From: Navid Emamdoost <navid.emamdoost@gmail.com>
To: tyhicks@canonical.com
Cc: emamd001@umn.edu, smccaman@umn.edu, kjlu@umn.edu,
Navid Emamdoost <navid.emamdoost@gmail.com>,
John Johansen <john.johansen@canonical.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v3] apparmor: Fix use-after-free in aa_audit_rule_init
Date: Mon, 21 Oct 2019 11:05:31 -0500 [thread overview]
Message-ID: <20191021160532.7719-1-navid.emamdoost@gmail.com> (raw)
In-Reply-To: <20191021154533.GB12140@elm>
In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release, the return statement
tries to access the label field of the rule which results in
use-after-free. Before releasing the rule, copy errNo and return it
after release.
Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
Changes in v3:
-- applied Tyler Hicks recommendation on err initialization.
security/apparmor/audit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..597732503815 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
GFP_KERNEL, true, false);
if (IS_ERR(rule->label)) {
+ int err = PTR_ERR(rule->label);
aa_audit_rule_free(rule);
- return PTR_ERR(rule->label);
+ return err;
}
*vrule = rule;
--
2.17.1
next prev parent reply other threads:[~2019-10-21 16:05 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-17 1:46 [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init Navid Emamdoost
2019-10-20 14:16 ` Markus Elfring
2019-10-20 14:16 ` Markus Elfring
2019-10-20 18:49 ` John Johansen
2019-10-20 18:49 ` John Johansen
2019-10-21 15:23 ` [PATCH v2] " Navid Emamdoost
2019-10-21 15:45 ` Tyler Hicks
2019-10-21 16:05 ` Navid Emamdoost [this message]
2019-10-21 16:08 ` [PATCH v3] " Tyler Hicks
2019-10-21 16:06 ` [PATCH v2] " Navid Emamdoost
2019-10-24 6:20 ` kbuild test robot
2019-10-24 6:20 ` kbuild test robot
2019-10-24 8:48 ` kbuild test robot
2019-10-24 8:48 ` kbuild test robot
2019-10-21 15:25 ` [PATCH] " Navid Emamdoost
2019-10-21 15:25 ` Navid Emamdoost
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191021160532.7719-1-navid.emamdoost@gmail.com \
--to=navid.emamdoost@gmail.com \
--cc=emamd001@umn.edu \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=kjlu@umn.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=smccaman@umn.edu \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.