On Mon, Oct 21, 2019 at 10:45 AM Tyler Hicks [off-list ref] wrote:

On 2019-10-21 10:23:47, Navid Emamdoost wrote:

quoted

In the implementation of aa_audit_rule_init(), when aa_label_parse()
fails the allocated memory for rule is released using
aa_audit_rule_free(). But after this release, the return statement
tries to access the label field of the rule which results in
use-after-free. Before releasing the rule, copy errNo and return it
after release.

Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")

Ugh! I'm not sure what I was thinking when I authored that patch. :/

quoted

Signed-off-by: Navid Emamdoost <redacted>
---
Changes in v2:
      -- Fix typo in description
      -- move err definition inside the if statement.

 security/apparmor/audit.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 5a98661a8b46..334065302fb6 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c

@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
      rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
                                   GFP_KERNEL, true, false);
      if (IS_ERR(rule->label)) {
+             int err = rule->label;

Since rule->label is a pointer, I'd like to see this:

 int err = PTR_ERR(rule->label);

quoted

              aa_audit_rule_free(rule);
-             return PTR_ERR(rule->label);
+             return PTR_ERR(err);

This line would change to:

 return err;

Tyler, I made the changes and sent v3.

Tyler

quoted

      }

      *vrule = rule;
--
2.17.1

-- 
Navid.