AppArmor overwrites unallocated memory in getprocattr interface

Bug #446595 reported by John Johansen
This bug affects 1 person
Affects         Status        Importance  Assigned to    Milestone
linux (Ubuntu)  Fix Released  High        John Johansen
Karmic          Fix Released  High        John Johansen

Bug Description

In ubuntu/apparmor/procattr.c, AppArmor allocates memory for the procattr buffer:

  len = strlen(unconfined_str);
  if (ns != default_namespace)
      len += strlen(ns->base.name) + 1;
  str = kmalloc(len + 1, GFP_ATOMIC);

However, this is 2 bytes smaller than the actual string, because the string "://", which separates the namespace and profile names, is 3 bytes, not 1 as is done in the above allocation.

  if (ns != default_namespace)
      sprintf(str, "%s://%s", ns->base.name, unconfined_str);
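
The size mismatch described above, reproduced in user-space C as an added example (not code from the report or from the kernel tree). It compares the allocation size computed by the reported code with the byte count the "%s://%s" format needs, then sizes the buffer from the format itself. The value of unconfined_str, the namespace name "ns1", and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value: the report does not show the contents of unconfined_str. */
static const char unconfined_str[] = "unconfined";

/* Bytes the reported code requests (len + 1) for a non-default namespace. */
size_t reported_alloc_size(const char *ns_name)
{
    size_t len = strlen(unconfined_str);
    len += strlen(ns_name) + 1;   /* counts only 1 byte for the separator */
    return len + 1;               /* terminating NUL */
}

/* Bytes the "%s://%s" format really produces, including the NUL. */
size_t required_size(const char *ns_name)
{
    int n = snprintf(NULL, 0, "%s://%s", ns_name, unconfined_str);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Derive the size from the format string, then write with a bound. */
char *format_label(const char *ns_name)
{
    size_t need = required_size(ns_name);
    char *str;

    if (need == 0)
        return NULL;
    str = malloc(need);
    if (!str)
        return NULL;
    snprintf(str, need, "%s://%s", ns_name, unconfined_str);
    return str;
}

int main(void)
{
    const char *ns = "ns1";       /* constructed namespace name */
    char *s = format_label(ns);

    printf("reported allocation: %zu bytes, required: %zu bytes\n",
           reported_alloc_size(ns), required_size(ns));
    if (s)
        puts(s);
    free(s);
    return 0;
}
```

Deriving the length from the same format string that does the write keeps the two from drifting apart when the separator changes; in kernel code, kasprintf() does this measure-then-allocate step in one call.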

Changed in linux (Ubuntu):
status: New → Confirmed
assignee: nobody → John Johansen (jjohansen)
Tim Gardner (timg-tpi) wrote :
Changed in linux (Ubuntu Karmic):
importance: Undecided → High
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-13.43

---------------
linux (2.6.31-13.43) karmic; urgency=low

  [ Andy Whitcroft ]

  * Revert "[Upstream] acerhdf: Limit modalias matching to supported
    boards"

  [ Colin Watson ]

  * Use section 'admin' rather than 'base'

  [ John Johansen ]

  * SAUCE: AppArmor: Set error code after structure initialization.
    - LP: #427948
  * SAUCE: AppArmor: Fix off by 2 error in getprocattr mem allocation
    - LP: #446595

  [ Luke Yelavich ]

  * SAUCE: Add sr_mod to the scsi-modules udeb for powerpc

  [ Stefan Bader ]

  * [Upstream] acerhdf: Limit modalias matching to supported boards
    (supersedes previous revert made by Andy Whitcroft)
    - LP: #435958

 -- Tim Gardner <email address hidden> Fri, 09 Oct 2009 10:08:16 -0600

Changed in linux (Ubuntu Karmic):
status: Fix Committed → Fix Released