[PATCH] apparmor: Fix use-after-free in aa_audit_rule_init

[PATCH] apparmor: Fix use-after-free in aa_audit_rule_init

[Navid Emamdoost]

In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release the the return statement
tries to access the label field of the rule which results in
use-after-free. Before releaseing the rule, copy errNo and return it
after releasing rule.

Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
 security/apparmor/audit.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..48c15fb0aafe 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -178,6 +178,7 @@ void aa_audit_rule_free(void *vrule)
 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 {
 	struct aa_audit_rule *rule;
+	int err;
 
 	switch (field) {
 	case AUDIT_SUBJ_ROLE:
@@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
 				     GFP_KERNEL, true, false);
 	if (IS_ERR(rule->label)) {
+		err = rule->label;
 		aa_audit_rule_free(rule);
-		return PTR_ERR(rule->label);
+		return PTR_ERR(err);
 	}
 
 	*vrule = rule;
-- 
2.17.1

Re: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init

[Markus Elfring]

> … But after this release the the return statement
> tries to access the label field of the rule which results in
> use-after-free. Before releaseing the rule, copy errNo and return it
> after releasing rule.

Please avoid a duplicate word and a typo in this change description.


…
> +++ b/security/apparmor/audit.c
…
> @@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
>  	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
>  				     GFP_KERNEL, true, false);
>  	if (IS_ERR(rule->label)) {
> +		err = rule->label;

How do you think about to define the added local variable in this if branch directly?

+		int err = rule->label;

>  		aa_audit_rule_free(rule);
> -		return PTR_ERR(rule->label);
> +		return PTR_ERR(err);
>  	}
>
>  	*vrule = rule;


Regards,
Markus

Re: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init

[John Johansen]

On 10/20/19 7:16 AM, Markus Elfring wrote:
>> … But after this release the the return statement
>> tries to access the label field of the rule which results in
>> use-after-free. Before releaseing the rule, copy errNo and return it
>> after releasing rule.
> 
Navid thanks for finding this, and Markus thanks for the review

> Please avoid a duplicate word and a typo in this change description.
> My preference would be a v2 version of the patch with the small clean-ups
that Markus has pointed out.

If I don't see a v2 this week I can pull this one in and do the revisions
myself adding a little fix-up note.

> 
> …
>> +++ b/security/apparmor/audit.c
> …
>> @@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
>>  	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
>>  				     GFP_KERNEL, true, false);
>>  	if (IS_ERR(rule->label)) {
>> +		err = rule->label;
> 
> How do you think about to define the added local variable in this if branch directly?
> 
> +		int err = rule->label;
> 

yes, since err isn't defined or in use else where this would be preferable

>>  		aa_audit_rule_free(rule);
>> -		return PTR_ERR(rule->label);
>> +		return PTR_ERR(err);
>>  	}
>>
>>  	*vrule = rule;
> 
> 
> Regards,
> Markus
> 

[PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init

[Navid Emamdoost]

In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release, the return statement
tries to access the label field of the rule which results in
use-after-free. Before releasing the rule, copy errNo and return it
after release.

Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
Changes in v2:
	-- Fix typo in description
	-- move err definition inside the if statement.

 security/apparmor/audit.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..334065302fb6 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
 				     GFP_KERNEL, true, false);
 	if (IS_ERR(rule->label)) {
+		int err = rule->label;
 		aa_audit_rule_free(rule);
-		return PTR_ERR(rule->label);
+		return PTR_ERR(err);
 	}
 
 	*vrule = rule;
-- 
2.17.1

Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init

[Tyler Hicks]

On 2019-10-21 10:23:47, Navid Emamdoost wrote:
> In the implementation of aa_audit_rule_init(), when aa_label_parse()
> fails the allocated memory for rule is released using
> aa_audit_rule_free(). But after this release, the return statement
> tries to access the label field of the rule which results in
> use-after-free. Before releasing the rule, copy errNo and return it
> after release.
> 
> Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")

Ugh! I'm not sure what I was thinking when I authored that patch. :/

> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> ---
> Changes in v2:
> 	-- Fix typo in description
> 	-- move err definition inside the if statement.
> 
>  security/apparmor/audit.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> index 5a98661a8b46..334065302fb6 100644
> --- a/security/apparmor/audit.c
> +++ b/security/apparmor/audit.c
> @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
>  	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
>  				     GFP_KERNEL, true, false);
>  	if (IS_ERR(rule->label)) {
> +		int err = rule->label;

Since rule->label is a pointer, I'd like to see this:

 int err = PTR_ERR(rule->label);

>  		aa_audit_rule_free(rule);
> -		return PTR_ERR(rule->label);
> +		return PTR_ERR(err);

This line would change to:

 return err;


Tyler

>  	}
>  
>  	*vrule = rule;
> -- 
> 2.17.1
> 

[PATCH v3] apparmor: Fix use-after-free in aa_audit_rule_init

[Navid Emamdoost]

In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release, the return statement
tries to access the label field of the rule which results in
use-after-free. Before releasing the rule, copy errNo and return it
after release.

Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
Changes in v3:
	-- applied Tyler Hicks recommendation on err initialization.

 security/apparmor/audit.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..597732503815 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
 				     GFP_KERNEL, true, false);
 	if (IS_ERR(rule->label)) {
+		int err = PTR_ERR(rule->label);
 		aa_audit_rule_free(rule);
-		return PTR_ERR(rule->label);
+		return err;
 	}
 
 	*vrule = rule;
-- 
2.17.1

Re: [PATCH v3] apparmor: Fix use-after-free in aa_audit_rule_init

[Tyler Hicks]

On 2019-10-21 11:05:31, Navid Emamdoost wrote:
> In the implementation of aa_audit_rule_init(), when aa_label_parse()
> fails the allocated memory for rule is released using
> aa_audit_rule_free(). But after this release, the return statement
> tries to access the label field of the rule which results in
> use-after-free. Before releasing the rule, copy errNo and return it
> after release.
> 
> Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>

Reviewed-by: Tyler Hicks <tyhicks@canonical.com>

Thanks!

Tyler

> ---
> Changes in v3:
> 	-- applied Tyler Hicks recommendation on err initialization.
> 
>  security/apparmor/audit.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> index 5a98661a8b46..597732503815 100644
> --- a/security/apparmor/audit.c
> +++ b/security/apparmor/audit.c
> @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
>  	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
>  				     GFP_KERNEL, true, false);
>  	if (IS_ERR(rule->label)) {
> +		int err = PTR_ERR(rule->label);
>  		aa_audit_rule_free(rule);
> -		return PTR_ERR(rule->label);
> +		return err;
>  	}
>  
>  	*vrule = rule;
> -- 
> 2.17.1
> 

Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init

[Navid Emamdoost]

On Mon, Oct 21, 2019 at 10:45 AM Tyler Hicks <tyhicks@canonical.com> wrote:
>
> On 2019-10-21 10:23:47, Navid Emamdoost wrote:
> > In the implementation of aa_audit_rule_init(), when aa_label_parse()
> > fails the allocated memory for rule is released using
> > aa_audit_rule_free(). But after this release, the return statement
> > tries to access the label field of the rule which results in
> > use-after-free. Before releasing the rule, copy errNo and return it
> > after release.
> >
> > Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
>
> Ugh! I'm not sure what I was thinking when I authored that patch. :/
>
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > ---
> > Changes in v2:
> >       -- Fix typo in description
> >       -- move err definition inside the if statement.
> >
> >  security/apparmor/audit.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> > index 5a98661a8b46..334065302fb6 100644
> > --- a/security/apparmor/audit.c
> > +++ b/security/apparmor/audit.c
> > @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> >       rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> >                                    GFP_KERNEL, true, false);
> >       if (IS_ERR(rule->label)) {
> > +             int err = rule->label;
>
> Since rule->label is a pointer, I'd like to see this:
>
>  int err = PTR_ERR(rule->label);
>
> >               aa_audit_rule_free(rule);
> > -             return PTR_ERR(rule->label);
> > +             return PTR_ERR(err);
>
> This line would change to:
>
>  return err;
>
Tyler, I made the changes and sent v3.

>
> Tyler
>
> >       }
> >
> >       *vrule = rule;
> > --
> > 2.17.1
> >



-- 
Navid.

Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init

[kbuild test robot]

[-- Attachment #1: Type: text/plain, Size: 3231 bytes --]

Hi Navid,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on security/next-testing]
[cannot apply to v5.4-rc4 next-20191023]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]

url:    https://github.com/0day-ci/linux/commits/Navid-Emamdoost/apparmor-Fix-use-after-free-in-aa_audit_rule_init/20191024-123239
base:   https://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-testing
config: nds32-allyesconfig (attached as .config)
compiler: nds32le-linux-gcc (GCC) 8.1.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        GCC_VERSION=8.1.0 make.cross ARCH=nds32 

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   security/apparmor/audit.c: In function 'aa_audit_rule_init':
>> security/apparmor/audit.c:200:13: warning: initialization of 'int' from 'struct aa_label *' makes integer from pointer without a cast [-Wint-conversion]
      int err = rule->label;
                ^~~~
   security/apparmor/audit.c:202:18: warning: passing argument 1 of 'PTR_ERR' makes pointer from integer without a cast [-Wint-conversion]
      return PTR_ERR(err);
                     ^~~
   In file included from include/linux/rwsem.h:18,
                    from include/linux/key.h:18,
                    from include/linux/cred.h:13,
                    from include/linux/sched/signal.h:10,
                    from include/linux/ptrace.h:7,
                    from include/linux/audit.h:13,
                    from security/apparmor/audit.c:11:
   include/linux/err.h:29:61: note: expected 'const void *' but argument is of type 'int'
    static inline long __must_check PTR_ERR(__force const void *ptr)
                                                    ~~~~~~~~~~~~^~~

vim +200 security/apparmor/audit.c

   177	
   178	int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
   179	{
   180		struct aa_audit_rule *rule;
   181	
   182		switch (field) {
   183		case AUDIT_SUBJ_ROLE:
   184			if (op != Audit_equal && op != Audit_not_equal)
   185				return -EINVAL;
   186			break;
   187		default:
   188			return -EINVAL;
   189		}
   190	
   191		rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
   192	
   193		if (!rule)
   194			return -ENOMEM;
   195	
   196		/* Currently rules are treated as coming from the root ns */
   197		rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
   198					     GFP_KERNEL, true, false);
   199		if (IS_ERR(rule->label)) {
 > 200			int err = rule->label;
   201			aa_audit_rule_free(rule);
   202			return PTR_ERR(err);
   203		}
   204	
   205		*vrule = rule;
   206		return 0;
   207	}
   208	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 52456 bytes --]

Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init

[kbuild test robot]

[-- Attachment #1: Type: text/plain, Size: 3170 bytes --]

Hi Navid,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on security/next-testing]
[cannot apply to v5.4-rc4 next-20191023]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]

url:    https://github.com/0day-ci/linux/commits/Navid-Emamdoost/apparmor-Fix-use-after-free-in-aa_audit_rule_init/20191024-123239
base:   https://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-testing
config: ia64-allmodconfig (attached as .config)
compiler: ia64-linux-gcc (GCC) 7.4.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        GCC_VERSION=7.4.0 make.cross ARCH=ia64 

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   security/apparmor/audit.c: In function 'aa_audit_rule_init':
>> security/apparmor/audit.c:200:13: warning: initialization makes integer from pointer without a cast [-Wint-conversion]
      int err = rule->label;
                ^~~~
>> security/apparmor/audit.c:202:18: warning: passing argument 1 of 'PTR_ERR' makes pointer from integer without a cast [-Wint-conversion]
      return PTR_ERR(err);
                     ^~~
   In file included from include/linux/rwsem.h:18:0,
                    from include/linux/key.h:18,
                    from include/linux/cred.h:13,
                    from include/linux/sched/signal.h:10,
                    from include/linux/ptrace.h:7,
                    from include/linux/audit.h:13,
                    from security/apparmor/audit.c:11:
   include/linux/err.h:29:33: note: expected 'const void *' but argument is of type 'int'
    static inline long __must_check PTR_ERR(__force const void *ptr)
                                    ^~~~~~~

vim +200 security/apparmor/audit.c

   177	
   178	int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
   179	{
   180		struct aa_audit_rule *rule;
   181	
   182		switch (field) {
   183		case AUDIT_SUBJ_ROLE:
   184			if (op != Audit_equal && op != Audit_not_equal)
   185				return -EINVAL;
   186			break;
   187		default:
   188			return -EINVAL;
   189		}
   190	
   191		rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
   192	
   193		if (!rule)
   194			return -ENOMEM;
   195	
   196		/* Currently rules are treated as coming from the root ns */
   197		rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
   198					     GFP_KERNEL, true, false);
   199		if (IS_ERR(rule->label)) {
 > 200			int err = rule->label;
   201			aa_audit_rule_free(rule);
 > 202			return PTR_ERR(err);
   203		}
   204	
   205		*vrule = rule;
   206		return 0;
   207	}
   208	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 54117 bytes --]

Re: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init

[Navid Emamdoost]

On Sun, Oct 20, 2019 at 1:51 PM John Johansen
<john.johansen@canonical.com> wrote:
>
> On 10/20/19 7:16 AM, Markus Elfring wrote:
> >> … But after this release the the return statement
> >> tries to access the label field of the rule which results in
> >> use-after-free. Before releaseing the rule, copy errNo and return it
> >> after releasing rule.
> >
> Navid thanks for finding this, and Markus thanks for the review
>
> > Please avoid a duplicate word and a typo in this change description.
> > My preference would be a v2 version of the patch with the small clean-ups
> that Markus has pointed out.

John and Markus, I updated and submitted v2.

>
> If I don't see a v2 this week I can pull this one in and do the revisions
> myself adding a little fix-up note.
>
> >
> > …
> >> +++ b/security/apparmor/audit.c
> > …
> >> @@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> >>      rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> >>                                   GFP_KERNEL, true, false);
> >>      if (IS_ERR(rule->label)) {
> >> +            err = rule->label;
> >
> > How do you think about to define the added local variable in this if branch directly?
> >
> > +             int err = rule->label;
> >
>
> yes, since err isn't defined or in use else where this would be preferable
>
> >>              aa_audit_rule_free(rule);
> >> -            return PTR_ERR(rule->label);
> >> +            return PTR_ERR(err);
> >>      }
> >>
> >>      *vrule = rule;
> >
> >
> > Regards,
> > Markus
> >
>


-- 
Thanks,
Navid.