From patchwork Tue Nov 10 18:29:10 2009
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 38066
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/5] UBUNTU: SAUCE: AppArmor: Fix Oops when in apparmor_bprm_set_creds
Date: Tue, 10 Nov 2009 10:29:10 -0800
Message-Id: <1257877753-9448-3-git-send-email-john.johansen@canonical.com>
In-Reply-To: <1257877753-9448-1-git-send-email-john.johansen@canonical.com>
References: <1257877753-9448-1-git-send-email-john.johansen@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/437258

SRU Justification: This can cause an oops at 000068. This will happen to all processes confined or unconfined when name resolution fails at exec. This can happen in a couple different cases, applications like psxe, and mugen munge the process during their decompress and set up links so that a valid name does not exist. The other way that this can happen is executing code from a path that has been lazily unmounted. This can occur with nfs and automounters, or any mount point that gets unmounted with lazy unmount allowed.

If name resolution fails on exec and a profile is not defined then AppArmor will cause an oops due to a broken conditional leading to dereferencing a profile pointer that is null.

Signed-off-by: John Johansen
Acked-by: Stefan Bader
Acked-by: Andy Whitcroft
--- ubuntu/apparmor/domain.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ubuntu/apparmor/domain.c b/ubuntu/apparmor/domain.c index aa25be2..128e527 100644 --- a/ubuntu/apparmor/domain.c +++ b/ubuntu/apparmor/domain.c
@@ -248,7 +248,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) sa.base.error = aa_get_name(&bprm->file->f_path, 0, &buffer, (char **) &sa.name); if (sa.base.error) { - if (profile || profile->flags & PFLAG_IX_ON_NAME_ERROR) + if (!profile || profile->flags & PFLAG_IX_ON_NAME_ERROR) sa.base.error = 0; sa.base.info = "Exec failed name resolution"; sa.name = bprm->filename;
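Review bot: The corrected test in the `if (sa.base.error)` branch of apparmor_bprm_set_creds changes behaviour for tasks that do have a profile, and the changelog only describes the NULL dereference. With the old `profile || ...` form, any non-NULL profile short-circuited to true and `sa.base.error` was always cleared; with `!profile || profile->flags & PFLAG_IX_ON_NAME_ERROR` the error is now cleared only when there is no profile or the profile carries PFLAG_IX_ON_NAME_ERROR, so other profiles keep the name-resolution error where they previously did not. That looks like the intended logic, but it is worth stating in the commit message so the SRU reviewers know the exec outcome can differ after the fix. A short comment above the condition saying that a NULL profile deliberately ignores the lookup failure, and parentheses around the flag test, `(profile->flags & PFLAG_IX_ON_NAME_ERROR)`, would make the short-circuit that protects the dereference easier to see.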