From: Navid Emamdoost
Cc: emamd001@umn.edu, smccaman@umn.edu, kjlu@umn.edu, Navid Emamdoost, John Johansen, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init
Date: Wed, 16 Oct 2019 20:46:18 -0500
Message-Id: <20191017014619.26708-1-navid.emamdoost@gmail.com>

In the implementation of aa_audit_rule_init(), when aa_label_parse() fails the allocated memory for rule is released using aa_audit_rule_free(). But after this release the return statement tries to access the label field of the rule which results in use-after-free. Before releasing the rule, copy errNo and return it after releasing rule.

Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost
--- security/apparmor/audit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 5a98661a8b46..48c15fb0aafe 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c 
@@ -178,6 +178,7 @@ void aa_audit_rule_free(void *vrule) int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) { struct aa_audit_rule *rule; + int err; switch (field) { case AUDIT_SUBJ_ROLE: @@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, GFP_KERNEL, true, false); if (IS_ERR(rule->label)) { + err = rule->label; aa_audit_rule_free(rule); - return PTR_ERR(rule->label); + return PTR_ERR(err); } *vrule = rule; -- 2.17.1
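
Review bot: `err = rule->label;` in the second hunk assigns a pointer to the `int err` declared in the first hunk, and `return PTR_ERR(err);` then hands that int back to PTR_ERR(), which expects a pointer. Both steps rely on implicit pointer/integer conversions that the compiler will warn about. Extract the error code while the rule is still allocated instead: `err = PTR_ERR(rule->label);` before `aa_audit_rule_free(rule);`, followed by a plain `return err;`. That keeps `err` an int throughout and still avoids reading `rule->label` after the free.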