On Fri, Feb 23, 2024 at 4:07 PM Paul Moore paul@paul-moore.com wrote:
On Fri, Feb 23, 2024 at 2:06 PM Mickaël Salaün mic@digikod.net wrote:
aa_getprocattr() may not initialize the value's pointer in some case. As for proc_pid_attr_read(), initialize this pointer to NULL in apparmor_getselfattr() to avoid an UAF in the kfree() call.
Cc: Casey Schaufler casey@schaufler-ca.com Cc: John Johansen john.johansen@canonical.com Cc: Paul Moore paul@paul-moore.com Cc: stable@vger.kernel.org Fixes: 223981db9baf ("AppArmor: Add selfattr hooks") Signed-off-by: Mickaël Salaün mic@digikod.net
security/apparmor/lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
If you like John, I can send this up to Linus with the related SELinux fix, I would just need an ACK from you.
Reviewed-by: Paul Moore paul@paul-moore.com
This patch looks good to me, and while we've still got at least two (maybe three?) more weeks before v6.8 is tagged, I think it would be good to get this up to Linus ASAP. I'll hold off for another day, but if we don't see any comment from John I'll go ahead and merge this and send it up to Linus with the SELinux fix; I'm sure John wouldn't be happy if v6.8 went out the door without this fix.
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 98e1150bee9d..9a3dcaafb5b1 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -784,7 +784,7 @@ static int apparmor_getselfattr(unsigned int attr, struct lsm_ctx __user *lx, int error = -ENOENT; struct aa_task_ctx *ctx = task_ctx(current); struct aa_label *label = NULL;
char *value;
char *value = NULL; switch (attr) { case LSM_ATTR_CURRENT:-- 2.43.0