| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Jan 2024 01:41:04 -0800
From: John Johansen <john.johansen@...onical.com>
To: Fedor Pchelkin <pchelkin@...ras.ru>
Cc: Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>, apparmor@...ts.ubuntu.com,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>, lvc-project@...uxtesting.org
Subject: Re: [PATCH] apparmor: fix possible memory leak in unpack_trans_table
On 12/4/23 10:19, Fedor Pchelkin wrote:
> If we fail to unpack the transition table then the table elements which
> have been already allocated are not freed on error path.
>
> unreferenced object 0xffff88802539e000 (size 128):
> comm "apparmor_parser", pid 903, jiffies 4294914938 (age 35.085s)
> hex dump (first 32 bytes):
> 20 73 6f 6d 65 20 6e 61 73 74 79 20 73 74 72 69 some nasty stri
> 6e 67 20 73 6f 6d 65 20 6e 61 73 74 79 20 73 74 ng some nasty st
> backtrace:
> [<ffffffff81ddb312>] __kmem_cache_alloc_node+0x1e2/0x2d0
> [<ffffffff81c47194>] __kmalloc_node_track_caller+0x54/0x170
> [<ffffffff81c225b9>] kmemdup+0x29/0x60
> [<ffffffff83e1ee65>] aa_unpack_strdup+0xe5/0x1b0
> [<ffffffff83e20808>] unpack_pdb+0xeb8/0x2700
> [<ffffffff83e23567>] unpack_profile+0x1507/0x4a30
> [<ffffffff83e27bfa>] aa_unpack+0x36a/0x1560
> [<ffffffff83e194c3>] aa_replace_profiles+0x213/0x33c0
> [<ffffffff83de9461>] policy_update+0x261/0x370
> [<ffffffff83de978e>] profile_replace+0x20e/0x2a0
> [<ffffffff81eac8bf>] vfs_write+0x2af/0xe00
> [<ffffffff81eaddd6>] ksys_write+0x126/0x250
> [<ffffffff88f34fb6>] do_syscall_64+0x46/0xf0
> [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
> Call aa_free_str_table() on error path as was done before the blamed
> commit. It implements all necessary checks, frees str_table if it is
> available and nullifies the pointers.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: a0792e2ceddc ("apparmor: make transition table unpack generic so it can be reused")
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
thanks, I have pulled this into my tree
Acked-by: John Johansen <john.johansen@...onical.com>
> ---
> security/apparmor/lib.c | 1 +
> security/apparmor/policy_unpack.c | 7 +++----
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index 4c198d273f09..cd569fbbfe36 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -41,6 +41,7 @@ void aa_free_str_table(struct aa_str_table *t)
> kfree_sensitive(t->table[i]);
> kfree_sensitive(t->table);
> t->table = NULL;
> + t->size = 0;
> }
> }
>
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index fc21952aca6b..887010692538 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -478,6 +478,8 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs)
> if (!table)
> goto fail;
>
> + strs->table = table;
> + strs->size = size;
> for (i = 0; i < size; i++) {
> char *str;
> int c, j, pos, size2 = aa_unpack_strdup(e, &str, NULL);
> @@ -520,14 +522,11 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs)
> goto fail;
> if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
> goto fail;
> -
> - strs->table = table;
> - strs->size = size;
> }
> return true;
>
> fail:
> - kfree_sensitive(table);
> + aa_free_str_table(strs);
> e->pos = saved_pos;
> return false;
> }
Powered by blists - more mailing lists