[apparmor] [PATCH] apparmor: fix null pointer deref in find_attach when xmatch is null
John Johansen
john.johansen at canonical.com
Fri Sep 6 18:32:04 UTC 2024
On 8/22/24 15:53, Ryan Lee wrote:
> I just realized that I forgot to add sign off on my patch, so I'm
> resending it with the Signed-off-by line added.
>
> On Wed, Aug 21, 2024 at 11:12 AM Ryan Lee <ryan.lee at canonical.com> wrote:
>>
>> After further analysis, the root cause turned out to be the xmatch not
>> being set up properly when allocating a null profile for learning in
>> complain mode. Thus, I am withdrawing the above patch and instead
>> attaching a new patch that does this setup in aa_alloc_null.
>>
>> Ryan
>>
>> On Mon, Aug 19, 2024 at 1:05 PM Ryan Lee <ryan.lee at canonical.com> wrote:
>>>
>>> find_attach loops over profile entries and first checks for a DFA, falling
>>> back onto a strcmp otherwise. However, the check if (attach->xmatch->dfa)
>>> did not account for the possibility that (attach->xmatch) could be null.
>>> This occurred with a sequence of profile replacements that resulted in a
>>> kernel BUG print due to the null pointer dereference.
>>>
>>> To avoid this issue, first check that (attach->xmatch) is not null.
>>>
>>> The one-line patch is attached to the email.
>>>
>>> Ryan
this has been applied to the apparmor tree
thanks
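
The two fixes discussed in this thread (the null check in find_attach and the xmatch setup in aa_alloc_null), shown side by side in a simplified userspace model. This is an added example, not the attached patch and not kernel code; every name prefixed model_ and the struct layouts are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified userspace stand-ins; names prefixed model_ are hypothetical,
 * not the kernel's definitions. */
struct model_dfa { int states; };
struct model_policydb { struct model_dfa *dfa; };
struct model_attach { struct model_policydb *xmatch; };
struct model_profile { const char *name; struct model_attach attach; };

/* Empty policy database with no DFA, shared by profiles without xmatch rules. */
static struct model_policydb model_empty_db = { NULL };

/* Models allocating a null (learning) profile. setup_xmatch == 0 reproduces
 * the state described in the thread: attach.xmatch is left NULL. */
struct model_profile *model_alloc_null(const char *name, int setup_xmatch)
{
    struct model_profile *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    p->name = name;
    if (setup_xmatch)
        p->attach.xmatch = &model_empty_db; /* root-cause fix: never NULL */
    return p;
}

/* Models the find_attach loop: use the DFA if present, else strcmp on the name. */
struct model_profile *model_find_attach(struct model_profile **list, size_t n,
                                        const char *name)
{
    for (size_t i = 0; i < n; i++) {
        struct model_attach *attach = &list[i]->attach;
        /* Defensive check from the first patch: test xmatch before xmatch->dfa. */
        if (attach->xmatch && attach->xmatch->dfa)
            continue; /* DFA matching is out of scope for this model */
        if (strcmp(list[i]->name, name) == 0)
            return list[i];
    }
    return NULL;
}
```

With the allocation fix in place the first half of the check is redundant; without it, that check is the only thing between the loop and the dereference of a NULL xmatch.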