find_attach loops over profile entries and first checks for a DFA, falling back onto a strcmp otherwise. However, the check if (attach->xmatch->dfa) did not account for the possibility that (attach->xmatch) could be null. This occurred with a sequence of profile replacements that resulted in a kernel BUG print due to the null pointer dereference.
To avoid this issue, first check that (attach->xmatch) is not null. The one-line patch is attached to the email. Ryan
From b1ac2f6e110b0281a19b65b9005b019c0e996b12 Mon Sep 17 00:00:00 2001 From: Ryan Lee <ryan....@canonical.com> Date: Mon, 19 Aug 2024 11:04:08 -0700 Subject: [PATCH] apparmor: fix null pointer deref in find_attach when xmatch is null find_attach loops over profile entries and first checks for a DFA, falling back onto a strcmp otherwise. However, the check if (attach->xmatch->dfa) did not account for the possibility that (attach->xmatch) could be null. This occured with a sequence of profile replacements that resulted in a kernel BUG print due to the null pointer dereference. To avoid this issue, first check that (attach->xmatch) is not null. Signed-off-by: Ryan Lee <ryan....@canonical.com> --- security/apparmor/domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index dd457eaedab8..985a5a9cdbd0 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -415,7 +415,7 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm, * as another profile, signal a conflict and refuse to * match. */ - if (attach->xmatch->dfa) { + if (attach->xmatch && attach->xmatch->dfa) { unsigned int count; aa_state_t state; struct aa_perms *perms; -- 2.43.0
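Review bot: the commit message names the trigger (a sequence of profile replacements) but not why attach->xmatch is NULL afterwards, so it is not clear from the hunk whether a NULL xmatch is a legitimate state for an attachment entry that the new fallthrough to the strcmp branch handles correctly, or a profile load/replacement bug that `if (attach->xmatch && attach->xmatch->dfa)` only papers over; please state the root cause in the message. If NULL is a legitimate state, the other uses of attach->xmatch in this function should be checked for the same assumption, and a Fixes: tag plus Cc: stable would help the backport since this is a kernel crash reachable through profile replacement.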
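As an added illustration, and not code from the patch or from AppArmor itself: a user-space C model of the matching step that find_attach performs on each profile entry, with the unguarded pre-fix check beside the guarded post-fix one and a constructed profile list that includes an entry whose xmatch is NULL. The struct layouts, the prefix rule standing in for the compiled DFA, the function names and the sample entries are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed, simplified stand-in for the kernel's compiled xmatch DFA:
 * a rule matches when the executable path starts with `prefix`. */
struct xmatch {
	const char *prefix;
	bool dfa;        /* models the attach->xmatch->dfa check */
};

/* Assumed stand-in for one profile attachment entry. */
struct attachment {
	const char *name;        /* exact name used by the strcmp fallback */
	struct xmatch *xmatch;   /* may be NULL after a profile replacement */
};

/* Pre-fix logic: dereferences xmatch before checking it. Calling this
 * with attach->xmatch == NULL dereferences a null pointer; it is kept
 * only to show the bug and is never called that way below. */
bool attach_matches_unguarded(const struct attachment *attach,
			      const char *path)
{
	if (attach->xmatch->dfa)
		return strncmp(path, attach->xmatch->prefix,
			       strlen(attach->xmatch->prefix)) == 0;
	return strcmp(path, attach->name) == 0;
}

/* Post-fix logic: a NULL xmatch falls through to the exact-name
 * comparison instead of crashing. */
bool attach_matches_guarded(const struct attachment *attach,
			    const char *path)
{
	if (attach->xmatch && attach->xmatch->dfa)
		return strncmp(path, attach->xmatch->prefix,
			       strlen(attach->xmatch->prefix)) == 0;
	return strcmp(path, attach->name) == 0;
}

/* Walks a list of entries the way find_attach walks profiles and
 * returns the index of the first entry matching `path`, or -1. */
int find_attach_index(const struct attachment *attachs, size_t n,
		      const char *path)
{
	for (size_t i = 0; i < n; i++)
		if (attach_matches_guarded(&attachs[i], path))
			return (int)i;
	return -1;
}

/* Constructed sample profile set (not real AppArmor policy). Entries 1
 * and 2 model the state the report describes: xmatch is NULL, so only
 * the strcmp fallback can match them. */
static struct xmatch bin_rule = { .prefix = "/usr/bin/", .dfa = true };

static const struct attachment sample_profiles[] = {
	{ .name = "usr.bin.*",     .xmatch = &bin_rule },
	{ .name = "/opt/tool/run", .xmatch = NULL },
	{ .name = "/sbin/daemon",  .xmatch = NULL },
};
static const size_t sample_count =
	sizeof(sample_profiles) / sizeof(sample_profiles[0]);

/* Usage: look `path` up in the constructed sample set. */
int find_in_sample(const char *path)
{
	return find_attach_index(sample_profiles, sample_count, path);
}
```

With the guard in place, a path such as "/opt/tool/run" is resolved by exact name even though that entry has no xmatch; with the unguarded check the same lookup would fault on the second entry before it ever reached the strcmp.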