[bug report] apparmor: Parse secmark policy
Dan Carpenter
dan.carpenter at oracle.com
Wed Oct 10 10:42:28 UTC 2018
Hello Matthew Garrett,
The patch 9caafbe2b4cf: "apparmor: Parse secmark policy" from May 24,
2018, leads to the following static checker warning:
security/apparmor/policy_unpack.c:580 unpack_secmark()
warn: should '(struct aa_profile)->secmark' be freed with kzfree()'
security/apparmor/policy_unpack.c
558 profile->secmark_count = size;
559
560 for (i = 0; i < size; i++) {
561 if (!unpack_u8(e, &profile->secmark[i].audit, NULL))
562 goto fail;
563 if (!unpack_u8(e, &profile->secmark[i].deny, NULL))
564 goto fail;
565 if (!unpack_strdup(e, &profile->secmark[i].label, NULL))
566 goto fail;
567 }
568 if (!unpack_nameX(e, AA_ARRAYEND, NULL))
569 goto fail;
570 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
571 goto fail;
572 }
573
574 return 1;
575
576 fail:
577 if (profile->secmark) {
578 for (i = 0; i < size; i++)
579 kfree(profile->secmark[i].label);
^^^^^^^^^^^^^^^^^^^^^^^^^
580 kfree(profile->secmark);
^^^^^^^^^^^^^^^^
Smatch thinks that these need to be zeroed for security. I don't know
the details though.
581 profile->secmark_count = 0;
582 }
583
584 e->pos = pos;
585 return 0;
586 }
regards,
dan carpenter
More information about the Linux-security-module-archive
mailing list