Commit 5df0c44e authored by John Johansen's avatar John Johansen

apparmor: Fix double free of ns_name in aa_replace_profiles()
If ns_name is NULL after
1071         error = aa_unpack(udata, &lh, &ns_name);

and if ent->ns_name contains an ns_name in
1089                 } else if (ent->ns_name) {

then ns_name is assigned the ent->ns_name
1095                         ns_name = ent->ns_name;

however ent->ns_name is freed at
1262                 aa_load_ent_free(ent);

and then again when freeing ns_name at
1270         kfree(ns_name);

Fix this by NULLing out ent->ns_name after it is transferred to ns_name

Fixes: 145a0ef2 ("apparmor: fix blob compression when ns is forced on a policy load")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent d352873b
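The bug the commit message describes is an ownership hand-off that was never recorded: after `ns_name = ent->ns_name`, both the load entry's destructor and the caller's final `kfree(ns_name)` believe they own the same string. The following is an added, stand-alone C model of that pattern, not the kernel's code; `aa_load_ent`, `replace_profiles()` and the counting `tracked_kfree()` are assumptions introduced here so the double release is observable instead of being undefined behaviour. The `fix` argument switches the commit's one-line change on and off.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented stand-in for kfree(): the first release of the tracked
 * pointer really frees it; every further release is counted but not
 * executed, so a double free shows up as a count of 2 instead of UB. */
static int   g_free_calls;
static void *g_tracked;

static void tracked_kfree(void *p)
{
    if (!p)
        return;                 /* kfree(NULL) is a no-op, as in the kernel */
    if (p != g_tracked) {
        free(p);
        return;
    }
    g_free_calls++;
    if (g_free_calls == 1)
        free(p);
}

/* Minimal model (assumption) of the load entry: it owns ns_name unless the
 * caller has explicitly taken the string away from it. */
struct aa_load_ent {
    char *ns_name;
};

static void aa_load_ent_free(struct aa_load_ent *ent)
{
    tracked_kfree(ent->ns_name);    /* releases the string if still owned */
    free(ent);
}

/* Models the relevant part of aa_replace_profiles(): aa_unpack() left the
 * caller's ns_name NULL, the entry carries a namespace name, and the caller
 * adopts it. Returns how many times that string was released (1 is correct). */
static int replace_profiles(int fix)
{
    struct aa_load_ent *ent = calloc(1, sizeof *ent);
    char *ns_name = NULL;           /* as left by aa_unpack() in this case */

    ent->ns_name = strdup("ns");    /* constructed sample namespace name */
    g_tracked = ent->ns_name;
    g_free_calls = 0;

    if (!ns_name && ent->ns_name) {
        ns_name = ent->ns_name;     /* ownership moves to the caller ... */
        if (fix)
            ent->ns_name = NULL;    /* ... and the fix records that move */
    }

    aa_load_ent_free(ent);          /* first release without the fix */
    tracked_kfree(ns_name);         /* caller's release: second one without the fix */
    return g_free_calls;
}

int main(void)
{
    printf("without fix: released %d times\n", replace_profiles(0));
    printf("with fix:    released %d times\n", replace_profiles(1));
    return 0;
}
```

The general rule the example illustrates: when a pointer is moved out of a structure that has its own destructor, the source field must be cleared at the moment of the move, so that exactly one of the two cleanup paths still sees a non-NULL pointer.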
@@ -1166,6 +1166,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
				goto fail;
			}
			ns_name = ent->ns_name;
			ent->ns_name = NULL;
		} else
			count++;
	}
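Review bot: clearing `ent->ns_name` right after `ns_name = ent->ns_name;` correctly ends the entry's ownership, but from this point the string is only released by the caller's `kfree(ns_name)` the commit message cites, so it is worth confirming that every exit after this assignment, including the `goto fail` path visible just above the hunk, reaches that kfree; otherwise the fix trades a double free for a leak. A one-line comment at the assignment noting that `ent` no longer owns the string would make the hand-off explicit. Separately, the line numbers quoted in the commit message (1071, 1089, 1095, 1262, 1270) do not match the hunk header (@@ -1166), so they refer to a different tree than the one this patch applies to.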