From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Qualys Security Advisory <qsa@qualys.com>,
Salvatore Bonaccorso <carnil@debian.org>,
Georgia Garcia <georgia.garcia@canonical.com>,
Cengiz Can <cengiz.can@canonical.com>,
John Johansen <john.johansen@canonical.com>
Subject: [PATCH 6.18 09/13] apparmor: Fix double free of ns_name in aa_replace_profiles()
Date: Thu, 12 Mar 2026 21:03:50 +0100 [thread overview]
Message-ID: <20260312200326.586390381@linuxfoundation.org> (raw)
In-Reply-To: <20260312200326.246396673@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 5df0c44e8f5f619d3beb871207aded7c78414502 upstream.
if ns_name is NULL after
1071 error = aa_unpack(udata, &lh, &ns_name);
and if ent->ns_name contains an ns_name in
1089 } else if (ent->ns_name) {
then ns_name is assigned the ent->ns_name
1095 ns_name = ent->ns_name;
however ent->ns_name is freed at
1262 aa_load_ent_free(ent);
and then again when freeing ns_name at
1270 kfree(ns_name);
Fix this by NULLing out ent->ns_name after it is transferred to ns_name
Fixes: 145a0ef21c8e9 ("apparmor: fix blob compression when ns is forced on a policy load
")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy.c | 1 +
1 file changed, 1 insertion(+)
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1149,6 +1149,7 @@ ssize_t aa_replace_profiles(struct aa_ns
goto fail;
}
ns_name = ent->ns_name;
+ ent->ns_name = NULL;
} else
count++;
}
next prev parent reply other threads:[~2026-03-12 20:05 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 20:03 [PATCH 6.18 00/13] 6.18.18-rc1 review Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 01/13] net/sched: act_gate: snapshot parameters with RCU on replace Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 02/13] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 03/13] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 04/13] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 05/13] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 06/13] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 07/13] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 08/13] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
2026-03-12 20:03 ` Greg Kroah-Hartman [this message]
2026-03-12 20:03 ` [PATCH 6.18 10/13] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 11/13] apparmor: fix differential encoding verification Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 12/13] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.18 13/13] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
2026-03-12 20:41 ` [PATCH 6.18 00/13] 6.18.18-rc1 review Brett A C Sheffield
2026-03-13 3:23 ` Shuah Khan
2026-03-13 5:24 ` Ron Economos
2026-03-13 10:56 ` Barry K. Nathan
2026-03-13 16:16 ` Jon Hunter
2026-03-13 16:40 ` Mark Brown
2026-03-13 18:03 ` Florian Fainelli
2026-03-13 21:15 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260312200326.586390381@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=carnil@debian.org \
--cc=cengiz.can@canonical.com \
--cc=georgia.garcia@canonical.com \
--cc=john.johansen@canonical.com \
--cc=patches@lists.linux.dev \
--cc=qsa@qualys.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox