lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 21 Oct 2019 10:25:41 -0500
From:   Navid Emamdoost <navid.emamdoost@...il.com>
To:     John Johansen <john.johansen@...onical.com>
Cc:     Markus Elfring <Markus.Elfring@....de>,
        linux-security-module@...r.kernel.org,
        kernel-janitors@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>,
        Navid Emamdoost <emamd001@....edu>, Kangjie Lu <kjlu@....edu>,
        Stephen McCamant <smccaman@....edu>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Tyler Hicks <tyhicks@...onical.com>
Subject: Re: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init

On Sun, Oct 20, 2019 at 1:51 PM John Johansen
<john.johansen@...onical.com> wrote:
>
> On 10/20/19 7:16 AM, Markus Elfring wrote:
> >> … But after this release the the return statement
> >> tries to access the label field of the rule which results in
> >> use-after-free. Before releaseing the rule, copy errNo and return it
> >> after releasing rule.
> >
> Navid thanks for finding this, and Markus thanks for the review
>
> > Please avoid a duplicate word and a typo in this change description.
> > My preference would be a v2 version of the patch with the small clean-ups
> that Markus has pointed out.

John and Markus, I updated and submitted v2.

>
> If I don't see a v2 this week I can pull this one in and do the revisions
> myself adding a little fix-up note.
>
> >
> > …
> >> +++ b/security/apparmor/audit.c
> > …
> >> @@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> >>      rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> >>                                   GFP_KERNEL, true, false);
> >>      if (IS_ERR(rule->label)) {
> >> +            err = rule->label;
> >
> > How do you think about to define the added local variable in this if branch directly?
> >
> > +             int err = rule->label;
> >
>
> yes, since err isn't defined or in use else where this would be preferable
>
> >>              aa_audit_rule_free(rule);
> >> -            return PTR_ERR(rule->label);
> >> +            return PTR_ERR(err);
> >>      }
> >>
> >>      *vrule = rule;
> >
> >
> > Regards,
> > Markus
> >
>


-- 
Thanks,
Navid.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ