A use-after-free issue can be triggered when running the
following stress-ng workload:
```
sudo stress-ng --apparmor 0 --timeout 30 \
--oom-avoid-bytes 10% --skip-silent --verbose
```
The warning looks like:
```
refcount_t: addition on 0; use-after-free
aa_replace_profiles+0xbe5/0x12a0
policy_update+0xdb/0x170
profile_replace+0x4b/0xb0
```
The issue can be reproduced on both v7.1-rc7 and Ubuntu
6.17.0-35-generic kernels.
aa_get_profile_loaddata() requires the supplied loaddata object
to hold a valid reference. However, the loaddata reference count
may already have reached zero in the replacement loop, resulting
in a use-after-free condition.
Avoid calling aa_get_profile_loaddata() on loaddata objects with
a zero reference count and skip those entries instead.
Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference")
Signed-off-by: Junxiao Chang <[email protected]>
---
security/apparmor/policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index b6a5eb4021dbd..98f84d4552697 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1220,7 +1220,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns,
struct aa_label *label,
/* check for duplicate rawdata blobs: space and file dedup */
if (!list_empty(&ns->rawdata_list)) {
list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
- if (aa_rawdata_eq(rawdata_ent, udata)) {
+ if (kref_read(&rawdata_ent->pcount) &&
aa_rawdata_eq(rawdata_ent, udata)) {
struct aa_loaddata *tmp;
tmp = aa_get_profile_loaddata(rawdata_ent);
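Review bot: The added `kref_read(&rawdata_ent->pcount)` test before `aa_rawdata_eq()` is a check-then-act sequence, so the hunk narrows the window rather than closing it: the count can still drop to zero between the read and the `tmp = aa_get_profile_loaddata(rawdata_ent);` call below, which is exactly the "addition on 0" the warning reports. The idiomatic fix is to make the acquisition itself conditional, e.g. have `aa_get_profile_loaddata()` take the reference with `kref_get_unless_zero()` and return NULL on failure, then test `tmp` for NULL in this loop and `continue` for dead entries. If `kref_read()` is kept as a cheap pre-filter, the commit message should state what serializes this walk of `ns->rawdata_list` against the release path so a reviewer can judge that the remaining race is not reachable.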
--
2.43.0