From: Xiyu Yang
To: John Johansen, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: xiyuyang19@fudan.edu.cn, yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xin Tan
Subject: [PATCH] apparmor: fix potential label refcnt leak in aa_change_profile
Date: Sun, 29 Mar 2020 22:57:41 +0800
Message-Id: <1585493861-9867-1-git-send-email-xiyuyang19@fudan.edu.cn>

aa_change_profile() invokes aa_get_current_label(), which returns a reference of the current task's label. According to the comment of aa_get_current_label(), the returned reference must be put with aa_put_label().
However, when the original object pointed by "label" becomes unreachable because aa_change_profile() returns or a new object is assigned to "label", reference count increased by aa_get_current_label() is not decreased, causing a refcnt leak. Fix this by calling aa_put_label() before the original object pointed by "label" becomes unreachable. Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan --- security/apparmor/domain.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 6ceb74e0f789..b99145ae34c0 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -1328,6 +1328,7 @@ int aa_change_profile(const char *fqname, int flags) ctx->nnp = aa_get_label(label); if (!fqname || !*fqname) { + aa_put_label(label); AA_DEBUG("no profile name"); return -EINVAL; } @@ -1346,6 +1347,7 @@ int aa_change_profile(const char *fqname, int flags) op = OP_CHANGE_PROFILE; } + aa_put_label(label); label = aa_get_current_label(); if (*fqname == '&') { -- 2.7.4
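
Review bot: in the first hunk (@@ -1328,6 +1328,7), the added aa_put_label(label) is open-coded directly in front of a bare "return -EINVAL", so any early return added later while this reference is still held will need its own put and can reintroduce the same leak. Consider routing this path through a single exit that performs the put (a goto to a cleanup label) instead of repeating it per return. It would also help to state in the commit message that this put balances only the aa_get_current_label() reference: the reference taken by "ctx->nnp = aa_get_label(label)" on the context line above is stored in ctx->nnp and is intentionally not dropped here.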
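
Review bot: in the second hunk (@@ -1346,6 +1347,7), the added aa_put_label(label) is followed immediately by "label = aa_get_current_label()", so the function drops its reference to the current task's label and takes a new one back to back. If nothing between function entry and this point can change the current label, removing the second aa_get_current_label() and keeping the original reference would fix the leak without the extra put/get pair. If the label can change in between, a comment should say so, since "ctx->nnp = aa_get_label(label)" in the earlier hunk's context was then taken from a possibly different label. The commit message also carries no Fixes: tag naming the change that introduced the leak.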