[PATCH 1/5] UBUNTU: SAUCE: AppArmor: Fix oops after profile removal
Stefan Bader
stefan.bader at canonical.com
Wed Nov 11 13:14:01 UTC 2009
So the problem arises as aa_profile_newest() would return NULL when being
called with replacedby being an error_ptr. And aa_profile_newest() is often
called as producer of the argument to aa_filtered_profile() which tries to
access profile->flags without checking for a NULL pointer.
When using a generic profile (I just assume it is) instead,
is there danger of accidentally dropping it in free_aa_profile()?
if (profile->replacedby && !PTR_ERR(profile->replacedby))
aa_put_profile(profile->replacedby);
Stefan
John Johansen wrote:
> BugLink: http://bugs.launchpad.net/bugs/475619
>
> SRU Justicication: this bug can cause a null pointer dereference kernel
> oops. This will occur any time children profiles are attached to running
> processes. This can occur when change_hat, children profiles or profile
> learning is used.
> ---
> ubuntu/apparmor/policy.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/ubuntu/apparmor/policy.c b/ubuntu/apparmor/policy.c
> index 390bbf6..a772801 100644
> --- a/ubuntu/apparmor/policy.c
> +++ b/ubuntu/apparmor/policy.c
> @@ -322,7 +322,7 @@ void __aa_remove_profile(struct aa_profile *profile,
> if (replacement)
> profile->replacedby = aa_get_profile(replacement);
> else
> - profile->replacedby = ERR_PTR(-EINVAL);
> + profile->replacedby = aa_get_profile(profile->ns->unconfined);
> list_del_init(&profile->base.list);
> if (!(profile->flags & PFLAG_NO_LIST_REF))
> aa_put_profile(profile);
More information about the kernel-team
mailing list