[PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[Mickaël Salaün]

selinux_lsm_getattr() may not initialize the value's pointer in some
case.  As for proc_pid_attr_read(), initialize this pointer to NULL in
selinux_getselfattr() to avoid an UAF in the kfree() call.

Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: stable@vger.kernel.org
Fixes: 762c934317e6 ("SELinux: Add selfattr hooks")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a6bf90ace84c..338b023a8c3e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6559,7 +6559,7 @@ static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
 			       size_t *size, u32 flags)
 {
 	int rc;
-	char *val;
+	char *val = NULL;
 	int val_len;
 
 	val_len = selinux_lsm_getattr(attr, current, &val);
-- 
2.43.0

[PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[Mickaël Salaün]

aa_getprocattr() may not initialize the value's pointer in some case.
As for proc_pid_attr_read(), initialize this pointer to NULL in
apparmor_getselfattr() to avoid an UAF in the kfree() call.

Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: stable@vger.kernel.org
Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
 security/apparmor/lsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 98e1150bee9d..9a3dcaafb5b1 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -784,7 +784,7 @@ static int apparmor_getselfattr(unsigned int attr, struct lsm_ctx __user *lx,
 	int error = -ENOENT;
 	struct aa_task_ctx *ctx = task_ctx(current);
 	struct aa_label *label = NULL;
-	char *value;
+	char *value = NULL;
 
 	switch (attr) {
 	case LSM_ATTR_CURRENT:
-- 
2.43.0

Re: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[Mickaël Salaün]

These bugs have been found with syzkaller. I just sent a PR to add
support for the new LSM syscalls:
https://github.com/google/syzkaller/pull/4524


On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote:
> selinux_lsm_getattr() may not initialize the value's pointer in some
> case.  As for proc_pid_attr_read(), initialize this pointer to NULL in
> selinux_getselfattr() to avoid an UAF in the kfree() call.
> 
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: stable@vger.kernel.org
> Fixes: 762c934317e6 ("SELinux: Add selfattr hooks")
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> ---
>  security/selinux/hooks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index a6bf90ace84c..338b023a8c3e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6559,7 +6559,7 @@ static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
>  			       size_t *size, u32 flags)
>  {
>  	int rc;
> -	char *val;
> +	char *val = NULL;
>  	int val_len;
>  
>  	val_len = selinux_lsm_getattr(attr, current, &val);
> -- 
> 2.43.0
> 

Re: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[Mickaël Salaün]

On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote:
> selinux_lsm_getattr() may not initialize the value's pointer in some
> case.  As for proc_pid_attr_read(), initialize this pointer to NULL in
> selinux_getselfattr() to avoid an UAF in the kfree() call.

Not UAF but NULL pointer dereference (both patches)...

Re: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[Mickaël Salaün]

On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote:
> On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote:
> > selinux_lsm_getattr() may not initialize the value's pointer in some
> > case.  As for proc_pid_attr_read(), initialize this pointer to NULL in
> > selinux_getselfattr() to avoid an UAF in the kfree() call.
> 
> Not UAF but NULL pointer dereference (both patches)...

Well, that may be the result (as observed with the kfree() call), but
the cause is obviously an uninitialized pointer.

Re: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[Paul Moore]

On Fri, Feb 23, 2024 at 2:17 PM Mickaël Salaün <mic@digikod.net> wrote:
> These bugs have been found with syzkaller. I just sent a PR to add
> support for the new LSM syscalls:
> https://github.com/google/syzkaller/pull/4524

Thanks :)

-- 
paul-moore.com

Re: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[Paul Moore]

On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote:
>
> On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote:
> > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote:
> > > selinux_lsm_getattr() may not initialize the value's pointer in some
> > > case.  As for proc_pid_attr_read(), initialize this pointer to NULL in
> > > selinux_getselfattr() to avoid an UAF in the kfree() call.
> >
> > Not UAF but NULL pointer dereference (both patches)...
>
> Well, that may be the result (as observed with the kfree() call), but
> the cause is obviously an uninitialized pointer.

Adding the SELinux list to the CC line; SELinux folks the original post is here:

* https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net

Thanks for finding this and testing the patch, based on our off-list
discussion, do you mind if I add a Suggested-by?  Looking at this a
bit more I think we'll want to make a few changes to
selinux_lsm_getattr() later, but this patch is a good one for stable
as it not only fixes the bug, but it is a trivial one-liner with very
low risk.

I do think we need to tweak the commit description a bit, what do you
think of the following?

  "selinux_getselfattr() doesn't properly initialize the string
   pointer it passes to selinux_lsm_getattr() which can cause a
   problem when an attribute hasn't been explicitly set;
   selinux_lsm_getattr() returns 0/success, but does not set or
   initialize the string label/attribute.  Failure to properly
   initialize the string causes problems later in
   selinux_getselfattr() when the function attempts to kfree()
   the string."

-- 
paul-moore.com

Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[Paul Moore]

On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün <mic@digikod.net> wrote:
>
> aa_getprocattr() may not initialize the value's pointer in some case.
> As for proc_pid_attr_read(), initialize this pointer to NULL in
> apparmor_getselfattr() to avoid an UAF in the kfree() call.
>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> Cc: John Johansen <john.johansen@canonical.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: stable@vger.kernel.org
> Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> ---
>  security/apparmor/lsm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

If you like John, I can send this up to Linus with the related SELinux
fix, I would just need an ACK from you.

> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 98e1150bee9d..9a3dcaafb5b1 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -784,7 +784,7 @@ static int apparmor_getselfattr(unsigned int attr, struct lsm_ctx __user *lx,
>         int error = -ENOENT;
>         struct aa_task_ctx *ctx = task_ctx(current);
>         struct aa_label *label = NULL;
> -       char *value;
> +       char *value = NULL;
>
>         switch (attr) {
>         case LSM_ATTR_CURRENT:
> --
> 2.43.0

-- 
paul-moore.com

Re: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[Mickaël Salaün]

On Fri, Feb 23, 2024 at 04:05:16PM -0500, Paul Moore wrote:
> On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote:
> >
> > On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote:
> > > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote:
> > > > selinux_lsm_getattr() may not initialize the value's pointer in some
> > > > case.  As for proc_pid_attr_read(), initialize this pointer to NULL in
> > > > selinux_getselfattr() to avoid an UAF in the kfree() call.
> > >
> > > Not UAF but NULL pointer dereference (both patches)...
> >
> > Well, that may be the result (as observed with the kfree() call), but
> > the cause is obviously an uninitialized pointer.
> 
> Adding the SELinux list to the CC line; SELinux folks the original post is here:
> 
> * https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net
> 
> Thanks for finding this and testing the patch, based on our off-list
> discussion, do you mind if I add a Suggested-by?  Looking at this a

Sure! I was in a hurry and didn't give it the attention it needed...

> bit more I think we'll want to make a few changes to
> selinux_lsm_getattr() later, but this patch is a good one for stable
> as it not only fixes the bug, but it is a trivial one-liner with very
> low risk.
> 
> I do think we need to tweak the commit description a bit, what do you
> think of the following?
> 
>   "selinux_getselfattr() doesn't properly initialize the string
>    pointer it passes to selinux_lsm_getattr() which can cause a
>    problem when an attribute hasn't been explicitly set;
>    selinux_lsm_getattr() returns 0/success, but does not set or
>    initialize the string label/attribute.  Failure to properly
>    initialize the string causes problems later in
>    selinux_getselfattr() when the function attempts to kfree()
>    the string."

Much better!

Re: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()

[Paul Moore]

On Fri, Feb 23, 2024 at 5:03 PM Mickaël Salaün <mic@digikod.net> wrote:
> On Fri, Feb 23, 2024 at 04:05:16PM -0500, Paul Moore wrote:
> > On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote:
> > >
> > > On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote:
> > > > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote:
> > > > > selinux_lsm_getattr() may not initialize the value's pointer in some
> > > > > case.  As for proc_pid_attr_read(), initialize this pointer to NULL in
> > > > > selinux_getselfattr() to avoid an UAF in the kfree() call.
> > > >
> > > > Not UAF but NULL pointer dereference (both patches)...
> > >
> > > Well, that may be the result (as observed with the kfree() call), but
> > > the cause is obviously an uninitialized pointer.
> >
> > Adding the SELinux list to the CC line; SELinux folks the original post is here:
> >
> > * https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net
> >
> > Thanks for finding this and testing the patch, based on our off-list
> > discussion, do you mind if I add a Suggested-by?  Looking at this a
>
> Sure! I was in a hurry and didn't give it the attention it needed...
>
> > bit more I think we'll want to make a few changes to
> > selinux_lsm_getattr() later, but this patch is a good one for stable
> > as it not only fixes the bug, but it is a trivial one-liner with very
> > low risk.
> >
> > I do think we need to tweak the commit description a bit, what do you
> > think of the following?
> >
> >   "selinux_getselfattr() doesn't properly initialize the string
> >    pointer it passes to selinux_lsm_getattr() which can cause a
> >    problem when an attribute hasn't been explicitly set;
> >    selinux_lsm_getattr() returns 0/success, but does not set or
> >    initialize the string label/attribute.  Failure to properly
> >    initialize the string causes problems later in
> >    selinux_getselfattr() when the function attempts to kfree()
> >    the string."
>
> Much better!

Great :)  I just went ahead and merged this into the lsm/stable-6.8
branch to get this some testing in linux-next, although I'm going to
be *shocked* if this commit causes a regression.  I'll send this up to
Linus early next week, and if John wants me to send the AppArmor patch
I'll do that at the same time.

-- 
paul-moore.com

Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[Paul Moore]

On Fri, Feb 23, 2024 at 4:07 PM Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün <mic@digikod.net> wrote:
> >
> > aa_getprocattr() may not initialize the value's pointer in some case.
> > As for proc_pid_attr_read(), initialize this pointer to NULL in
> > apparmor_getselfattr() to avoid an UAF in the kfree() call.
> >
> > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > Cc: John Johansen <john.johansen@canonical.com>
> > Cc: Paul Moore <paul@paul-moore.com>
> > Cc: stable@vger.kernel.org
> > Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
> > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > ---
> >  security/apparmor/lsm.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> If you like John, I can send this up to Linus with the related SELinux
> fix, I would just need an ACK from you.

Reviewed-by: Paul Moore <paul@paul-moore.com>

This patch looks good to me, and while we've still got at least two
(maybe three?) more weeks before v6.8 is tagged, I think it would be
good to get this up to Linus ASAP.  I'll hold off for another day, but
if we don't see any comment from John I'll go ahead and merge this and
send it up to Linus with the SELinux fix; I'm sure John wouldn't be
happy if v6.8 went out the door without this fix.

> > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > index 98e1150bee9d..9a3dcaafb5b1 100644
> > --- a/security/apparmor/lsm.c
> > +++ b/security/apparmor/lsm.c
> > @@ -784,7 +784,7 @@ static int apparmor_getselfattr(unsigned int attr, struct lsm_ctx __user *lx,
> >         int error = -ENOENT;
> >         struct aa_task_ctx *ctx = task_ctx(current);
> >         struct aa_label *label = NULL;
> > -       char *value;
> > +       char *value = NULL;
> >
> >         switch (attr) {
> >         case LSM_ATTR_CURRENT:
> > --
> > 2.43.0

-- 
paul-moore.com

Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[Paul Moore]

On Mon, Feb 26, 2024 at 2:59 PM Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Feb 23, 2024 at 4:07 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün <mic@digikod.net> wrote:
> > >
> > > aa_getprocattr() may not initialize the value's pointer in some case.
> > > As for proc_pid_attr_read(), initialize this pointer to NULL in
> > > apparmor_getselfattr() to avoid an UAF in the kfree() call.
> > >
> > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > Cc: John Johansen <john.johansen@canonical.com>
> > > Cc: Paul Moore <paul@paul-moore.com>
> > > Cc: stable@vger.kernel.org
> > > Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
> > > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > > ---
> > >  security/apparmor/lsm.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > If you like John, I can send this up to Linus with the related SELinux
> > fix, I would just need an ACK from you.
>
> Reviewed-by: Paul Moore <paul@paul-moore.com>
>
> This patch looks good to me, and while we've still got at least two
> (maybe three?) more weeks before v6.8 is tagged, I think it would be
> good to get this up to Linus ASAP.  I'll hold off for another day, but
> if we don't see any comment from John I'll go ahead and merge this and
> send it up to Linus with the SELinux fix; I'm sure John wouldn't be
> happy if v6.8 went out the door without this fix.

I just merged this into lsm/stable-6.8 and once the automated
build/test has done it's thing and come back clean I'll send this,
along with the associated SELinux fix, up to Linus.  Thanks all.

John, if this commit is problematic please let me know and I'll send a
fix or a revert.

-- 
paul-moore.com

Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[Paul Moore]

On Tue, Feb 27, 2024 at 11:01 AM Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Feb 26, 2024 at 2:59 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Feb 23, 2024 at 4:07 PM Paul Moore <paul@paul-moore.com> wrote:
> > > On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün <mic@digikod.net> wrote:
> > > >
> > > > aa_getprocattr() may not initialize the value's pointer in some case.
> > > > As for proc_pid_attr_read(), initialize this pointer to NULL in
> > > > apparmor_getselfattr() to avoid an UAF in the kfree() call.
> > > >
> > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > Cc: John Johansen <john.johansen@canonical.com>
> > > > Cc: Paul Moore <paul@paul-moore.com>
> > > > Cc: stable@vger.kernel.org
> > > > Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
> > > > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > > > ---
> > > >  security/apparmor/lsm.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > If you like John, I can send this up to Linus with the related SELinux
> > > fix, I would just need an ACK from you.
> >
> > Reviewed-by: Paul Moore <paul@paul-moore.com>
> >
> > This patch looks good to me, and while we've still got at least two
> > (maybe three?) more weeks before v6.8 is tagged, I think it would be
> > good to get this up to Linus ASAP.  I'll hold off for another day, but
> > if we don't see any comment from John I'll go ahead and merge this and
> > send it up to Linus with the SELinux fix; I'm sure John wouldn't be
> > happy if v6.8 went out the door without this fix.
>
> I just merged this into lsm/stable-6.8 and once the automated
> build/test has done it's thing and come back clean I'll send this,
> along with the associated SELinux fix, up to Linus.  Thanks all.

In off-list discussions with Mickaël today it was noted that this
patch also needs a fixup to the commit description so I've replaced it
with the following:

  "In apparmor_getselfattr() when an invalid AppArmor
   attribute is requested, or a value hasn't been explicitly
   set for the requested attribute, the label passed to
   aa_put_label() is not properly initialized which can cause
   problems when the pointer value is non-NULL and AppArmor
   attempts to drop a reference on the bogus label object."

I've updated the commit in lsm/stable-6.8 and I'll be sending it to
Linus shortly.

> John, if this commit is problematic please let me know and I'll send a
> fix or a revert.

-- 
paul-moore.com

Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[Paul Moore]

On Tue, Feb 27, 2024 at 5:09 PM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Feb 27, 2024 at 11:01 AM Paul Moore <paul@paul-moore.com> wrote:
> > On Mon, Feb 26, 2024 at 2:59 PM Paul Moore <paul@paul-moore.com> wrote:
> > > On Fri, Feb 23, 2024 at 4:07 PM Paul Moore <paul@paul-moore.com> wrote:
> > > > On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün <mic@digikod.net> wrote:
> > > > >
> > > > > aa_getprocattr() may not initialize the value's pointer in some case.
> > > > > As for proc_pid_attr_read(), initialize this pointer to NULL in
> > > > > apparmor_getselfattr() to avoid an UAF in the kfree() call.
> > > > >
> > > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > > Cc: John Johansen <john.johansen@canonical.com>
> > > > > Cc: Paul Moore <paul@paul-moore.com>
> > > > > Cc: stable@vger.kernel.org
> > > > > Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
> > > > > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > > > > ---
> > > > >  security/apparmor/lsm.c | 2 +-
> > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > If you like John, I can send this up to Linus with the related SELinux
> > > > fix, I would just need an ACK from you.
> > >
> > > Reviewed-by: Paul Moore <paul@paul-moore.com>
> > >
> > > This patch looks good to me, and while we've still got at least two
> > > (maybe three?) more weeks before v6.8 is tagged, I think it would be
> > > good to get this up to Linus ASAP.  I'll hold off for another day, but
> > > if we don't see any comment from John I'll go ahead and merge this and
> > > send it up to Linus with the SELinux fix; I'm sure John wouldn't be
> > > happy if v6.8 went out the door without this fix.
> >
> > I just merged this into lsm/stable-6.8 and once the automated
> > build/test has done it's thing and come back clean I'll send this,
> > along with the associated SELinux fix, up to Linus.  Thanks all.
>
> In off-list discussions with Mickaël today it was noted that this
> patch also needs a fixup to the commit description so I've replaced it
> with the following:
>
>   "In apparmor_getselfattr() when an invalid AppArmor
>    attribute is requested, or a value hasn't been explicitly
>    set for the requested attribute, the label passed to
>    aa_put_label() is not properly initialized which can cause
>    problems when the pointer value is non-NULL and AppArmor
>    attempts to drop a reference on the bogus label object."
>
> I've updated the commit in lsm/stable-6.8 and I'll be sending it to
> Linus shortly.
>
> > John, if this commit is problematic please let me know and I'll send a
> > fix or a revert.

I also just realized that both this patch and the SELinux have the
stable kernel marking which shouldn't be necessary as the LSM syscalls
are only present in the v6.8-rcX kernels.  I'm going to drop the
stable tagging, but leave the 'Fixes:' tag of course.

-- 
paul-moore.com

Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[Mickaël Salaün]

On Tue, Feb 27, 2024 at 05:13:58PM -0500, Paul Moore wrote:
> On Tue, Feb 27, 2024 at 5:09 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Feb 27, 2024 at 11:01 AM Paul Moore <paul@paul-moore.com> wrote:
> > > On Mon, Feb 26, 2024 at 2:59 PM Paul Moore <paul@paul-moore.com> wrote:
> > > > On Fri, Feb 23, 2024 at 4:07 PM Paul Moore <paul@paul-moore.com> wrote:
> > > > > On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün <mic@digikod.net> wrote:
> > > > > >
> > > > > > aa_getprocattr() may not initialize the value's pointer in some case.
> > > > > > As for proc_pid_attr_read(), initialize this pointer to NULL in
> > > > > > apparmor_getselfattr() to avoid an UAF in the kfree() call.
> > > > > >
> > > > > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > > > > Cc: John Johansen <john.johansen@canonical.com>
> > > > > > Cc: Paul Moore <paul@paul-moore.com>
> > > > > > Cc: stable@vger.kernel.org
> > > > > > Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
> > > > > > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > > > > > ---
> > > > > >  security/apparmor/lsm.c | 2 +-
> > > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > >
> > > > > If you like John, I can send this up to Linus with the related SELinux
> > > > > fix, I would just need an ACK from you.
> > > >
> > > > Reviewed-by: Paul Moore <paul@paul-moore.com>
> > > >
> > > > This patch looks good to me, and while we've still got at least two
> > > > (maybe three?) more weeks before v6.8 is tagged, I think it would be
> > > > good to get this up to Linus ASAP.  I'll hold off for another day, but
> > > > if we don't see any comment from John I'll go ahead and merge this and
> > > > send it up to Linus with the SELinux fix; I'm sure John wouldn't be
> > > > happy if v6.8 went out the door without this fix.
> > >
> > > I just merged this into lsm/stable-6.8 and once the automated
> > > build/test has done it's thing and come back clean I'll send this,
> > > along with the associated SELinux fix, up to Linus.  Thanks all.
> >
> > In off-list discussions with Mickaël today it was noted that this
> > patch also needs a fixup to the commit description so I've replaced it
> > with the following:
> >
> >   "In apparmor_getselfattr() when an invalid AppArmor
> >    attribute is requested, or a value hasn't been explicitly
> >    set for the requested attribute, the label passed to
> >    aa_put_label() is not properly initialized which can cause
> >    problems when the pointer value is non-NULL and AppArmor
> >    attempts to drop a reference on the bogus label object."
> >
> > I've updated the commit in lsm/stable-6.8 and I'll be sending it to
> > Linus shortly.
> >
> > > John, if this commit is problematic please let me know and I'll send a
> > > fix or a revert.
> 
> I also just realized that both this patch and the SELinux have the
> stable kernel marking which shouldn't be necessary as the LSM syscalls
> are only present in the v6.8-rcX kernels.  I'm going to drop the
> stable tagging, but leave the 'Fixes:' tag of course.

Looks good, thanks!

> 
> -- 
> paul-moore.com
> 

Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[John Johansen]

On 2/27/24 08:01, Paul Moore wrote:
> On Mon, Feb 26, 2024 at 2:59 PM Paul Moore <paul@paul-moore.com> wrote:
>> On Fri, Feb 23, 2024 at 4:07 PM Paul Moore <paul@paul-moore.com> wrote:
>>> On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün <mic@digikod.net> wrote:
>>>>
>>>> aa_getprocattr() may not initialize the value's pointer in some case.
>>>> As for proc_pid_attr_read(), initialize this pointer to NULL in
>>>> apparmor_getselfattr() to avoid an UAF in the kfree() call.
>>>>
>>>> Cc: Casey Schaufler <casey@schaufler-ca.com>
>>>> Cc: John Johansen <john.johansen@canonical.com>
>>>> Cc: Paul Moore <paul@paul-moore.com>
>>>> Cc: stable@vger.kernel.org
>>>> Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
>>>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>>>> ---
>>>>   security/apparmor/lsm.c | 2 +-
>>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> If you like John, I can send this up to Linus with the related SELinux
>>> fix, I would just need an ACK from you.
>>
>> Reviewed-by: Paul Moore <paul@paul-moore.com>
>>
>> This patch looks good to me, and while we've still got at least two
>> (maybe three?) more weeks before v6.8 is tagged, I think it would be
>> good to get this up to Linus ASAP.  I'll hold off for another day, but
>> if we don't see any comment from John I'll go ahead and merge this and
>> send it up to Linus with the SELinux fix; I'm sure John wouldn't be
>> happy if v6.8 went out the door without this fix.
> 
> I just merged this into lsm/stable-6.8 and once the automated
> build/test has done it's thing and come back clean I'll send this,
> along with the associated SELinux fix, up to Linus.  Thanks all.
> 
> John, if this commit is problematic please let me know and I'll send a
> fix or a revert.
> 

sorry, I am still trying to dig out of my backlog. This is good, you can
certainly have my ACK, I know its already in tree so no point in adding
it there but wanted to just make sure its on list

Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()

[Paul Moore]

On Fri, May 10, 2024 at 12:10 PM John Johansen
<john.johansen@canonical.com> wrote:
> On 2/27/24 08:01, Paul Moore wrote:
> > On Mon, Feb 26, 2024 at 2:59 PM Paul Moore <paul@paul-moore.com> wrote:
> >> On Fri, Feb 23, 2024 at 4:07 PM Paul Moore <paul@paul-moore.com> wrote:
> >>> On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün <mic@digikod.net> wrote:
> >>>>
> >>>> aa_getprocattr() may not initialize the value's pointer in some case.
> >>>> As for proc_pid_attr_read(), initialize this pointer to NULL in
> >>>> apparmor_getselfattr() to avoid an UAF in the kfree() call.
> >>>>
> >>>> Cc: Casey Schaufler <casey@schaufler-ca.com>
> >>>> Cc: John Johansen <john.johansen@canonical.com>
> >>>> Cc: Paul Moore <paul@paul-moore.com>
> >>>> Cc: stable@vger.kernel.org
> >>>> Fixes: 223981db9baf ("AppArmor: Add selfattr hooks")
> >>>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> >>>> ---
> >>>>   security/apparmor/lsm.c | 2 +-
> >>>>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> If you like John, I can send this up to Linus with the related SELinux
> >>> fix, I would just need an ACK from you.
> >>
> >> Reviewed-by: Paul Moore <paul@paul-moore.com>
> >>
> >> This patch looks good to me, and while we've still got at least two
> >> (maybe three?) more weeks before v6.8 is tagged, I think it would be
> >> good to get this up to Linus ASAP.  I'll hold off for another day, but
> >> if we don't see any comment from John I'll go ahead and merge this and
> >> send it up to Linus with the SELinux fix; I'm sure John wouldn't be
> >> happy if v6.8 went out the door without this fix.
> >
> > I just merged this into lsm/stable-6.8 and once the automated
> > build/test has done it's thing and come back clean I'll send this,
> > along with the associated SELinux fix, up to Linus.  Thanks all.
> >
> > John, if this commit is problematic please let me know and I'll send a
> > fix or a revert.
>
> sorry, I am still trying to dig out of my backlog. This is good, you can
> certainly have my ACK, I know its already in tree so no point in adding
> it there but wanted to just make sure its on list

No worries, reviews are still appreciated; just because a patch has
made its way up to Linus is no guarantee there isn't something wrong
with it ;)

-- 
paul-moore.com