[PATCH] apparmor: fix use-after-free in policy replacement path

John Johansen john.johansen at canonical.com
Sat Jun 13 09:42:31 UTC 2026


On 6/12/26 23:04, Junxiao Chang wrote:
> A use-after-free issue can be triggered when running the
> following stress-ng workload:
> 
> ```
> sudo stress-ng --apparmor 0 --timeout 30 \
>      --oom-avoid-bytes 10% --skip-silent --verbose
> ```
> 
> The warning looks like:
> 
> ```
> refcount_t: addition on 0; use-after-free
> aa_replace_profiles+0xbe5/0x12a0
> policy_update+0xdb/0x170
> profile_replace+0x4b/0xb0
> ```
> 
> The issue can be reproduced on both v7.1-rc7 and Ubuntu
> 6.17.0-35-generic kernels.
> 
> aa_get_profile_loaddata() requires the supplied loaddata object
> to hold a valid reference. However, the loaddata reference count
> may already have reached zero in the replacement loop, resulting
> in a use-after-free condition.
> 
> Avoid calling aa_get_profile_loaddata() on loaddata objects with
> a zero reference count and skip those entries instead.
> 
> Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference")
> Signed-off-by: Junxiao Chang <junxiao.chang at intel.com>

Sorry, I went with Ruslan Valiyev's earlier patch that fixes the same
issue:
    apparmor: fix use-after-free in rawdata dedup loop

> ---
>   security/apparmor/policy.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index b6a5eb4021dbd..98f84d4552697 100644
> --- a/security/apparmor/policy.c
> +++ b/security/apparmor/policy.c
> @@ -1220,7 +1220,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
>   	/* check for duplicate rawdata blobs: space and file dedup */
>   	if (!list_empty(&ns->rawdata_list)) {
>   		list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
> -			if (aa_rawdata_eq(rawdata_ent, udata)) {
> +			if (kref_read(&rawdata_ent->pcount) && aa_rawdata_eq(rawdata_ent, udata)) {
>   				struct aa_loaddata *tmp;
>   
>   				tmp = aa_get_profile_loaddata(rawdata_ent);
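Review bot: the added `kref_read(&rawdata_ent->pcount)` check on the `+` line only narrows the race instead of closing it. `kref_read()` returns a snapshot of the count, and nothing prevents the last reference from being dropped between that read and the `aa_get_profile_loaddata(rawdata_ent)` call a few lines below, which would still produce the "refcount_t: addition on 0" warning quoted in the description. The zero check and the increment need to be one atomic step, i.e. a `kref_get_unless_zero()`-style acquire on the entry (with the dedup loop skipping entries for which it fails), or the walk of `ns->rawdata_list` must run under the lock that serialises removal from that list. Minor: the new condition pushes the line well past 80 columns; splitting it across two lines would match the surrounding style.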




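The commit message above explains that aa_get_profile_loaddata() must only be called on a loaddata object that still holds a valid reference, and that the dedup loop can encounter entries whose count has already reached zero. The following is an added example, not code from the AppArmor tree or from either patch: it models that situation in userspace C with a toy `struct blob` (standing in for the kernel's loaddata object, with `pcount` as the refcount and `digest` as whatever the equality check compares) and shows the acquire-unless-zero pattern that makes "is the count non-zero?" and "take a reference" a single atomic step, so entries mid-teardown are skipped rather than revived.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a reference-counted raw policy blob. This is an added
 * example, not the kernel's struct aa_loaddata: "pcount" plays the role of
 * the kref and "digest" the role of whatever the equality check compares. */
struct blob {
    atomic_int pcount;
    int digest;
    const char *name;
};

/* Take a reference only if the object is still alive. The compare-exchange
 * loop makes the zero check and the increment one atomic step, so a
 * concurrent final put cannot slip in between them (the kernel analogue is
 * kref_get_unless_zero()). Returns false when the count was already 0. */
static bool blob_get_unless_zero(struct blob *b)
{
    int old = atomic_load(&b->pcount);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&b->pcount, &old, old + 1))
            return true;
        /* CAS failed: "old" now holds the fresh value; loop and retry */
    }
    return false;
}

/* Drop a reference; returns true when this was the last one and the
 * caller is now responsible for freeing the object. */
static bool blob_put(struct blob *b)
{
    return atomic_fetch_sub(&b->pcount, 1) == 1;
}

/* Dedup lookup over a list of blobs: return the first entry with a matching
 * digest with a reference held, skipping entries whose count has already
 * hit zero (they are being torn down and must not be resurrected). */
struct blob *find_dup(struct blob *list, size_t n, int digest)
{
    for (size_t i = 0; i < n; i++) {
        if (list[i].digest != digest)
            continue;
        if (blob_get_unless_zero(&list[i]))
            return &list[i];
        /* digest matched but the entry is dead: keep looking */
    }
    return NULL;
}

/* Constructed sample list: two entries share digest 42, but the first has
 * already been released (count 0) and only the second is live. */
static struct blob table[3];

void setup_table(void)
{
    atomic_init(&table[0].pcount, 0); table[0].digest = 42; table[0].name = "stale";
    atomic_init(&table[1].pcount, 1); table[1].digest = 7;  table[1].name = "other";
    atomic_init(&table[2].pcount, 1); table[2].digest = 42; table[2].name = "live";
}

/* Current reference count of an entry (for inspection). */
int blob_count(struct blob *b)
{
    return atomic_load(&b->pcount);
}

int main(void)
{
    setup_table();
    struct blob *dup = find_dup(table, 3, 42);
    printf("match: %s (refs now %d)\n", dup ? dup->name : "none",
           dup ? blob_count(dup) : 0);
    if (dup && blob_put(dup))
        puts("last reference dropped");
    return 0;
}
```

Running it reports the "live" entry with its count raised to 2 and leaves the "stale" entry untouched at 0; the stale entry is never incremented, which is exactly the event the kernel's refcount warning flags. A lookup that instead read the count and then incremented it in a separate step would have a window in which another CPU's final put lands between the two operations.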
More information about the Linux-security-module-archive mailing list