Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp259909ybg;
        Thu, 17 Oct 2019 22:35:47 -0700 (PDT)
X-Google-Smtp-Source: APXvYqz79uE3odXvSk1Nvy52jYNagxltTcX1/PNg/6UYyBHOXu2ljV1I+/2vQpR++LelAdICTfd9
X-Received: by 2002:a05:6402:21eb:: with SMTP id ce11mr7611831edb.182.1571376947625;
        Thu, 17 Oct 2019 22:35:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571376947; cv=none;
        d=google.com; s=arc-20160816;
        b=LCL2hjpP8L6o7zbes2dco/n0UdRTLSI+VkaYiEyg63Twk8VQ5+N3V8srS8jyBT1uHU
         q2xbMgAf8QnpCHHaUT8Jlak0W2OvOt+MQeK09eh7HxqabcqzYhlBdj2tlTZSkDlm8NCC
         B5SKKza5xjKs8M5Ajpq4p1tcnk/Pe9ubZOsP8DudJg0N7OlO07HYLdLWVqny+G2msT/Z
         5VF5XWOUTvbD3QdHMTn581Awk0346ddU0cV4NdhWS40zFH7PyGE3SoGOMDZsMsRm8fl3
         inanE80ximcI6bP+d2TG7ZctaxufbnMbdsrl+4W4WRxw+gjmxwmdyQTOf5scN8eDY2Le
         7BkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:message-id:date:subject:cc:from
         :dkim-signature;
        bh=C2efsFizgVT25garqduHjyuFt9iWInxP4xT7VjbjnDk=;
        b=ueiiSlcS8TQNPEV8mjKQBLztmUpNpuZojn9j04oUupFmWbTjAPG6AOqm6nkkFwy1yE
         3IeH2+AApCVfoJ9lMmb45KIkL6O5dSo2GzonuJfdHyf1n4G5j1a+H0eWOQi9vrAWJ3Hg
         1LkmAQ3o52lfMAsjIbnfVoX94CUITNsxeyC7QCIxnRhKHSp4067gwmHMswiB9e5rbhPZ
         dggm1j0GBptHqn5y6KXAUr3rn9Ao+8sEUCE12Jxaj6zKv1uAn3MuvQODK5bq9swAhjsO
         RwGST2U2wa94mcKZYPPvbWwuehNX2Qt8zyWeX98rCCg3iolMBuzf+Qiq2UyJYPcb8wi5
         ylCQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=e18t10U4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u22si2681914ejm.363.2019.10.17.22.35.23;
        Thu, 17 Oct 2019 22:35:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=e18t10U4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730299AbfJQBqj (ORCPT <rfc822;wxiaokuan@gmail.com> + 99 others);
        Wed, 16 Oct 2019 21:46:39 -0400
Received: from mail-il1-f195.google.com ([209.85.166.195]:43614 "EHLO
        mail-il1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727387AbfJQBqj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 16 Oct 2019 21:46:39 -0400
Received: by mail-il1-f195.google.com with SMTP id t5so420609ilh.10;
        Wed, 16 Oct 2019 18:46:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=C2efsFizgVT25garqduHjyuFt9iWInxP4xT7VjbjnDk=;
        b=e18t10U4nw9RnbPkZAOn3y7deMeJ+ww9/LymVula1j/TQgPm8NheGWHHwSh4f3AI53
         QTjaan4HF7ZUS4sqFWT7JB+dqwwQ8SUoQXL4Fce1xAHW9TO5Iwx+giUj0y1jqEqBBenb
         d2bI3yKILEcIk8UcbX+dw2Us9mtXCgMTcpQBGt0XFqPtexa5sCjH/ZxGDvlg94KdfLU+
         kX9kTcHcQJXuaOyrdFORey72399cEkOT+Tl0eSwxFpB6O+HEMuydXB/iNlspoYqvAD4L
         tUE238iVnwa4grrnnrdI1KaHAaoAqB8Q0hqQx1tnobpXlWSwT+85N/y/SA+3QFu7QQB2
         ++8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=C2efsFizgVT25garqduHjyuFt9iWInxP4xT7VjbjnDk=;
        b=VqSkj++DELEL6gtkMGJCeNsLAOwCO+B7FiKhHRQUo5oFdqLnAB8QML6tu2aY2xPo9B
         bKXypyEAYxxVdVEbvMlaYuUYLeAeNu/XIAXvLWVelklQjci+GnNmc+vtZey4biQ57hPB
         D7jMlzi8rnL4A/A82dcWmwOz7X2hEgdfEtHWwiVSAZ7P7k7N8ybVusc//b8eCLnAIF/R
         Tgue1+dXI9ZpErSrzdMd6ok9PEm4xFGYWXAlBMgAR/am+jP4bQozNfyb9Dblpl5KsHQi
         XgzDzIV/5Qt3Q4So/e16lAYtvNX0Ni3AbEvr81OMm9EBYtNoZDi+7euBVWNCCvIVNZmA
         G4Lg==
X-Gm-Message-State: APjAAAUkMpgNmjfZpEwEGln3X77U9CsTLiRITYXolk3zaCQ+vr+lgV7C
        zrygoOe4CwZDpCFxh5iDUKQ=
X-Received: by 2002:a92:4144:: with SMTP id o65mr1068182ila.206.1571276796906;
        Wed, 16 Oct 2019 18:46:36 -0700 (PDT)
Received: from cs-dulles.cs.umn.edu (cs-dulles.cs.umn.edu. [128.101.35.54])
        by smtp.googlemail.com with ESMTPSA id h17sm254867ilq.66.2019.10.16.18.46.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 16 Oct 2019 18:46:35 -0700 (PDT)
From:   Navid Emamdoost <navid.emamdoost@gmail.com>
Cc:     emamd001@umn.edu, smccaman@umn.edu, kjlu@umn.edu,
        Navid Emamdoost <navid.emamdoost@gmail.com>,
        John Johansen <john.johansen@canonical.com>,
        James Morris <jmorris@namei.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] apparmor: Fix use-after-free in aa_audit_rule_init
Date:   Wed, 16 Oct 2019 20:46:18 -0500
Message-Id: <20191017014619.26708-1-navid.emamdoost@gmail.com>
X-Mailer: git-send-email 2.17.1
To:     unlisted-recipients:; (no To-header on input)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release the the return statement
tries to access the label field of the rule which results in
use-after-free. Before releaseing the rule, copy errNo and return it
after releasing rule.

Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
 security/apparmor/audit.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..48c15fb0aafe 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -178,6 +178,7 @@ void aa_audit_rule_free(void *vrule)
 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 {
 	struct aa_audit_rule *rule;
+	int err;
 
 	switch (field) {
 	case AUDIT_SUBJ_ROLE:
@@ -197,8 +198,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
 				     GFP_KERNEL, true, false);
 	if (IS_ERR(rule->label)) {
+		err = rule->label;
 		aa_audit_rule_free(rule);
-		return PTR_ERR(rule->label);
+		return PTR_ERR(err);
 	}
 
 	*vrule = rule;
-- 
2.17.1