Marcus Rueckert
f270973a6c
Accepted submit request 57745 from user jeff_mahoney OBS-URL: https://build.opensuse.org/request/show/57745 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=1
44 lines
1.3 KiB
Plaintext
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix use after free in regexp parser

There are two cases of use-after-free in the simply_tree_base code. It
worked in the past because there aren't any allocations between the
free and the use, so it was still around.

With glibc's memory perturbing feature (set _MALLOC_PERTURB to anything),
the freed memory is poisoned. This causes crashes in e.g. apparmor_parser
while parsing certain profiles.

This patch addresses it by saving a pointer to the node to free after
the node is advanced.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
parser/libapparmor_re/regexp.yy | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/parser/libapparmor_re/regexp.yy
+++ b/parser/libapparmor_re/regexp.yy
@@ -720,17 +720,19 @@ Node *simplify_tree_base(Node *t, int di
Node *i = t->child[!dir];
for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
}
// last altnode of chain check other dir as well
if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
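Review bot: The ordering that makes this safe is undocumented in both changed blocks (the loop body and the "last altnode of chain" check): nothing in the code says that `old->release()` must come after `t = t->child[!dir]` because `t` is dereferenced to find the next node. A one-line comment above `old->release()` stating that, or a small helper that takes `t` and `dir`, dups the child, releases the old node and returns the new one, would remove the duplicated four-line sequence and keep a later cleanup from moving the release back above the dereference. The diffstat also shows only regexp.yy changing, so a profile that reproduces the crash described in the commit message would be worth adding as a regression test.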