44 lines
1.3 KiB
Plaintext
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix use after free in regexp parser
There are two cases of use-after-free in the simplify_tree_base code. It
worked in the past because there aren't any allocations between the
free and the use, so it was still around.
With glibc's memory perturbing feature (set _MALLOC_PERTURB to anything),
the freed memory is poisoned. This causes crashes in e.g. apparmor_parser
while parsing certain profiles.
This patch addresses it by saving a pointer to the node to free after
the node is advanced.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
parser/libapparmor_re/regexp.yy | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/parser/libapparmor_re/regexp.yy
+++ b/parser/libapparmor_re/regexp.yy
@@ -720,17 +720,19 @@ Node *simplify_tree_base(Node *t, int di
Node *i = t->child[!dir];
for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
}
// last altnode of chain check other dir as well
if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
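
Review bot: The save/advance/release sequence is now open-coded twice, in the loop body and in the "last altnode" block, and neither copy says why `old->release()` has to come after `t = t->child[!dir]`. A small helper that takes `t` and `dir`, calls `dup()` on the child, and releases the old node only after the child pointer has been read would keep the ordering in one place; at minimum, a comment above `Node *old = t;` noting that `release()` may free `t` would stop a later cleanup from reintroducing the read of freed memory. The fix also relies on `dup()` keeping the child alive across `old->release()`, which is not visible from these lines and is worth stating in that comment.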