From: Maxime Bélair Date: Wed, 18 Feb 2026 09:27:34 +0000 (+0100) Subject: apparmor: fix potential UAF in aa_replace_profiles X-Git-Tag: v7.2-rc1~43^2~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b42f95813dc9ceb6bda35afcf914630909a19f9;p=thirdparty%2Fkernel%2Flinux.git apparmor: fix potential UAF in aa_replace_profiles The function aa_replace_profiles was accessing udata->size after calling aa_put_loaddata(udata), causing a potential UAF. Fixed this by saving the size to a local variable before dropping the reference. Fixes: 5ac8c355ae001 ("apparmor: allow introspecting the loaded policy pre internal transform") Reviewed-by: Georgia Garcia Signed-off-by: Maxime Bélair Signed-off-by: John Johansen --- diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 1739a9de9893a..08620984d9505 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -1378,13 +1378,15 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label, mutex_unlock(&ns->lock); out: + ssize_t udata_sz = udata->size; + aa_put_ns(ns); aa_put_profile_loaddata(udata); kfree(ns_name); if (error) return error; - return udata->size; + return udata_sz; fail_lock: mutex_unlock(&ns->lock);