Patch "apparmor: Fix memory leak in unpack_profile()" has been added to the 6.7-stable tree


 



This is a note to let you know that I've just added the patch titled

    apparmor: Fix memory leak in unpack_profile()

to the 6.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     apparmor-fix-memory-leak-in-unpack_profile.patch
and it can be found in the queue-6.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ea2e4b38057d5ff36f63627ecbf34c77b153864a
Author: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
Date:   Fri Jan 5 10:01:26 2024 +0800

    apparmor: Fix memory leak in unpack_profile()
    
    [ Upstream commit 8ead196be219adade3bd0d4115cc9b8506643121 ]
    
    The aa_put_pdb(rules->file) should be called when rules->file is
    reassigned, otherwise there may be a memory leak.
    
    This was found via kmemleak:
    
    unreferenced object 0xffff986c17056600 (size 192):
      comm "apparmor_parser", pid 875, jiffies 4294893488
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 89 14 04 6c 98 ff ff  ............l...
        00 00 8c 11 6c 98 ff ff bc 0c 00 00 00 00 00 00  ....l...........
      backtrace (crc e28c80c4):
        [<ffffffffba25087f>] kmemleak_alloc+0x4f/0x90
        [<ffffffffb95ecd42>] kmalloc_trace+0x2d2/0x340
        [<ffffffffb98a7b3d>] aa_alloc_pdb+0x4d/0x90
        [<ffffffffb98ab3b8>] unpack_pdb+0x48/0x660
        [<ffffffffb98ac073>] unpack_profile+0x693/0x1090
        [<ffffffffb98acf5a>] aa_unpack+0x10a/0x6e0
        [<ffffffffb98a93e3>] aa_replace_profiles+0xa3/0x1210
        [<ffffffffb989a183>] policy_update+0x163/0x2a0
        [<ffffffffb989a381>] profile_replace+0xb1/0x130
        [<ffffffffb966cb64>] vfs_write+0xd4/0x3d0
        [<ffffffffb966d05b>] ksys_write+0x6b/0xf0
        [<ffffffffb966d10e>] __x64_sys_write+0x1e/0x30
        [<ffffffffba242316>] do_syscall_64+0x76/0x120
        [<ffffffffba4000e5>] entry_SYSCALL_64_after_hwframe+0x6c/0x74
    
    So add aa_put_pdb(rules->file) to fix it when rules->file is reassigned.
    
    Fixes: 98b824ff8984 ("apparmor: refcount the pdb")
    Signed-off-by: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
    Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index dbf7d96257ad..5e578ef0ddff 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1025,8 +1025,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		}
 	} else if (rules->policy->dfa &&
 		   rules->policy->start[AA_CLASS_FILE]) {
+		aa_put_pdb(rules->file);
 		rules->file = aa_get_pdb(rules->policy);
 	} else {
+		aa_put_pdb(rules->file);
 		rules->file = aa_get_pdb(nullpdb);
 	}
 	error = -EPROTO;
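
Review bot: Both added `aa_put_pdb(rules->file);` calls, in the `else if` and the `else` branch, drop a reference that this hunk never shows being taken, so a short comment above the reassignments stating that rules->file still holds the pdb from the earlier unpack would make the get/put pairing auditable from the code alone. The kmemleak backtrace in the commit message (aa_alloc_pdb called from unpack_pdb called from unpack_profile) is the only place that origin is documented right now. The put is unconditional on both paths, so it is worth confirming that aa_put_pdb() tolerates every value rules->file can hold when these branches are reached, including the case where nothing was unpacked into it. Since the same put-then-get sequence now appears twice, a small helper that replaces rules->file with a new reference would keep a later edit from fixing one branch and missing the other.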



