Pidgin, 4.14 and App Armor Oops.

Tetsuo Handa penguin-kernel at i-love.sakura.ne.jp
Wed Nov 22 06:49:59 UTC 2017 

Zephaniah E. Loss-Cutler-Hull wrote:
> This seems rather reproducible.

It seems to me that audit_signal_cb() is reading a pointer value rather than
signal number, for the address of aad(sa)->peer and aad(&sa)->signal are the
same due to use of "union" inside "struct apparmor_audit_data".
Thus, I think that this is an AppArmor side problem.

struct apparmor_audit_data {
        int error;
        int type;
        const char *op;
        struct aa_label *label;
        const char *name;
        const char *info;
        u32 request;
        u32 denied;
        union {
                /* these entries require a custom callback fn */
                struct {
                        struct aa_label *peer;
                        struct {
                                const char *target;
                                kuid_t ouid;
                        } fs;
                };
                struct {
                        struct aa_profile *profile;
                        const char *ns;
                        long pos;
                } iface;
                int signal;
                struct {
                        int rlim;
                        unsigned long max;
                } rlim;
                struct {
                        const char *src_name;
                        const char *type;
                        const char *trans;
                        const char *data;
                        unsigned long flags;
                } mnt;
        };
};

static int profile_signal_perm(struct aa_profile *profile,
                               struct aa_profile *peer, u32 request,
                               struct common_audit_data *sa)
{
        struct aa_perms perms;

        if (profile_unconfined(profile) ||
            !PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))
                return 0;

        aad(sa)->peer = &peer->label; // Overwrites aad(sa)->signal value.
        profile_match_signal(profile, peer->base.hname, aad(sa)->signal,
                             &perms);
        aa_apply_modes_to_perms(profile, &perms);
        return aa_check_perms(profile, &perms, request, sa, audit_signal_cb); // Oops
}

static int aa_signal_cross_perm(struct aa_profile *sender,
                                struct aa_profile *target,
                                struct common_audit_data *sa)
{
        return xcheck(profile_signal_perm(sender, target, MAY_WRITE, sa),
                      profile_signal_perm(target, sender, MAY_READ, sa));
}

int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
{
        DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);

        aad(&sa)->signal = map_signal_num(sig); // Writes aad(sa)->signal value.
        return xcheck_labels_profiles(sender, target, aa_signal_cross_perm,
                                      &sa);
}

More information about the Linux-audit mailing list