From: Xiyu Yang Date: Mon, 20 Apr 2020 05:35:28 +0000 (+0800) Subject: apparmor: Fix aa_label refcnt leak in policy_update X-Git-Tag: v4.19.125~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7018495028f9cc5585b204e49e540ba8930e211;p=thirdparty%2Fkernel%2Fstable.git apparmor: Fix aa_label refcnt leak in policy_update commit c6b39f070722ea9963ffe756bfe94e89218c5e63 upstream. policy_update() invokes begin_current_label_crit_section(), which returns a reference of the updated aa_label object to "label" with increased refcount. When policy_update() returns, "label" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of policy_update(). When aa_may_manage_policy() returns not NULL, the refcnt increased by begin_current_label_crit_section() is not decreased, causing a refcnt leak. Fix this issue by jumping to "end_section" label when aa_may_manage_policy() returns not NULL. Fixes: 5ac8c355ae00 ("apparmor: allow introspecting the loaded policy pre internal transform") Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman --- diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 0a57d105cc5ba..1ec1e928cc09c 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -424,7 +424,7 @@ static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, */ error = aa_may_manage_policy(label, ns, mask); if (error) - return error; + goto end_section; data = aa_simple_write_to_buffer(buf, size, size, pos); error = PTR_ERR(data); @@ -432,6 +432,7 @@ static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, error = aa_replace_profiles(ns, label, mask, data); aa_put_loaddata(data); } +end_section: end_current_label_crit_section(label); return error;