Commit 74b7105e authored Jan 13, 2026 by Ryan Lee Committed by John Johansen Jan 29, 2026

apparmor: return -ENOMEM in unpack_perms_table upon alloc failure

In policy_unpack.c:unpack_perms_table, the perms struct is allocated via
kcalloc, with the position being reset if the allocation fails. However,
the error path results in -EPROTO being retured instead of -ENOMEM. Fix
this to return the correct error code.

Reported-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Fixes: fd1b2b95 ("apparmor: add the ability for policy to specify a permission table")
Reviewed-by: Tyler Hicks <code@tyhicks.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

parent 9b829c0a

security/apparmor/policy_unpack.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -923,8 +923,10 @@ static ssize_t unpack_perms_table(struct aa_ext e, struct aa_perms *perms)
		if (!aa_unpack_array(e, NULL, &size))
		goto fail_reset;
		*perms = kcalloc(size, sizeof(struct aa_perms), GFP_KERNEL);
		if (!*perms)
		goto fail_reset;
		if (!*perms) {
		e->pos = pos;
		return -ENOMEM;
		}
		for (i = 0; i < size; i++) {
		if (!unpack_perm(e, version, &(*perms)[i]))
		goto fail;