From: Dan Carpenter <dan.carpenter@oracle.com>
To: mjg59@google.com
Cc: linux-security-module@vger.kernel.org
Subject: [bug report] apparmor: Parse secmark policy
Date: Wed, 10 Oct 2018 13:42:28 +0300 [thread overview]
Message-ID: <20181010104228.GA15360@mwanda> (raw)
Hello Matthew Garrett,
The patch 9caafbe2b4cf: "apparmor: Parse secmark policy" from May 24,
2018, leads to the following static checker warning:
security/apparmor/policy_unpack.c:580 unpack_secmark()
warn: should '(struct aa_profile)->secmark' be freed with kzfree()'
security/apparmor/policy_unpack.c
558 profile->secmark_count = size;
559
560 for (i = 0; i < size; i++) {
561 if (!unpack_u8(e, &profile->secmark[i].audit, NULL))
562 goto fail;
563 if (!unpack_u8(e, &profile->secmark[i].deny, NULL))
564 goto fail;
565 if (!unpack_strdup(e, &profile->secmark[i].label, NULL))
566 goto fail;
567 }
568 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
569 goto fail;
570 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
571 goto fail;
572 }
573
574 return 1;
575
576 fail:
577 if (profile->secmark) {
578 for (i = 0; i < size; i++)
579 kfree(profile->secmark[i].label);
^^^^^^^^^^^^^^^^^^^^^^^^^
580 kfree(profile->secmark);
^^^^^^^^^^^^^^^^
Smatch thinks that these need to be zeroed for security. I don't know
the details though.
581 profile->secmark_count = 0;
582 }
583
584 e->pos = pos;
585 return 0;
586 }
regards,
dan carpenter
next reply other threads:[~2018-10-10 10:42 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-10 10:42 Dan Carpenter [this message]
2018-10-10 16:04 ` [bug report] apparmor: Parse secmark policy Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181010104228.GA15360@mwanda \
--to=dan.carpenter@oracle.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).