apparmor: fix memory leak in verify_header

m-pellizzer · gregkh · commit 4f0889f2df1a · 2026-03-13T17:23:28.000+01:00
commit e38c55d upstream. The function sets `*ns = NULL` on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made. Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient. Fixes: dd51c84 ("apparmor: provide base for multiple profiles to be replaced at once") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
@@ -1177,7 +1177,6 @@ static int verify_header(struct aa_ext *e, int required, const char **ns)
 {
 	int error = -EPROTONOSUPPORT;
 	const char *name = NULL;
-	*ns = NULL;
 
 	/* get the interface version */
 	if (!aa_unpack_u32(e, &e->version, "version")) {

Original file line number	Diff line number	Diff line change
`@@ -1177,7 +1177,6 @@ static int verify_header(struct aa_ext e, int required, const char *ns)`
`1177`	`1177`	`{`
`1178`	`1178`	`int error = -EPROTONOSUPPORT;`
`1179`	`1179`	`const char *name = NULL;`
`1180`		`- *ns = NULL;`
`1181`	`1180`
`1182`	`1181`	`/* get the interface version */`
`1183`	`1182`	`if (!aa_unpack_u32(e, &e->version, "version")) {`