BugLink: http://bugs.launchpad.net/bugs/480112

SRU Justification: This bug can cause confined process to oops at address 0.
This can occur when executing a process if the LSM_UNSAFE_PTRACE |
LSM_UNSAFE_PTRACE_CAP flags are set. The likely hood of if/how often this
will occur depends on if ptrace is being used.

As reported by Tetsuo Handa on kernel-team mailing list:

In aa_may_change_ptraced_domain, if (!tracer) cred == NULL, and
put_cred(cred) will oops. This will only happen on exec if the task
is marked as LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP, so should
only happen to ptraced tasks that are confined.

Fix this by returning directly from aa_may_change_ptrace_domain if
there is now tracer.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
ubuntu/apparmor/domain.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/ubuntu/apparmor/domain.c b/ubuntu/apparmor/domain.c
index fe89ddc..12e45c6 100644
--- a/ubuntu/apparmor/domain.c
+++ b/ubuntu/apparmor/domain.c
@@ -64,6 +64,10 @@ static int aa_may_change_ptraced_domain(struct task_struct *task,
cred = aa_get_task_policy(tracer, &tracerp);
rcu_read_unlock();

+ /* not ptraced */
+ if (!tracer)
+ return 0;
+
if (!tracerp)
goto out;

--
1.6.3.3


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team