Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp4446644ybg;
        Mon, 21 Oct 2019 09:08:13 -0700 (PDT)
X-Google-Smtp-Source: APXvYqywJWgB1HqbJTG4H33NO+Xh+8FIR8Jc1n+TTXtkwg8r55K00nIsg0F9HpKZGEKHEGM/no/Y
X-Received: by 2002:a05:6402:149a:: with SMTP id e26mr25643423edv.123.1571674093671;
        Mon, 21 Oct 2019 09:08:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571674093; cv=none;
        d=google.com; s=arc-20160816;
        b=oLplpwNKybsqx0jDHxaksm49L+Jv3H/Srh/dyJO8pcejIliI14J1Di1uRzfk39HZ+b
         7QQdKs/kgLgsV0ajc34SHzzYv9PUBojji/gYdwTZlZgisv6tpErYP1h0aTLr2W2GimDl
         PDFcg25Jq8Jec/6eva3UGt/Iz18B/40h88VeLQ/vLsniCWI4fFeWTA/AR+ecyLqT79uv
         bZHRvsM4ioZ96kTYFY7lqA2kTPYlCRB78iG28LDzjSd7ruoHUtrWSbp/TTaByGySBPWi
         uQm2pM+RAcPaQDjeg+WpYre4/KlSRv4mmHYkraVfazbEe06haAiBhgkR+Nu/uOJ3kY6T
         Zktw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=l4jp1v93/2FgQkHywpHT6u/4Wamz/29ge5dqIlchhaE=;
        b=iGeQ1sr1gv5seiz9fwGdxE5HjoOEn4tADRohN/VA7nSyFFfuw81vQe+2O4SBdTBMpL
         zCwHNdDOYcNcz6L/RN1a+wnm5p+ZUaUlkwf4F0wM16yJAMH92Gj2QX6/55TBx/QL4Epu
         LcjG/e6KVX8BlYejTGYB3f+ovdKOqAFFvb0NAlYYQs8mvvY6o2Dq1eMZK5lnV6Wfxg4p
         UwjSrDavPta5ffMxQvIe9Cl9dtHqlonTNxQdGGCG0rcy3MQbameCMSt9YcYiDsaKdmUh
         8ewvKhhzVSRkKdOGokZeqz07qKm5YKOsBfVuyYq5SBNNkZ0cHxPzZw6d0Enj4NLbBwNF
         NjrQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=stHJW1+p;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id dt26si196026ejb.38.2019.10.21.09.07.38;
        Mon, 21 Oct 2019 09:08:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=stHJW1+p;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729746AbfJUQG6 (ORCPT <rfc822;nishadkamdar@gmail.com>
        + 99 others); Mon, 21 Oct 2019 12:06:58 -0400
Received: from mail-il1-f194.google.com ([209.85.166.194]:34195 "EHLO
        mail-il1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726672AbfJUQG6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 Oct 2019 12:06:58 -0400
Received: by mail-il1-f194.google.com with SMTP id c12so12548906ilm.1;
        Mon, 21 Oct 2019 09:06:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=l4jp1v93/2FgQkHywpHT6u/4Wamz/29ge5dqIlchhaE=;
        b=stHJW1+p6Va080aV9Fi+Gwh8Gzw08WrV6ddm4xTzyiRuCgMv83nknJG/2laRPfq3ua
         uXUqNJSt9jQd9wB2srqvzRVXZAh/rB50qqOqY8s4jFZJSCa/GKxydMI05hO2WbfvUrMC
         KkR3P8brBlhohd5S1f5SzFjW5cMyuT+Z50tvxjMCn2rVMrtUX0GT1W8VXSmI1ueGKGp9
         pFEXVUCzPBHc2qHhpCschbHLEkp8VvYoNbWZWNKtRfzqzN3k/5lWTOPGtoXUyS9yovnf
         NADpWYrpgFGyFQtviTh+GKAl7mcagZMomWORSMgMwp9D2cpbEJ4hTaPKhq9ognlYcFyR
         QRlg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=l4jp1v93/2FgQkHywpHT6u/4Wamz/29ge5dqIlchhaE=;
        b=tQeJjXwgPdTJKNsPgDRv04IWy7xQkroZGDkewd/nFYnzKSldHudCR5BgXMJBIeNigV
         ed+wXW8LuP0tB+jJoiTi8hpeZx7f+L2z+sryKvtCk12l5OtbsEI7emoeAfEiqQmGWtIC
         pDYg0V0Ahx47HBhuUa8ChI4Ay/IrT6bViCMoo1uqpPdB1D969lrN2S+UWYh+vkTAI0oq
         xVhJ5cKjbvfh7GYF3QMROtp7QZO2C1G8mwuUjhq99zcPOHI7/buYvJK0N6x4eWCNS1Zy
         msHs0v47vtduyDT061S7xwcDQXI3szuuQz2YkUK4fNp7RHBSLsYBe0TDUdDIo5Ve7h9C
         ir2A==
X-Gm-Message-State: APjAAAVZlhHKYcRiFzENF6KGuGxDxXje+wbBMyXvAMkPg5DN2Skot73t
        D6oDjz9/z7fZNf67gcbRT5FIDSw1aqPymOJ4YP8=
X-Received: by 2002:a92:4144:: with SMTP id o65mr26124347ila.172.1571674017046;
 Mon, 21 Oct 2019 09:06:57 -0700 (PDT)
MIME-Version: 1.0
References: <57b61298-cbeb-f0ff-c6ba-b8f64d5d0287@canonical.com>
 <20191021152348.3906-1-navid.emamdoost@gmail.com> <20191021154533.GB12140@elm>
In-Reply-To: <20191021154533.GB12140@elm>
From:   Navid Emamdoost <navid.emamdoost@gmail.com>
Date:   Mon, 21 Oct 2019 11:06:46 -0500
Message-ID: <CAEkB2ETn48r_BaXZ+q0X8-h=zi31C0MN5b51rYuciStTvLoceA@mail.gmail.com>
Subject: Re: [PATCH v2] apparmor: Fix use-after-free in aa_audit_rule_init
To:     Tyler Hicks <tyhicks@canonical.com>
Cc:     John Johansen <john.johansen@canonical.com>,
        Navid Emamdoost <emamd001@umn.edu>,
        Stephen McCamant <smccaman@umn.edu>, Kangjie Lu <kjlu@umn.edu>,
        James Morris <jmorris@namei.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        linux-security-module@vger.kernel.org,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 21, 2019 at 10:45 AM Tyler Hicks <tyhicks@canonical.com> wrote:
>
> On 2019-10-21 10:23:47, Navid Emamdoost wrote:
> > In the implementation of aa_audit_rule_init(), when aa_label_parse()
> > fails the allocated memory for rule is released using
> > aa_audit_rule_free(). But after this release, the return statement
> > tries to access the label field of the rule which results in
> > use-after-free. Before releasing the rule, copy errNo and return it
> > after release.
> >
> > Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
>
> Ugh! I'm not sure what I was thinking when I authored that patch. :/
>
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > ---
> > Changes in v2:
> >       -- Fix typo in description
> >       -- move err definition inside the if statement.
> >
> >  security/apparmor/audit.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
> > index 5a98661a8b46..334065302fb6 100644
> > --- a/security/apparmor/audit.c
> > +++ b/security/apparmor/audit.c
> > @@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> >       rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
> >                                    GFP_KERNEL, true, false);
> >       if (IS_ERR(rule->label)) {
> > +             int err = rule->label;
>
> Since rule->label is a pointer, I'd like to see this:
>
>  int err = PTR_ERR(rule->label);
>
> >               aa_audit_rule_free(rule);
> > -             return PTR_ERR(rule->label);
> > +             return PTR_ERR(err);
>
> This line would change to:
>
>  return err;
>
Tyler, I made the changes and sent v3.

>
> Tyler
>
> >       }
> >
> >       *vrule = rule;
> > --
> > 2.17.1
> >



-- 
Navid.