[apparmor] [PATCH 1/7] libapparmor: Safeguard aa_getpeercon buffer reallocation
Seth Arnold
seth.arnold at canonical.com
Mon Jun 24 18:23:00 UTC 2013
On Sun, Jun 23, 2013 at 04:23:13PM -0700, Tyler Hicks wrote:
> From: John Johansen <john.johansen at canonical.com>
>
> Protect against bugs in AppArmor's getsockopt() LSM hook from sending
> aa_getpeercon() into an infinite loop.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
> ---
> libraries/libapparmor/src/kernel_interface.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
> index 8252b88..1c3b4df 100644
> --- a/libraries/libapparmor/src/kernel_interface.c
> +++ b/libraries/libapparmor/src/kernel_interface.c
> @@ -599,7 +599,7 @@ out:
> */
> int aa_getpeercon(int fd, char **con)
> {
> - int rc, size = INITIAL_GUESS_SIZE;
> + int rc, last_size, size = INITIAL_GUESS_SIZE;
> char *buffer = NULL;
>
> if (!con) {
> @@ -608,13 +608,15 @@ int aa_getpeercon(int fd, char **con)
> }
>
> do {
> + last_size = size;
> buffer = realloc(buffer, size);
> if (!buffer)
> return -1;
> memset(buffer, 0, size);
>
> rc = aa_getpeercon_raw(fd, buffer, &size);
> - } while (rc == -1 && errno == ERANGE);
> + /* size should contain actual size needed if errno == ERANGE */
> + } while (rc == -1 && errno == ERANGE && size > last_size);
>
> if (rc == -1) {
> free(buffer);
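Review bot: The comment added above the `while` condition describes only the well-behaved case, not why the new `size > last_size` test is there. It should say that the test ends the loop when aa_getpeercon_raw() fails with ERANGE without reporting a larger size, which is the case this patch guards against. When that happens the loop exits with rc == -1 and errno == ERANGE, so the function falls into the `if (rc == -1)` cleanup path; the function's comment block should mention that callers can see ERANGE in this situation. Separately, in the unchanged context lines, `buffer = realloc(buffer, size);` followed by `return -1;` drops the previous allocation if realloc fails on a second or later pass. Assigning the result to a temporary pointer and freeing the old buffer on failure would close that leak.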
> --
> 1.8.1.2