Message ID | 20240105020126.315700-1-cuigaosheng1@huawei.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Headers | show |
Series | apparmor: Fix memory leak in unpack_profile() | expand |
On 1/4/24 18:01, Gaosheng Cui wrote: > The aa_put_pdb(rules->file) should be called when rules->file is > reassigned, otherwise there may be a memory leak. > > This was found via kmemleak: > > unreferenced object 0xffff986c17056600 (size 192): > comm "apparmor_parser", pid 875, jiffies 4294893488 > hex dump (first 32 bytes): > 00 00 00 00 00 00 00 00 00 89 14 04 6c 98 ff ff ............l... > 00 00 8c 11 6c 98 ff ff bc 0c 00 00 00 00 00 00 ....l........... > backtrace (crc e28c80c4): > [<ffffffffba25087f>] kmemleak_alloc+0x4f/0x90 > [<ffffffffb95ecd42>] kmalloc_trace+0x2d2/0x340 > [<ffffffffb98a7b3d>] aa_alloc_pdb+0x4d/0x90 > [<ffffffffb98ab3b8>] unpack_pdb+0x48/0x660 > [<ffffffffb98ac073>] unpack_profile+0x693/0x1090 > [<ffffffffb98acf5a>] aa_unpack+0x10a/0x6e0 > [<ffffffffb98a93e3>] aa_replace_profiles+0xa3/0x1210 > [<ffffffffb989a183>] policy_update+0x163/0x2a0 > [<ffffffffb989a381>] profile_replace+0xb1/0x130 > [<ffffffffb966cb64>] vfs_write+0xd4/0x3d0 > [<ffffffffb966d05b>] ksys_write+0x6b/0xf0 > [<ffffffffb966d10e>] __x64_sys_write+0x1e/0x30 > [<ffffffffba242316>] do_syscall_64+0x76/0x120 > [<ffffffffba4000e5>] entry_SYSCALL_64_after_hwframe+0x6c/0x74 > > So add aa_put_pdb(rules->file) to fix it when rules->file is reassigned. > > Fixes: 98b824ff8984 ("apparmor: refcount the pdb") > Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> yep, thanks. I have pulled this into the apparmor tree Acked-by: John Johansen <john.johansen@canonical.com> > --- > security/apparmor/policy_unpack.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c > index 47ec097d6741..16afe992a724 100644 > --- a/security/apparmor/policy_unpack.c > +++ b/security/apparmor/policy_unpack.c > @@ -1022,8 +1022,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) > } > } else if (rules->policy->dfa && > rules->policy->start[AA_CLASS_FILE]) { > + aa_put_pdb(rules->file); > rules->file = aa_get_pdb(rules->policy); > } else { > + aa_put_pdb(rules->file); > rules->file = aa_get_pdb(nullpdb); > } > error = -EPROTO;
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 47ec097d6741..16afe992a724 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -1022,8 +1022,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) } } else if (rules->policy->dfa && rules->policy->start[AA_CLASS_FILE]) { + aa_put_pdb(rules->file); rules->file = aa_get_pdb(rules->policy); } else { + aa_put_pdb(rules->file); rules->file = aa_get_pdb(nullpdb); } error = -EPROTO;
The aa_put_pdb(rules->file) should be called when rules->file is reassigned, otherwise there may be a memory leak. This was found via kmemleak: unreferenced object 0xffff986c17056600 (size 192): comm "apparmor_parser", pid 875, jiffies 4294893488 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 89 14 04 6c 98 ff ff ............l... 00 00 8c 11 6c 98 ff ff bc 0c 00 00 00 00 00 00 ....l........... backtrace (crc e28c80c4): [<ffffffffba25087f>] kmemleak_alloc+0x4f/0x90 [<ffffffffb95ecd42>] kmalloc_trace+0x2d2/0x340 [<ffffffffb98a7b3d>] aa_alloc_pdb+0x4d/0x90 [<ffffffffb98ab3b8>] unpack_pdb+0x48/0x660 [<ffffffffb98ac073>] unpack_profile+0x693/0x1090 [<ffffffffb98acf5a>] aa_unpack+0x10a/0x6e0 [<ffffffffb98a93e3>] aa_replace_profiles+0xa3/0x1210 [<ffffffffb989a183>] policy_update+0x163/0x2a0 [<ffffffffb989a381>] profile_replace+0xb1/0x130 [<ffffffffb966cb64>] vfs_write+0xd4/0x3d0 [<ffffffffb966d05b>] ksys_write+0x6b/0xf0 [<ffffffffb966d10e>] __x64_sys_write+0x1e/0x30 [<ffffffffba242316>] do_syscall_64+0x76/0x120 [<ffffffffba4000e5>] entry_SYSCALL_64_after_hwframe+0x6c/0x74 So add aa_put_pdb(rules->file) to fix it when rules->file is reassigned. Fixes: 98b824ff8984 ("apparmor: refcount the pdb") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> --- security/apparmor/policy_unpack.c | 2 ++ 1 file changed, 2 insertions(+)