lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <eaf76a45-3217-47c2-bf69-bdd765062e69@canonical.com>
Date: Thu, 4 Jan 2024 01:41:04 -0800
From: John Johansen <john.johansen@...onical.com>
To: Fedor Pchelkin <pchelkin@...ras.ru>
Cc: Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
 "Serge E. Hallyn" <serge@...lyn.com>, apparmor@...ts.ubuntu.com,
 linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
 Alexey Khoroshilov <khoroshilov@...ras.ru>, lvc-project@...uxtesting.org
Subject: Re: [PATCH] apparmor: fix possible memory leak in unpack_trans_table

On 12/4/23 10:19, Fedor Pchelkin wrote:
> If we fail to unpack the transition table then the table elements which
> have been already allocated are not freed on error path.
> 
> unreferenced object 0xffff88802539e000 (size 128):
>    comm "apparmor_parser", pid 903, jiffies 4294914938 (age 35.085s)
>    hex dump (first 32 bytes):
>      20 73 6f 6d 65 20 6e 61 73 74 79 20 73 74 72 69   some nasty stri
>      6e 67 20 73 6f 6d 65 20 6e 61 73 74 79 20 73 74  ng some nasty st
>    backtrace:
>      [<ffffffff81ddb312>] __kmem_cache_alloc_node+0x1e2/0x2d0
>      [<ffffffff81c47194>] __kmalloc_node_track_caller+0x54/0x170
>      [<ffffffff81c225b9>] kmemdup+0x29/0x60
>      [<ffffffff83e1ee65>] aa_unpack_strdup+0xe5/0x1b0
>      [<ffffffff83e20808>] unpack_pdb+0xeb8/0x2700
>      [<ffffffff83e23567>] unpack_profile+0x1507/0x4a30
>      [<ffffffff83e27bfa>] aa_unpack+0x36a/0x1560
>      [<ffffffff83e194c3>] aa_replace_profiles+0x213/0x33c0
>      [<ffffffff83de9461>] policy_update+0x261/0x370
>      [<ffffffff83de978e>] profile_replace+0x20e/0x2a0
>      [<ffffffff81eac8bf>] vfs_write+0x2af/0xe00
>      [<ffffffff81eaddd6>] ksys_write+0x126/0x250
>      [<ffffffff88f34fb6>] do_syscall_64+0x46/0xf0
>      [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> 
> Call aa_free_str_table() on error path as was done before the blamed
> commit. It implements all necessary checks, frees str_table if it is
> available and nullifies the pointers.
> 
> Found by Linux Verification Center (linuxtesting.org).
> 
> Fixes: a0792e2ceddc ("apparmor: make transition table unpack generic so it can be reused")
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>

thanks, I have pulled this into my tree
Acked-by: John Johansen <john.johansen@...onical.com>

> ---
>   security/apparmor/lib.c           | 1 +
>   security/apparmor/policy_unpack.c | 7 +++----
>   2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index 4c198d273f09..cd569fbbfe36 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -41,6 +41,7 @@ void aa_free_str_table(struct aa_str_table *t)
>   			kfree_sensitive(t->table[i]);
>   		kfree_sensitive(t->table);
>   		t->table = NULL;
> +		t->size = 0;
>   	}
>   }
>   
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index fc21952aca6b..887010692538 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -478,6 +478,8 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs)
>   		if (!table)
>   			goto fail;
>   
> +		strs->table = table;
> +		strs->size = size;
>   		for (i = 0; i < size; i++) {
>   			char *str;
>   			int c, j, pos, size2 = aa_unpack_strdup(e, &str, NULL);
> @@ -520,14 +522,11 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_str_table *strs)
>   			goto fail;
>   		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
>   			goto fail;
> -
> -		strs->table = table;
> -		strs->size = size;
>   	}
>   	return true;
>   
>   fail:
> -	kfree_sensitive(table);
> +	aa_free_str_table(strs);
>   	e->pos = saved_pos;
>   	return false;
>   }


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ