Re: [PATCH 2/2] AppArmor: Fix lsm_get_self_attr()
From: Paul Moore <paul@paul-moore.com>
Date: 2024-02-27 22:14:10
Also in:
lkml, stable
On Tue, Feb 27, 2024 at 5:09 PM Paul Moore [off-list ref] wrote:
On Tue, Feb 27, 2024 at 11:01 AM Paul Moore [off-list ref] wrote:quoted
On Mon, Feb 26, 2024 at 2:59 PM Paul Moore [off-list ref] wrote:quoted
On Fri, Feb 23, 2024 at 4:07 PM Paul Moore [off-list ref] wrote:quoted
On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün [off-list ref] wrote:quoted
aa_getprocattr() may not initialize the value's pointer in some case. As for proc_pid_attr_read(), initialize this pointer to NULL in apparmor_getselfattr() to avoid an UAF in the kfree() call. Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: John Johansen <john.johansen@canonical.com> Cc: Paul Moore <paul@paul-moore.com> Cc: stable@vger.kernel.org Fixes: 223981db9baf ("AppArmor: Add selfattr hooks") Signed-off-by: Mickaël Salaün <mic@digikod.net> --- security/apparmor/lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)If you like John, I can send this up to Linus with the related SELinux fix, I would just need an ACK from you.Reviewed-by: Paul Moore <paul@paul-moore.com> This patch looks good to me, and while we've still got at least two (maybe three?) more weeks before v6.8 is tagged, I think it would be good to get this up to Linus ASAP. I'll hold off for another day, but if we don't see any comment from John I'll go ahead and merge this and send it up to Linus with the SELinux fix; I'm sure John wouldn't be happy if v6.8 went out the door without this fix.I just merged this into lsm/stable-6.8 and once the automated build/test has done it's thing and come back clean I'll send this, along with the associated SELinux fix, up to Linus. Thanks all.In off-list discussions with Mickaël today it was noted that this patch also needs a fixup to the commit description so I've replaced it with the following: "In apparmor_getselfattr() when an invalid AppArmor attribute is requested, or a value hasn't been explicitly set for the requested attribute, the label passed to aa_put_label() is not properly initialized which can cause problems when the pointer value is non-NULL and AppArmor attempts to drop a reference on the bogus label object." I've updated the commit in lsm/stable-6.8 and I'll be sending it to Linus shortly.quoted
John, if this commit is problematic please let me know and I'll send a fix or a revert.
I also just realized that both this patch and the SELinux have the stable kernel marking which shouldn't be necessary as the LSM syscalls are only present in the v6.8-rcX kernels. I'm going to drop the stable tagging, but leave the 'Fixes:' tag of course. -- paul-moore.com