From: Navid Emamdoost
To: tyhicks@canonical.com
Cc: emamd001@umn.edu, smccaman@umn.edu, kjlu@umn.edu, Navid Emamdoost, John Johansen, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3] apparmor: Fix use-after-free in aa_audit_rule_init
Date: Mon, 21 Oct 2019 11:05:31 -0500
Message-Id: <20191021160532.7719-1-navid.emamdoost@gmail.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20191021154533.GB12140@elm>
References: <20191021154533.GB12140@elm>
X-Mailing-List: linux-kernel@vger.kernel.org

In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release, the return statement
tries to access the label field of the rule which results in
use-after-free. Before releasing the rule, copy errNo and return it
after release.

Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost
---
Changes in v3:
	-- applied Tyler Hicks recommendation on err initialization.

 security/apparmor/audit.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 5a98661a8b46..597732503815 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, GFP_KERNEL, true, false); if (IS_ERR(rule->label)) { + int err = PTR_ERR(rule->label); aa_audit_rule_free(rule); - return PTR_ERR(rule->label); + return err; } *vrule = rule; -- 2.17.1
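
Review bot: in the `if (IS_ERR(rule->label))` block, the new declaration `int err = PTR_ERR(rule->label);` is followed directly by `aa_audit_rule_free(rule);` with no blank line between them; kernel coding style expects a blank line after declarations and checkpatch warns about its absence, so add one before the free call. Separately, `aa_audit_rule_free(rule)` still runs while `rule->label` holds an error pointer rather than a valid label, and the hunk does not show the free routine, so it is worth confirming in review that it checks `IS_ERR()` before dropping the label reference. A small point on the changelog: it says "copy errNo" while the variable added here is named `err`; making the two match would help anyone reading the log alongside the code.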