lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 21 Oct 2019 11:06:46 -0500
From:   Navid Emamdoost <navid.emamdoost@...il.com>
To:     Tyler Hicks <tyhicks@...onical.com>
Cc:     John Johansen <john.johansen@...onical.com>,
        Navid Emamdoost <emamd001@....edu>,
        Stephen McCamant <smccaman@....edu>, Kangjie Lu <kjlu@....edu>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        linux-security-module@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init

On Mon, Oct 21, 2019 at 10:45 AM Tyler Hicks <tyhicks@...onical.com> wrote:
>
> On 2019-10-21 10:23:47, Navid Emamdoost wrote:
> > In the implementation of aa_audit_rule_init(), when aa_label_parse()
> > fails the allocated memory for rule is released using
> > aa_audit_rule_free(). But after this release, the return statement
> > tries to access the label field of the rule which results in
> > use-after-free. Before releasing the rule, copy errNo and return it
> > after release.
> >
> > Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
>
> Ugh! I'm not sure what I was thinking when I authored that patch. :/
>
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@...il.com>
> > ---
> > Changes in v2:
> >       -- Fix typo in description
> >       -- move err definition inside the if statement.
> >
> >  security/apparmor/audit.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> > index 5a98661a8b46..334065302fb6 100644
> > --- a/security/apparmor/audit.c
> > +++ b/security/apparmor/audit.c
> > @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> >       rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> >                                    GFP_KERNEL, true, false);
> >       if (IS_ERR(rule->label)) {
> > +             int err = rule->label;
>
> Since rule->label is a pointer, I'd like to see this:
>
>  int err = PTR_ERR(rule->label);
>
> >               aa_audit_rule_free(rule);
> > -             return PTR_ERR(rule->label);
> > +             return PTR_ERR(err);
>
> This line would change to:
>
>  return err;
>
Tyler, I made the changes and sent v3.

>
> Tyler
>
> >       }
> >
> >       *vrule = rule;
> > --
> > 2.17.1
> >



-- 
Navid.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ