[apparmor] CVE-2024-56741: apparmor: test: Fix memory leak for aa_unpack_strdup()
Ben Hutchings
ben at decadent.org.uk
Sun Mar 2 17:36:35 UTC 2025
Hi all,
CVE-2024-56741 is supposed to be fixed by commit 7290f5923191 "apparmor:
test: Fix memory leak for aa_unpack_strdup()" but I think this
assignment should be rejected.
While a user-triggered memory leak may be exploitable for denial-of-
service, the code that was fixed here is a part of KUnit tests.
KUnit tests usually run a single time at boot, not under user control,
and can then later be invoked through debugfs by the root user.
Firstly, it is intended that the root user can deny service through the
reboot system call, so I don't think additional ways to do this are
security flaws.
Secondly, the KUnit documentation at <https://docs.kernel.org/dev-
tools/kunit/run_manual.html> says:
Note:
KUnit is not designed for use in a production system. It is possible
that tests may reduce the stability or security of the system.
so I don't think security issues in KUnit tests generally deserve CVE
IDs. (That said, the help text for CONFIG_KUNIT does not have such a
warning.)
Ben.
--
Ben Hutchings
Any smoothly functioning technology is indistinguishable
from a rigged demo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20250302/6346e1b0/attachment.sig>
More information about the AppArmor
mailing list