Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp4444801ybg;
        Mon, 21 Oct 2019 09:06:49 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyMH03iZ82sDOqxmZw/D3Ltv1BH8Szzxqge6QPmi6WflMn4mKYtHYGPnKXsqikmdULOu/Av
X-Received: by 2002:a17:906:f0d2:: with SMTP id dk18mr23110591ejb.281.1571674009234;
        Mon, 21 Oct 2019 09:06:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571674009; cv=none;
        d=google.com; s=arc-20160816;
        b=kVJuCsbJohQcwSboQmQC91jgdYBBhVRqosL+n3jlFyKQ5yX7jRkOowU+4vFsbalzRZ
         JDOz5/tRLjncMntj9H8MBoBQ7FUIacuRC3dy4FiiNv1EK+ctj7C98c0W2CijQEbtGvEh
         ygV358kc5oBa7hAR+vs56EP/dz6C1nBBIrxdNI5eklMn68p/ddfGA4/bikMrk4vrDJ9+
         OipzcCr/1oquO74n8ND8klhl9M9PJobtriHM57TtUqm7BCZ8QqNQ/ctAn6adLv5N6es3
         mPWOrfixutqMHyhvNQ68vNrs7kqZ57CoQtz+hPGCV8xWJ9pGno6kL1zfptKgoO+pDTf3
         gMyQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature;
        bh=+9Fw9C3VNmrkj4O0SxMaQ6+MpbqTvqoB6rYX9UMgB/Q=;
        b=nUbNWT91Lkc4uoX0aAec1V81HaCvuQPm0w0zATsnHdIn3UnduHtZ/ya0aSfsE7Af1d
         s6x2mi/O4+VjivTQqZt6PaeZmmL5h8CPeGi32uNE0qZaJJoEZUOMqQj7+nSX1Q9rI2ar
         Z6VK3CUQFhxs1wOJDhH1kk/D1vKRYJT2wHZr/n0u3KkdvA17yMFidDT9tNUDI+JAh2VY
         wcbQmA05L5ffGE2WsEHvwOr1JdcxE0cFn7i7FBI3Gs2wd/iAM7varH+56cAvyQ7AUUlQ
         KuIe4RTCKYTm9bTI+06yv8qt95dixJHEuWieq8/6XCS+Y4d46GTNM5hLJ9I1tTQnd60D
         COvg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=El1z6SHT;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m5si8658584ejr.417.2019.10.21.09.06.17;
        Mon, 21 Oct 2019 09:06:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=El1z6SHT;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729082AbfJUQFw (ORCPT <rfc822;nishadkamdar@gmail.com>
        + 99 others); Mon, 21 Oct 2019 12:05:52 -0400
Received: from mail-il1-f196.google.com ([209.85.166.196]:42780 "EHLO
        mail-il1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726289AbfJUQFw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 Oct 2019 12:05:52 -0400
Received: by mail-il1-f196.google.com with SMTP id o16so4425646ilq.9;
        Mon, 21 Oct 2019 09:05:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=+9Fw9C3VNmrkj4O0SxMaQ6+MpbqTvqoB6rYX9UMgB/Q=;
        b=El1z6SHTX7CqiaLgncFAg/FvJ1ExE/Im2uEY3oUmCkZF5hwFGBPBCmNjKk6PTUha23
         KEPoJBnSq7ZW+6tqenfQL/J/zIwFtJIZ+YA0kjV6XqFEfwUOUxFJK5+HvXosbRl9hjCi
         DauRXVF/sa4FufQZmYsUkaw6+ZgF915p7bQTj9klNgAHViC6q8yiiMxtj7Y0JGoEKWko
         YOxQhpaPKYrTiWyrfHTzUG1+pqJE2LXVFjwqOFCGm7D7ummtUomWGRlNxCc9HYmy95TV
         4VlTypk1b4QE0EOQdkNQV3zPgPkI+XFQLYYQbSoCnPTWjk/bKgp6DDbUK/jQRDTicKvz
         N6mQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=+9Fw9C3VNmrkj4O0SxMaQ6+MpbqTvqoB6rYX9UMgB/Q=;
        b=aK6PF4842SNgYr2bMiiCLM+OupPfVV4f0FO3sQwzBCmJ0FBxWsx5mli0KsoyioOSK8
         BvsmK8JbL4ksB+Mvg9en+H5UNQCOAqmALmAtbENzj6+2/0TB8yc9yI7S7A46VN5+PARf
         KvHlMlSh1dz0qD9XXXIslAtWnuIhhRR05QZnHFe3WI2hOgUvSJQP5VDkjKJYHIoz6fJM
         kqnlEFZVF/mHeZv+PAa84qLA1mSC3uzqyOVsWmjG9ocjw8eisYvjPsRO8FTmpZwDKhhH
         gv0FtD7qqa5bY5oaK/+3NiBdMmcjCFTBr2vw4aEODG2cSW5Ts6fb3gXtgbVv9yLRAoWK
         6d8Q==
X-Gm-Message-State: APjAAAXIZahFJizZyxzktTNsNKrSOBxsx+ttCHzEWT5e2sGI+8Db8w6Z
        JLVdfNZy6VqD3f6+Lr7eHLA=
X-Received: by 2002:a92:6f08:: with SMTP id k8mr25825599ilc.57.1571673949954;
        Mon, 21 Oct 2019 09:05:49 -0700 (PDT)
Received: from cs-dulles.cs.umn.edu (cs-dulles.cs.umn.edu. [128.101.35.54])
        by smtp.googlemail.com with ESMTPSA id l7sm589694ilq.57.2019.10.21.09.05.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 21 Oct 2019 09:05:48 -0700 (PDT)
From:   Navid Emamdoost <navid.emamdoost@gmail.com>
To:     tyhicks@canonical.com
Cc:     emamd001@umn.edu, smccaman@umn.edu, kjlu@umn.edu,
        Navid Emamdoost <navid.emamdoost@gmail.com>,
        John Johansen <john.johansen@canonical.com>,
        James Morris <jmorris@namei.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3] apparmor: Fix use-after-free in aa_audit_rule_init
Date:   Mon, 21 Oct 2019 11:05:31 -0500
Message-Id: <20191021160532.7719-1-navid.emamdoost@gmail.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20191021154533.GB12140@elm>
References: <20191021154533.GB12140@elm>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release, the return statement
tries to access the label field of the rule which results in
use-after-free. Before releasing the rule, copy errNo and return it
after release.

Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
Changes in v3:
	-- applied Tyler Hicks recommendation on err initialization.

 security/apparmor/audit.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..597732503815 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
 				     GFP_KERNEL, true, false);
 	if (IS_ERR(rule->label)) {
+		int err = PTR_ERR(rule->label);
 		aa_audit_rule_free(rule);
-		return PTR_ERR(rule->label);
+		return err;
 	}
 
 	*vrule = rule;
-- 
2.17.1