* [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init
@ 2019-10-17 1:46 Navid Emamdoost
2019-10-20 14:16 ` Markus Elfring
0 siblings, 1 reply; 11+ messages in thread
From: Navid Emamdoost @ 2019-10-17 1:46 UTC (permalink / raw)
Cc: emamd001, smccaman, kjlu, Navid Emamdoost, John Johansen,
James Morris, Serge E. Hallyn, linux-security-module,
linux-kernel
In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release the the return statement
tries to access the label field of the rule which results in
use-after-free. Before releaseing the rule, copy errNo and return it
after releasing rule.
Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
security/apparmor/audit.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..48c15fb0aafe 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -178,6 +178,7 @@ void aa_audit_rule_free(void *vrule)
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
{
struct aa_audit_rule *rule;
+ int err;
switch (field) {
case AUDIT_SUBJ_ROLE:
@@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
GFP_KERNEL, true, false);
if (IS_ERR(rule->label)) {
+ err = rule->label;
aa_audit_rule_free(rule);
- return PTR_ERR(rule->label);
+ return PTR_ERR(err);
}
*vrule = rule;
--
2.17.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-17 1:46 [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init Navid Emamdoost
@ 2019-10-20 14:16 ` Markus Elfring
2019-10-20 18:49 ` John Johansen
0 siblings, 1 reply; 11+ messages in thread
From: Markus Elfring @ 2019-10-20 14:16 UTC (permalink / raw)
To: Navid Emamdoost, linux-security-module
Cc: kernel-janitors, linux-kernel, Navid Emamdoost, Kangjie Lu,
Stephen McCamant, James Morris, John Johansen, Serge E. Hallyn,
Tyler Hicks
> … But after this release the the return statement
> tries to access the label field of the rule which results in
> use-after-free. Before releaseing the rule, copy errNo and return it
> after releasing rule.
Please avoid a duplicate word and a typo in this change description.
…
> +++ b/security/apparmor/audit.c
…
> @@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> GFP_KERNEL, true, false);
> if (IS_ERR(rule->label)) {
> + err = rule->label;
How do you think about to define the added local variable in this if branch directly?
+ int err = rule->label;
> aa_audit_rule_free(rule);
> - return PTR_ERR(rule->label);
> + return PTR_ERR(err);
> }
>
> *vrule = rule;
Regards,
Markus
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-20 14:16 ` Markus Elfring
@ 2019-10-20 18:49 ` John Johansen
2019-10-21 15:23 ` [PATCH v2] " Navid Emamdoost
2019-10-21 15:25 ` [PATCH] " Navid Emamdoost
0 siblings, 2 replies; 11+ messages in thread
From: John Johansen @ 2019-10-20 18:49 UTC (permalink / raw)
To: Markus Elfring, Navid Emamdoost, linux-security-module
Cc: kernel-janitors, linux-kernel, Navid Emamdoost, Kangjie Lu,
Stephen McCamant, James Morris, Serge E. Hallyn, Tyler Hicks
On 10/20/19 7:16 AM, Markus Elfring wrote:
>> … But after this release the the return statement
>> tries to access the label field of the rule which results in
>> use-after-free. Before releaseing the rule, copy errNo and return it
>> after releasing rule.
>
Navid thanks for finding this, and Markus thanks for the review
> Please avoid a duplicate word and a typo in this change description.
> My preference would be a v2 version of the patch with the small clean-ups
that Markus has pointed out.
If I don't see a v2 this week I can pull this one in and do the revisions
myself adding a little fix-up note.
>
> …
>> +++ b/security/apparmor/audit.c
> …
>> @@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
>> rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
>> GFP_KERNEL, true, false);
>> if (IS_ERR(rule->label)) {
>> + err = rule->label;
>
> How do you think about to define the added local variable in this if branch directly?
>
> + int err = rule->label;
>
yes, since err isn't defined or in use else where this would be preferable
>> aa_audit_rule_free(rule);
>> - return PTR_ERR(rule->label);
>> + return PTR_ERR(err);
>> }
>>
>> *vrule = rule;
>
>
> Regards,
> Markus
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-20 18:49 ` John Johansen
@ 2019-10-21 15:23 ` Navid Emamdoost
2019-10-21 15:45 ` Tyler Hicks
` (2 more replies)
2019-10-21 15:25 ` [PATCH] " Navid Emamdoost
1 sibling, 3 replies; 11+ messages in thread
From: Navid Emamdoost @ 2019-10-21 15:23 UTC (permalink / raw)
To: john.johansen
Cc: emamd001, smccaman, kjlu, Navid Emamdoost, James Morris,
Serge E. Hallyn, linux-security-module, linux-kernel
In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release, the return statement
tries to access the label field of the rule which results in
use-after-free. Before releasing the rule, copy errNo and return it
after release.
Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
Changes in v2:
-- Fix typo in description
-- move err definition inside the if statement.
security/apparmor/audit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..334065302fb6 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
GFP_KERNEL, true, false);
if (IS_ERR(rule->label)) {
+ int err = rule->label;
aa_audit_rule_free(rule);
- return PTR_ERR(rule->label);
+ return PTR_ERR(err);
}
*vrule = rule;
--
2.17.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-20 18:49 ` John Johansen
2019-10-21 15:23 ` [PATCH v2] " Navid Emamdoost
@ 2019-10-21 15:25 ` Navid Emamdoost
1 sibling, 0 replies; 11+ messages in thread
From: Navid Emamdoost @ 2019-10-21 15:25 UTC (permalink / raw)
To: John Johansen
Cc: Markus Elfring, linux-security-module, kernel-janitors, LKML,
Navid Emamdoost, Kangjie Lu, Stephen McCamant, James Morris,
Serge E. Hallyn, Tyler Hicks
On Sun, Oct 20, 2019 at 1:51 PM John Johansen
<john.johansen@canonical.com> wrote:
>
> On 10/20/19 7:16 AM, Markus Elfring wrote:
> >> … But after this release the the return statement
> >> tries to access the label field of the rule which results in
> >> use-after-free. Before releaseing the rule, copy errNo and return it
> >> after releasing rule.
> >
> Navid thanks for finding this, and Markus thanks for the review
>
> > Please avoid a duplicate word and a typo in this change description.
> > My preference would be a v2 version of the patch with the small clean-ups
> that Markus has pointed out.
John and Markus, I updated and submitted v2.
>
> If I don't see a v2 this week I can pull this one in and do the revisions
> myself adding a little fix-up note.
>
> >
> > …
> >> +++ b/security/apparmor/audit.c
> > …
> >> @@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> >> rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> >> GFP_KERNEL, true, false);
> >> if (IS_ERR(rule->label)) {
> >> + err = rule->label;
> >
> > How do you think about to define the added local variable in this if branch directly?
> >
> > + int err = rule->label;
> >
>
> yes, since err isn't defined or in use else where this would be preferable
>
> >> aa_audit_rule_free(rule);
> >> - return PTR_ERR(rule->label);
> >> + return PTR_ERR(err);
> >> }
> >>
> >> *vrule = rule;
> >
> >
> > Regards,
> > Markus
> >
>
--
Thanks,
Navid.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-21 15:23 ` [PATCH v2] " Navid Emamdoost
@ 2019-10-21 15:45 ` Tyler Hicks
2019-10-21 16:05 ` [PATCH v3] " Navid Emamdoost
2019-10-21 16:06 ` [PATCH v2] " Navid Emamdoost
2019-10-24 6:20 ` kbuild test robot
2019-10-24 8:48 ` kbuild test robot
2 siblings, 2 replies; 11+ messages in thread
From: Tyler Hicks @ 2019-10-21 15:45 UTC (permalink / raw)
To: Navid Emamdoost
Cc: john.johansen, emamd001, smccaman, kjlu, James Morris,
Serge E. Hallyn, linux-security-module, linux-kernel
On 2019-10-21 10:23:47, Navid Emamdoost wrote:
> In the implementation of aa_audit_rule_init(), when aa_label_parse()
> fails the allocated memory for rule is released using
> aa_audit_rule_free(). But after this release, the return statement
> tries to access the label field of the rule which results in
> use-after-free. Before releasing the rule, copy errNo and return it
> after release.
>
> Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Ugh! I'm not sure what I was thinking when I authored that patch. :/
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> ---
> Changes in v2:
> -- Fix typo in description
> -- move err definition inside the if statement.
>
> security/apparmor/audit.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> index 5a98661a8b46..334065302fb6 100644
> --- a/security/apparmor/audit.c
> +++ b/security/apparmor/audit.c
> @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> GFP_KERNEL, true, false);
> if (IS_ERR(rule->label)) {
> + int err = rule->label;
Since rule->label is a pointer, I'd like to see this:
int err = PTR_ERR(rule->label);
> aa_audit_rule_free(rule);
> - return PTR_ERR(rule->label);
> + return PTR_ERR(err);
This line would change to:
return err;
Tyler
> }
>
> *vrule = rule;
> --
> 2.17.1
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v3] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-21 15:45 ` Tyler Hicks
@ 2019-10-21 16:05 ` Navid Emamdoost
2019-10-21 16:08 ` Tyler Hicks
2019-10-21 16:06 ` [PATCH v2] " Navid Emamdoost
1 sibling, 1 reply; 11+ messages in thread
From: Navid Emamdoost @ 2019-10-21 16:05 UTC (permalink / raw)
To: tyhicks
Cc: emamd001, smccaman, kjlu, Navid Emamdoost, John Johansen,
James Morris, Serge E. Hallyn, linux-security-module,
linux-kernel
In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release, the return statement
tries to access the label field of the rule which results in
use-after-free. Before releasing the rule, copy errNo and return it
after release.
Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
Changes in v3:
-- applied Tyler Hicks recommendation on err initialization.
security/apparmor/audit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..597732503815 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
GFP_KERNEL, true, false);
if (IS_ERR(rule->label)) {
+ int err = PTR_ERR(rule->label);
aa_audit_rule_free(rule);
- return PTR_ERR(rule->label);
+ return err;
}
*vrule = rule;
--
2.17.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-21 15:45 ` Tyler Hicks
2019-10-21 16:05 ` [PATCH v3] " Navid Emamdoost
@ 2019-10-21 16:06 ` Navid Emamdoost
1 sibling, 0 replies; 11+ messages in thread
From: Navid Emamdoost @ 2019-10-21 16:06 UTC (permalink / raw)
To: Tyler Hicks
Cc: John Johansen, Navid Emamdoost, Stephen McCamant, Kangjie Lu,
James Morris, Serge E. Hallyn, linux-security-module, LKML
On Mon, Oct 21, 2019 at 10:45 AM Tyler Hicks <tyhicks@canonical.com> wrote:
>
> On 2019-10-21 10:23:47, Navid Emamdoost wrote:
> > In the implementation of aa_audit_rule_init(), when aa_label_parse()
> > fails the allocated memory for rule is released using
> > aa_audit_rule_free(). But after this release, the return statement
> > tries to access the label field of the rule which results in
> > use-after-free. Before releasing the rule, copy errNo and return it
> > after release.
> >
> > Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
>
> Ugh! I'm not sure what I was thinking when I authored that patch. :/
>
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > ---
> > Changes in v2:
> > -- Fix typo in description
> > -- move err definition inside the if statement.
> >
> > security/apparmor/audit.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> > index 5a98661a8b46..334065302fb6 100644
> > --- a/security/apparmor/audit.c
> > +++ b/security/apparmor/audit.c
> > @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> > rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> > GFP_KERNEL, true, false);
> > if (IS_ERR(rule->label)) {
> > + int err = rule->label;
>
> Since rule->label is a pointer, I'd like to see this:
>
> int err = PTR_ERR(rule->label);
>
> > aa_audit_rule_free(rule);
> > - return PTR_ERR(rule->label);
> > + return PTR_ERR(err);
>
> This line would change to:
>
> return err;
>
Tyler, I made the changes and sent v3.
>
> Tyler
>
> > }
> >
> > *vrule = rule;
> > --
> > 2.17.1
> >
--
Navid.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v3] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-21 16:05 ` [PATCH v3] " Navid Emamdoost
@ 2019-10-21 16:08 ` Tyler Hicks
0 siblings, 0 replies; 11+ messages in thread
From: Tyler Hicks @ 2019-10-21 16:08 UTC (permalink / raw)
To: Navid Emamdoost
Cc: emamd001, smccaman, kjlu, John Johansen, James Morris,
Serge E. Hallyn, linux-security-module, linux-kernel
On 2019-10-21 11:05:31, Navid Emamdoost wrote:
> In the implementation of aa_audit_rule_init(), when aa_label_parse()
> fails the allocated memory for rule is released using
> aa_audit_rule_free(). But after this release, the return statement
> tries to access the label field of the rule which results in
> use-after-free. Before releasing the rule, copy errNo and return it
> after release.
>
> Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Thanks!
Tyler
> ---
> Changes in v3:
> -- applied Tyler Hicks recommendation on err initialization.
>
> security/apparmor/audit.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> index 5a98661a8b46..597732503815 100644
> --- a/security/apparmor/audit.c
> +++ b/security/apparmor/audit.c
> @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> GFP_KERNEL, true, false);
> if (IS_ERR(rule->label)) {
> + int err = PTR_ERR(rule->label);
> aa_audit_rule_free(rule);
> - return PTR_ERR(rule->label);
> + return err;
> }
>
> *vrule = rule;
> --
> 2.17.1
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-21 15:23 ` [PATCH v2] " Navid Emamdoost
2019-10-21 15:45 ` Tyler Hicks
@ 2019-10-24 6:20 ` kbuild test robot
2019-10-24 8:48 ` kbuild test robot
2 siblings, 0 replies; 11+ messages in thread
From: kbuild test robot @ 2019-10-24 6:20 UTC (permalink / raw)
To: Navid Emamdoost
Cc: kbuild-all, john.johansen, emamd001, smccaman, kjlu,
Navid Emamdoost, James Morris, Serge E. Hallyn,
linux-security-module, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 3231 bytes --]
Hi Navid,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on security/next-testing]
[cannot apply to v5.4-rc4 next-20191023]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
url: https://github.com/0day-ci/linux/commits/Navid-Emamdoost/apparmor-Fix-use-after-free-in-aa_audit_rule_init/20191024-123239
base: https://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-testing
config: nds32-allyesconfig (attached as .config)
compiler: nds32le-linux-gcc (GCC) 8.1.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=8.1.0 make.cross ARCH=nds32
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
security/apparmor/audit.c: In function 'aa_audit_rule_init':
>> security/apparmor/audit.c:200:13: warning: initialization of 'int' from 'struct aa_label *' makes integer from pointer without a cast [-Wint-conversion]
int err = rule->label;
^~~~
security/apparmor/audit.c:202:18: warning: passing argument 1 of 'PTR_ERR' makes pointer from integer without a cast [-Wint-conversion]
return PTR_ERR(err);
^~~
In file included from include/linux/rwsem.h:18,
from include/linux/key.h:18,
from include/linux/cred.h:13,
from include/linux/sched/signal.h:10,
from include/linux/ptrace.h:7,
from include/linux/audit.h:13,
from security/apparmor/audit.c:11:
include/linux/err.h:29:61: note: expected 'const void *' but argument is of type 'int'
static inline long __must_check PTR_ERR(__force const void *ptr)
~~~~~~~~~~~~^~~
vim +200 security/apparmor/audit.c
177
178 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
179 {
180 struct aa_audit_rule *rule;
181
182 switch (field) {
183 case AUDIT_SUBJ_ROLE:
184 if (op != Audit_equal && op != Audit_not_equal)
185 return -EINVAL;
186 break;
187 default:
188 return -EINVAL;
189 }
190
191 rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
192
193 if (!rule)
194 return -ENOMEM;
195
196 /* Currently rules are treated as coming from the root ns */
197 rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
198 GFP_KERNEL, true, false);
199 if (IS_ERR(rule->label)) {
> 200 int err = rule->label;
201 aa_audit_rule_free(rule);
202 return PTR_ERR(err);
203 }
204
205 *vrule = rule;
206 return 0;
207 }
208
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 52456 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init
2019-10-21 15:23 ` [PATCH v2] " Navid Emamdoost
2019-10-21 15:45 ` Tyler Hicks
2019-10-24 6:20 ` kbuild test robot
@ 2019-10-24 8:48 ` kbuild test robot
2 siblings, 0 replies; 11+ messages in thread
From: kbuild test robot @ 2019-10-24 8:48 UTC (permalink / raw)
To: Navid Emamdoost
Cc: kbuild-all, john.johansen, emamd001, smccaman, kjlu,
Navid Emamdoost, James Morris, Serge E. Hallyn,
linux-security-module, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 3170 bytes --]
Hi Navid,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on security/next-testing]
[cannot apply to v5.4-rc4 next-20191023]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
url: https://github.com/0day-ci/linux/commits/Navid-Emamdoost/apparmor-Fix-use-after-free-in-aa_audit_rule_init/20191024-123239
base: https://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-testing
config: ia64-allmodconfig (attached as .config)
compiler: ia64-linux-gcc (GCC) 7.4.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=7.4.0 make.cross ARCH=ia64
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
security/apparmor/audit.c: In function 'aa_audit_rule_init':
>> security/apparmor/audit.c:200:13: warning: initialization makes integer from pointer without a cast [-Wint-conversion]
int err = rule->label;
^~~~
>> security/apparmor/audit.c:202:18: warning: passing argument 1 of 'PTR_ERR' makes pointer from integer without a cast [-Wint-conversion]
return PTR_ERR(err);
^~~
In file included from include/linux/rwsem.h:18:0,
from include/linux/key.h:18,
from include/linux/cred.h:13,
from include/linux/sched/signal.h:10,
from include/linux/ptrace.h:7,
from include/linux/audit.h:13,
from security/apparmor/audit.c:11:
include/linux/err.h:29:33: note: expected 'const void *' but argument is of type 'int'
static inline long __must_check PTR_ERR(__force const void *ptr)
^~~~~~~
vim +200 security/apparmor/audit.c
177
178 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
179 {
180 struct aa_audit_rule *rule;
181
182 switch (field) {
183 case AUDIT_SUBJ_ROLE:
184 if (op != Audit_equal && op != Audit_not_equal)
185 return -EINVAL;
186 break;
187 default:
188 return -EINVAL;
189 }
190
191 rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
192
193 if (!rule)
194 return -ENOMEM;
195
196 /* Currently rules are treated as coming from the root ns */
197 rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
198 GFP_KERNEL, true, false);
199 if (IS_ERR(rule->label)) {
> 200 int err = rule->label;
201 aa_audit_rule_free(rule);
> 202 return PTR_ERR(err);
203 }
204
205 *vrule = rule;
206 return 0;
207 }
208
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 54117 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2019-10-24 8:48 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-17 1:46 [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init Navid Emamdoost
2019-10-20 14:16 ` Markus Elfring
2019-10-20 18:49 ` John Johansen
2019-10-21 15:23 ` [PATCH v2] " Navid Emamdoost
2019-10-21 15:45 ` Tyler Hicks
2019-10-21 16:05 ` [PATCH v3] " Navid Emamdoost
2019-10-21 16:08 ` Tyler Hicks
2019-10-21 16:06 ` [PATCH v2] " Navid Emamdoost
2019-10-24 6:20 ` kbuild test robot
2019-10-24 8:48 ` kbuild test robot
2019-10-21 15:25 ` [PATCH] " Navid Emamdoost
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).