[apparmor] AppArmor Kernel-patch 3.6 in kernel 3.14 // for (p = profile->replacedby; p; )

Jae Suk Park jspark99 at gmail.com
Tue Nov 24 03:44:13 UTC 2015


I wonder if this patch should be applied or not to the 3.14 kernel (14.04 LTS,
Trusty):
/kernel-patches/3.6/0006-apparmor-fix-IRQ-stack-overflow-during-free_profile.patch
=================================
From 663d5bbe6197bf990721c37ec877ea8ba5840202 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
Date: Wed, 24 Oct 2012 06:27:32 -0700
Subject: [PATCH 6/6] apparmor: fix IRQ stack overflow during free_profile

BugLink: http://bugs.launchpad.net/bugs/1056078
=================================
It patches free_profile() in security/apparmor/policy.c,
and there is a pointer mismatch in the for loop statement in the 3.14 kernel (Trusty):
   // for (p = profile->replacedby; p; )
p points to aa_profile, but profile->replacedby points to a different
structure which has a "kref count" element.
===============================
security/apparmor/include/policy.h
struct aa_replacedby {
    struct kref count;
    struct aa_profile __rcu *profile;
};

struct aa_profile {
    struct aa_policy base;
    struct kref count;
    struct rcu_head rcu;
    struct aa_profile __rcu *parent;

    struct aa_namespace *ns;
    struct aa_replacedby *replacedby;
    const char *rename;


security/apparmor/policy.c
void aa_free_profile(struct aa_profile *profile)
{
    struct aa_profile *p;

    /* put the profile reference for replacedby, but not via
     * put_profile(kref_put).
     * replacedby can form a long chain that can result in cascading
     * frees that blows the stack because kref_put makes a nested fn
     * call (it looks like recursion, with free_profile calling
     * free_profile) for each profile in the chain lp#1056078.
     */
    for (p = profile->replacedby; p; ) {
        if (atomic_dec_and_test(&p->base.count.refcount)) {
            /* no more refs on p, grab its replacedby */
            struct aa_profile *next = p->replacedby;
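
The iterative put that the quoted comment describes, as an added example that is not part of the original post or of the AppArmor source. It is a constructed userspace model: struct prof, put_nested, put_iterative and release_chain are hypothetical names, and a plain int stands in for the kref.

```c
#include <stdlib.h>

/* Constructed userspace model; every name here is hypothetical. */
struct prof {
    int refs;                /* stands in for the kref count */
    struct prof *replacedby; /* owns one reference on the next profile */
};
static int depth, max_depth, freed; /* max_depth: peak live put_nested() frames */

/* Nested put: freeing p puts p->replacedby, one stack frame per link. */
static void put_nested(struct prof *p)
{
    if (!p || --p->refs)
        return;
    if (++depth > max_depth)
        max_depth = depth;
    put_nested(p->replacedby);
    depth--;
    free(p);
    freed++;
}

/* Iterative put: walk the chain in one frame, stop at a profile still held. */
static void put_iterative(struct prof *p)
{
    while (p && --p->refs == 0) {
        struct prof *next = p->replacedby; /* read before freeing p */
        free(p);
        freed++;
        p = next;
    }
}

/* Release an n-long chain; pin >= 0 gives profile #pin a second holder. */
static int release_chain(int n, int iterative, int pin, int *nfreed)
{
    struct prof *head = NULL, *held = NULL;
    for (int i = n - 1; i >= 0; i--) {
        struct prof *p = malloc(sizeof(*p));
        if (!p) abort();
        *p = (struct prof){ .refs = 1 + (i == pin), .replacedby = head };
        head = p;
        if (i == pin) held = p;
    }
    depth = max_depth = freed = 0;
    (iterative ? put_iterative : put_nested)(head);
    *nfreed = freed;     /* profiles freed by the put under test */
    put_iterative(held); /* the second holder lets go; frees the rest */
    return max_depth;    /* 0 for the loop, which never nests */
}
```

Calling release_chain(1000, 0, -1, &n) reports 1000 nested frames for a 1000-profile chain, while release_chain(1000, 1, -1, &n) reports none and frees the same 1000 profiles.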