Diffstat (limited to '0003-apparmor-fix-use-after-free-in-sk_peer_label.patch')
-rw-r--r-- | 0003-apparmor-fix-use-after-free-in-sk_peer_label.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/0003-apparmor-fix-use-after-free-in-sk_peer_label.patch b/0003-apparmor-fix-use-after-free-in-sk_peer_label.patch
new file mode 100644
index 000000000000..164f2667385f
--- /dev/null
+++ b/0003-apparmor-fix-use-after-free-in-sk_peer_label.patch
@@ -0,0 +1,43 @@
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 5c54d4588ede7be8a7d14469dec9129f9dafc406..bd37100000fdead3d5c27a316c818d419db5c2b1 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -1135,9 +1135,10 @@ static struct aa_label *sk_peer_label(struct sock *sk)
+ {
+ struct sock *peer_sk;
+ struct aa_sk_ctx *ctx = SK_CTX(sk);
++ struct aa_label *label = ERR_PTR(-ENOPROTOOPT);
+
+ if (ctx->peer)
+- return ctx->peer;
++ return aa_get_label(ctx->peer);
+
+ if (sk->sk_family != PF_UNIX)
+ return ERR_PTR(-ENOPROTOOPT);
+@@ -1145,14 +1146,15 @@ static struct aa_label *sk_peer_label(struct sock *sk)
+ /* check for sockpair peering which does not go through
+ * security_unix_stream_connect
+ */
+- peer_sk = unix_peer(sk);
++ peer_sk = unix_peer_get(sk);
+ if (peer_sk) {
+ ctx = SK_CTX(peer_sk);
+ if (ctx->label)
+- return ctx->label;
++ label = aa_get_label(ctx->label);
++ sock_put(peer_sk);
+ }
+
+- return ERR_PTR(-ENOPROTOOPT);
++ return label;
+ }
+
+ /**
+@@ -1196,6 +1198,7 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
+
+ }
+
++ aa_put_label(peer);
+ done:
+ end_current_label_crit_section(label);
+ |
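Review bot: sk_peer_label() now hands back a counted reference on both success paths (`aa_get_label(ctx->peer)` and `aa_get_label(ctx->label)`), but nothing on the function records that, so a later caller can leak the label unnoticed; I would add a comment above it such as `/* Returns: refcounted peer label or ERR_PTR; caller must aa_put_label() */`. The matching `aa_put_label(peer);` in apparmor_socket_getpeersec_stream() sits just before `done:`, which is correct only if every `goto done` is taken before a valid `peer` is held (an ERR_PTR presumably must not reach aa_put_label()); that function starts and ends outside the hunk, so this needs checking against the full body. Separately, `ctx->peer` is tested and then re-read for `aa_get_label()` with no locking visible here, so if another path can clear or replace it concurrently the reference may still be taken too late; it is worth confirming what serialises updates to `ctx->peer`.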