From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Qualys Security Advisory <qsa@qualys.com>,
Salvatore Bonaccorso <carnil@debian.org>,
Georgia Garcia <georgia.garcia@canonical.com>,
Cengiz Can <cengiz.can@canonical.com>,
Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>,
John Johansen <john.johansen@canonical.com>
Subject: [PATCH 6.18 04/13] apparmor: fix memory leak in verify_header
Date: Thu, 12 Mar 2026 21:03:45 +0100 [thread overview]
Message-ID: <20260312200326.409481409@linuxfoundation.org> (raw)
In-Reply-To: <20260312200326.246396673@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
commit e38c55d9f834e5b848bfed0f5c586aaf45acb825 upstream.
The function sets `*ns = NULL` on every call, leaking the namespace
string allocated in previous iterations when multiple profiles are
unpacked. This also breaks namespace consistency checking since *ns
is always NULL when the comparison is made.
Remove the incorrect assignment.
The caller (aa_unpack) initializes *ns to NULL once before the loop,
which is sufficient.
Fixes: dd51c8485763 ("apparmor: provide base for multiple profiles to be replaced at once")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy_unpack.c | 1 -
1 file changed, 1 deletion(-)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1177,7 +1177,6 @@ static int verify_header(struct aa_ext *
{
int error = -EPROTONOSUPPORT;
const char *name = NULL;
- *ns = NULL;
/* get the interface version */
if (!aa_unpack_u32(e, &e->version, "version")) {
next prev parent reply other threads:[~2026-03-12 20:05 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 20:03 [PATCH 6.18 00/13] 6.18.18-rc1 review Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 01/13] net/sched: act_gate: snapshot parameters with RCU on replace Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 02/13] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 03/13] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
2026-03-12 20:03 ` Greg Kroah-Hartman [this message]
2026-03-12 20:03 ` [PATCH 6.18 05/13] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 06/13] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 07/13] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 08/13] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 09/13] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 10/13] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 11/13] apparmor: fix differential encoding verification Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 12/13] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 13/13] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
2026-03-12 20:41 ` [PATCH 6.18 00/13] 6.18.18-rc1 review Brett A C Sheffield
2026-03-13 3:23 ` Shuah Khan
2026-03-13 5:24 ` Ron Economos
2026-03-13 10:56 ` Barry K. Nathan
2026-03-13 16:16 ` Jon Hunter
2026-03-13 16:40 ` Mark Brown
2026-03-13 18:03 ` Florian Fainelli
2026-03-13 21:15 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260312200326.409481409@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=carnil@debian.org \
--cc=cengiz.can@canonical.com \
--cc=georgia.garcia@canonical.com \
--cc=john.johansen@canonical.com \
--cc=massimiliano.pellizzer@canonical.com \
--cc=patches@lists.linux.dev \
--cc=qsa@qualys.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox