]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commitdiff
projects / mirror_ubuntu-kernels.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 50a3302)
UBUNTU: SAUCE: apparmor: fix use after free in sk_peer_label
authorJohn Johansen <john.johansen@canonical.com>
Wed, 27 Jun 2018 03:19:19 +0000 (20:19 -0700)
committerAndrea Righi <andrea.righi@canonical.com>
Thu, 9 Mar 2023 14:57:15 +0000 (15:57 +0100)
BugLink: http://bugs.launchpad.net/bugs/1778646
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
security/apparmor/lsm.c patch | blob | blame | history

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 79436956e5f5cd918f85d733917608ca2b436a61..866e8d24cd82d56eace78519fd33cbf27cedd590 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1204,9 +1204,10 @@ static struct aa_label *sk_peer_label(struct sock *sk)
 {
        struct sock *peer_sk;
        struct aa_sk_ctx *ctx = SK_CTX(sk);
+       struct aa_label *label = ERR_PTR(-ENOPROTOOPT);
 
        if (ctx->peer)
-               return ctx->peer;
+               return aa_get_label(ctx->peer);
 
        if (sk->sk_family != PF_UNIX)
                return ERR_PTR(-ENOPROTOOPT);
@@ -1214,14 +1215,15 @@ static struct aa_label *sk_peer_label(struct sock *sk)
        /* check for sockpair peering which does not go through
         * security_unix_stream_connect
         */
-       peer_sk = unix_peer(sk);
+       peer_sk = unix_peer_get(sk);
        if (peer_sk) {
                ctx = SK_CTX(peer_sk);
                if (ctx->label)
-                       return ctx->label;
+                       label = aa_get_label(ctx->label);
+               sock_put(peer_sk);
        }
 
-       return ERR_PTR(-ENOPROTOOPT);
+       return label;
 }
 
 /**
@@ -1262,6 +1264,7 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
 done_len:
        if (copy_to_sockptr(optlen, &slen, sizeof(slen)))
                error = -EFAULT;
+       aa_put_label(peer);
 done:
        end_current_label_crit_section(label);
        kfree(name);
Ubuntu combined Linux kernel mirror