Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: fix potential label refcnt leak in aa_change_profile

aa_change_profile() invokes aa_get_current_label(), which returns
a reference to the current task's label.

According to the comment of aa_get_current_label(), the returned
reference must be put with aa_put_label().
However, when the original object pointed to by "label" becomes
unreachable because aa_change_profile() returns or a new object
is assigned to "label", the reference count increased by
aa_get_current_label() is not decreased, causing a refcnt leak.

Fix this by calling aa_put_label() before aa_change_profile() returns
and dropping the unnecessary aa_get_current_label().

Fixes: 9fcf78cca198 ("apparmor: update domain transitions that are subsets of confinement at nnp")
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Authored by Xiyu Yang and committed by John Johansen
a0b845ff b85051e7

+1 -2
security/apparmor/domain.c
··· 1328 1328 ctx->nnp = aa_get_label(label); 1329 1329 1330 1330 if (!fqname || !*fqname) { 1331 + aa_put_label(label); 1331 1332 AA_DEBUG("no profile name"); 1332 1333 return -EINVAL; 1333 1334 } ··· 1346 1345 else 1347 1346 op = OP_CHANGE_PROFILE; 1348 1347 } 1349 - 1350 - label = aa_get_current_label(); 1351 1348 1352 1349 if (*fqname == '&') { 1353 1350 stack = true;
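
Review bot: in the first hunk the added aa_put_label(label) is hand-placed in front of a bare `return -EINVAL` in the `!fqname || !*fqname` branch, so the balance of the reference depends on every early exit remembering its own put. Consider setting the error code and jumping to a single cleanup label that does the put, so a return added later cannot reintroduce the leak. It would also help to note in a comment that `ctx->nnp = aa_get_label(label)` two lines above holds its own reference, and that the put here releases only the local one.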
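
Review bot: in the second hunk, once `label = aa_get_current_label();` is removed, everything from `if (*fqname == '&')` onward relies on the reference taken earlier in the function, and neither the code shown nor the commit message says where that reference is acquired or released. A one-line comment at the acquisition site stating that "label" is held until the function exits, plus a sentence in the commit message saying that the removed call overwrote a reference that was still held, would make the ownership rule checkable from the patch alone.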