AppArmor overwrites unallocated memory in getprocattr interface

Bug #446595 reported by John Johansen
Affects                 Status   Importance   Assigned to     Milestone
linux (Ubuntu)                   High         John Johansen
  Karmic                         High         John Johansen

Bug Description

In ubuntu/apparmor/procattr.c, AppArmor allocates memory for the procattr buffer as follows:

  len = strlen(unconfined_str);
  if (ns != default_namespace)
    len += strlen(ns->base.name) + 1;   /* separator counted as 1 byte */
  str = kmalloc(len + 1, GFP_ATOMIC);  /* +1 for the terminating NUL */

However, this is 2 bytes smaller than the string actually written, because the separator "://" between the namespace and profile names is 3 bytes long, while the allocation above accounts for only 1:

  if (ns != default_namespace)
    sprintf(str, "%s://%s", ns->base.name, unconfined_str);
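
The following is an added illustration, not code from the kernel or from this report: it recomputes the size the buggy allocation above reserves, the size the formatted string really needs, and builds the string with a correctly sized buffer and snprintf so that any future mismatch truncates instead of writing past the allocation. It is user-space C (malloc instead of kmalloc), models the "non-default namespace" condition as a non-NULL namespace name, and assumes unconfined_str is the string "unconfined"; the sample namespace name is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size reserved by the original (buggy) code: the separator is
 * counted as 1 byte although "://" is 3 bytes long.
 * ns_name == NULL stands for "ns == default_namespace" (assumption). */
size_t buggy_alloc_size(const char *ns_name, const char *unconfined_str)
{
    size_t len = strlen(unconfined_str);
    if (ns_name)
        len += strlen(ns_name) + 1;   /* BUG: "://" counted as 1 byte */
    return len + 1;                   /* terminating NUL */
}

/* Bytes actually needed for "<ns>://<unconfined>" plus the NUL. */
size_t needed_size(const char *ns_name, const char *unconfined_str)
{
    size_t len = strlen(unconfined_str);
    if (ns_name)
        len += strlen(ns_name) + strlen("://");
    return len + 1;
}

/* How many bytes the original allocation falls short by (0 when the
 * default namespace is used, because no separator is written then). */
size_t overflow_bytes(const char *ns_name, const char *unconfined_str)
{
    size_t need = needed_size(ns_name, unconfined_str);
    size_t got = buggy_alloc_size(ns_name, unconfined_str);
    return need > got ? need - got : 0;
}

/* Hardened builder: size the buffer from needed_size() and write with
 * snprintf, which never exceeds the buffer. Returns a malloc'd string
 * the caller frees, or NULL on allocation failure or truncation. */
char *build_procattr(const char *ns_name, const char *unconfined_str)
{
    size_t size = needed_size(ns_name, unconfined_str);
    char *str = malloc(size);
    int n;

    if (!str)
        return NULL;
    if (ns_name)
        n = snprintf(str, size, "%s://%s", ns_name, unconfined_str);
    else
        n = snprintf(str, size, "%s", unconfined_str);
    if (n < 0 || (size_t)n >= size) {   /* would have been truncated */
        free(str);
        return NULL;
    }
    return str;
}

/* Convenience check: does build_procattr() produce exactly `expected`? */
int procattr_equals(const char *ns_name, const char *unconfined_str,
                    const char *expected)
{
    char *s = build_procattr(ns_name, unconfined_str);
    int ok = (s != NULL && strcmp(s, expected) == 0);
    free(s);
    return ok;
}

int main(void)
{
    const char *ns = "example-ns";          /* constructed sample value */
    const char *unconfined = "unconfined";  /* assumed value of unconfined_str */
    char *s = build_procattr(ns, unconfined);

    if (!s)
        return 1;
    printf("%s: needs %zu bytes, buggy code allocates %zu (short by %zu)\n",
           s, needed_size(ns, unconfined), buggy_alloc_size(ns, unconfined),
           overflow_bytes(ns, unconfined));
    free(s);
    return 0;
}
```

The shortfall is always exactly 2 bytes for a non-default namespace, independent of the name lengths, which is why the changelog entry below calls it an "off by 2" error; in the kernel those 2 bytes land in whatever follows the kmalloc'd slab object.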

Changed in linux (Ubuntu):
status: New → Confirmed
assignee: nobody → John Johansen (jjohansen)
Tim Gardner (timg-tpi) wrote:
Changed in linux (Ubuntu Karmic):
importance: Undecided → High
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 2.6.31-13.43

---------------
linux (2.6.31-13.43) karmic; urgency=low

  [ Andy Whitcroft ]

  * Revert "[Upstream] acerhdf: Limit modalias matching to supported
    boards"

  [ Colin Watson ]

  * Use section 'admin' rather than 'base'

  [ John Johansen ]

  * SAUCE: AppArmor: Set error code after structure initialization.
    - LP: #427948
  * SAUCE: AppArmor: Fix off by 2 error in getprocattr mem allocation
    - LP: #446595

  [ Luke Yelavich ]

  * SAUCE: Add sr_mod to the scsi-modules udeb for powerpc

  [ Stefan Bader ]

  * [Upstream] acerhdf: Limit modalias matching to supported boards
    (supersedes previous revert made by Andy Whitcroft)
    - LP: #435958

 -- Tim Gardner <email address hidden> Fri, 09 Oct 2009 10:08:16 -0600

Changed in linux (Ubuntu Karmic):
status: Fix Committed → Fix Released