge, apparmor,
linux-security-module, linux-kernel
Cc: junxiao.chang
A use-after-free issue can be triggered when running the
following stress-ng workload:
```
sudo stress-ng --apparmor 0 --timeout 30 \
--oom-avoid-bytes 10% --skip-silent --verbose
```
The warning looks like:
```
refcount_t: addition on 0; use-after-free
aa_replace_profiles+0xbe5/0x12a0
policy_update+0xdb/0x170
profile_replace+0x4b/0xb0
```
The issue can be reproduced on both v7.1-rc7 and Ubuntu
6.17.0-35-generic kernels.
aa_get_profile_loaddata() requires the supplied loaddata object
to hold a valid reference. However, the loaddata reference count
may already have reached zero in the replacement loop, resulting
in a use-after-free condition.
Avoid calling aa_get_profile_loaddata() on loaddata objects with
a zero reference count and skip those entries instead.
Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference")
Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
---
security/apparmor/policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index b6a5eb4021dbd..98f84d4552697 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1220,7 +1220,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
/* check for duplicate rawdata blobs: space and file dedup */
if (!list_empty(&ns->rawdata_list)) {
list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
- if (aa_rawdata_eq(rawdata_ent, udata)) {
+ if (kref_read(&rawdata_ent->pcount) && aa_rawdata_eq(rawdata_ent, udata)) {
struct aa_loaddata *tmp;
tmp = aa_get_profile_loaddata(rawdata_ent);
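Review bot: the `kref_read(&rawdata_ent->pcount)` guard added in this hunk is a check-then-act: a concurrent put can drop the count to zero between the read and the `aa_get_profile_loaddata(rawdata_ent)` call two lines later, so the change narrows the window of the reported "addition on 0" rather than closing it. The usual kernel pattern is to make the acquire itself conditional (`kref_get_unless_zero()` inside the get helper, returning NULL on failure) and have the loop `continue` when the get fails, which also makes the skip visible at the point where the reference is actually taken. The commit message should additionally state why an entry whose count has already reached zero can still be on `ns->rawdata_list` when this loop runs, since that is what justifies skipping it instead of treating it as a list-maintenance bug.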
--
2.43.0
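The lifetime problem the commit message describes, shown in a constructed userspace model rather than AppArmor's own code. This is an added example and not part of the thread; `struct rawdata`, the reuse of the `pcount` field name, the `interleave_fn` hook that stands in for another CPU, and the `uaf_warnings` counter that mirrors the "addition on 0" warning are all assumptions made for the demonstration. It contrasts the patch's read-the-count-then-get shape with a `kref_get_unless_zero()`-style conditional acquire when a concurrent put drops the last reference between the two steps.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model (not AppArmor's struct) of a kref-counted rawdata entry
 * as it would sit on ns->rawdata_list. Only the reference count matters here.
 */
struct rawdata {
	atomic_int pcount;   /* stands in for rawdata_ent->pcount */
	bool freed;          /* set once the last reference is dropped */
};

/* Mirrors the "refcount_t: addition on 0; use-after-free" warning from the report. */
static int uaf_warnings;

/* Drop one reference; the last put "frees" the object (here: marks it dead). */
static void rawdata_put(struct rawdata *r)
{
	if (atomic_fetch_sub(&r->pcount, 1) == 1)
		r->freed = true;
}

/* Unconditional get, like kref_get(): incrementing a zero count is the reported UAF. */
static void rawdata_get(struct rawdata *r)
{
	if (atomic_fetch_add(&r->pcount, 1) == 0)
		uaf_warnings++;
}

/* kref_get_unless_zero() semantics: the check and the increment are one atomic step. */
static bool rawdata_get_unless_zero(struct rawdata *r)
{
	int old = atomic_load(&r->pcount);

	while (old != 0) {
		if (atomic_compare_exchange_weak(&r->pcount, &old, old + 1))
			return true;
		/* CAS failed: `old` now holds the current count and is re-checked */
	}
	return false;
}

/* Assumed hook: models another CPU running between two steps of the lookup. */
typedef void (*interleave_fn)(struct rawdata *);

/* The patch's shape: read the count, then take a reference in a separate step. */
static struct rawdata *dedup_read_then_get(struct rawdata *r, interleave_fn other_cpu)
{
	if (atomic_load(&r->pcount) == 0)
		return NULL;          /* entry skipped, as the patch intends */
	if (other_cpu)
		other_cpu(r);         /* window between kref_read() and the get */
	rawdata_get(r);
	return r;
}

/* Conditional acquire: no window in which the count is observed and then changes. */
static struct rawdata *dedup_get_unless_zero(struct rawdata *r, interleave_fn other_cpu)
{
	if (other_cpu)
		other_cpu(r);         /* same interference, before the atomic acquire */
	return rawdata_get_unless_zero(r) ? r : NULL;
}

/* Interference: the entry's only holder drops its reference. */
static void other_cpu_drops_last_ref(struct rawdata *r)
{
	rawdata_put(r);
}

/* Returns 1 if the read-then-get lookup handed back a freed object (the bug). */
int read_then_get_returns_freed_object(void)
{
	struct rawdata ent = { .pcount = 1, .freed = false };
	struct rawdata *got;

	uaf_warnings = 0;
	got = dedup_read_then_get(&ent, other_cpu_drops_last_ref);
	return got != NULL && ent.freed && uaf_warnings == 1;
}

/* Returns 1 if the conditional acquire correctly skipped the dying entry. */
int get_unless_zero_skips_dying_entry(void)
{
	struct rawdata ent = { .pcount = 1, .freed = false };
	struct rawdata *got;

	uaf_warnings = 0;
	got = dedup_get_unless_zero(&ent, other_cpu_drops_last_ref);
	return got == NULL && ent.freed && uaf_warnings == 0;
}

/* Returns the count after a successful get on a live entry (1 holder -> 2). */
int get_unless_zero_on_live_entry(void)
{
	struct rawdata ent = { .pcount = 1, .freed = false };

	if (!dedup_get_unless_zero(&ent, NULL))
		return -1;
	return atomic_load(&ent.pcount);
}

int main(void)
{
	printf("read-then-get hands back a freed object: %d\n", read_then_get_returns_freed_object());
	printf("get_unless_zero skips the dying entry:   %d\n", get_unless_zero_skips_dying_entry());
	printf("get_unless_zero on live entry -> count:  %d\n", get_unless_zero_on_live_entry());
	return 0;
}
```

Build with `cc -std=c11 -o dedup_race dedup_race.c` and run it; the interleave hook makes the race deterministic, which is the only way to show the difference without relying on scheduler timing. The takeaway for reviewing the patch is that the guard's read and the later get are two operations on a counter other CPUs can modify, so the acquire, not a preceding read, has to be the thing that refuses a zero count.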
* Re: [PATCH] apparmor: fix use-after-free in policy replacement path
From: John Johansen @ 2026-06-13 9:42 UTC (permalink / raw)
To: Junxiao Chang, paul, jmorris, serge, apparmor,
linux-security-module, linux-kernel
On 6/12/26 23:04, Junxiao Chang wrote:
> A use-after-free issue can be triggered when running the
> following stress-ng workload:
>
> ```
> sudo stress-ng --apparmor 0 --timeout 30 \
> --oom-avoid-bytes 10% --skip-silent --verbose
> ```
>
> The warning looks like:
>
> ```
> refcount_t: addition on 0; use-after-free
> aa_replace_profiles+0xbe5/0x12a0
> policy_update+0xdb/0x170
> profile_replace+0x4b/0xb0
> ```
>
> The issue can be reproduced on both v7.1-rc7 and Ubuntu
> 6.17.0-35-generic kernels.
>
> aa_get_profile_loaddata() requires the supplied loaddata object
> to hold a valid reference. However, the loaddata reference count
> may already have reached zero in the replacement loop, resulting
> in a use-after-free condition.
>
> Avoid calling aa_get_profile_loaddata() on loaddata objects with
> a zero reference count and skip those entries instead.
>
> Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference")
> Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
Sorry, I went with Ruslan Valiyev's earlier patch that fixes the same issue:
apparmor: fix use-after-free in rawdata dedup loop
> ---
> security/apparmor/policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index b6a5eb4021dbd..98f84d4552697 100644
> --- a/security/apparmor/policy.c
> +++ b/security/apparmor/policy.c
> @@ -1220,7 +1220,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
> /* check for duplicate rawdata blobs: space and file dedup */
> if (!list_empty(&ns->rawdata_list)) {
> list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
> - if (aa_rawdata_eq(rawdata_ent, udata)) {
> + if (kref_read(&rawdata_ent->pcount) && aa_rawdata_eq(rawdata_ent, udata)) {
> struct aa_loaddata *tmp;
>
> tmp = aa_get_profile_loaddata(rawdata_ent);