[apparmor] [PATCH] apparmor: fix null pointer deref in find_attach when xmatch is null

Ryan Lee ryan.lee at canonical.com
Wed Aug 21 18:12:16 UTC 2024


After further analysis, the root cause turned out to be the xmatch not
being set up properly when allocating a null profile for learning in
complain mode. Thus, I am withdrawing the above patch and instead
attaching a new patch that does this setup in aa_alloc_null.

Ryan

On Mon, Aug 19, 2024 at 1:05 PM Ryan Lee <ryan.lee at canonical.com> wrote:
>
> find_attach loops over profile entries and first checks for a DFA, falling
> back onto a strcmp otherwise. However, the check if (attach->xmatch->dfa)
> did not account for the possibility that (attach->xmatch) could be null.
> This occurred with a sequence of profile replacements that resulted in a
> kernel BUG print due to the null pointer dereference.
>
> To avoid this issue, first check that (attach->xmatch) is not null.
>
> The one-line patch is attached to the email.
>
> Ryan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apparmor-allocate-xmatch-for-nullpdf-inside-aa_alloc.patch
Type: text/x-patch
Size: 1229 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20240821/934de619/attachment.bin>

